struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: [ANN] Struts 2 up to 2.3.16.1: Zero-Day Exploit Mitigation (security | critical)
Date Sat, 26 Apr 2014 04:33:22 GMT
2014-04-25 17:39 GMT+02:00 Emi Lu <emilu@encs.concordia.ca>:
> On 04/25/2014 10:56 AM, Lukasz Lenart wrote:
>>
>> You can create one abstract package and all other packages can inherit
>> from it - the same as you inherit from "tiles-default"
>>>
>>> So, another way to do the change would be:
>>>
>>> <package name="top" extends="tiles-default">
>>> ..... //Coding for [1]
>>> </package>
>>>
>>> <package name="p1" namespace="/n1" extends="top">
>>>
>>> ......
>>> <package name="pN" namespace="/nN" extends="top">
>>>
>>> Is it correct?
>>
>> This is the preferred approach
>>
>>> Or, if I keep "extends=tiles-default", by adding "interceptors(coding for
>>> [1])" to p1...pN as shown below will do the job, right?
>>
>> Yes, but package inheriting was designed to avoid such situations -
>> you can also inherit from many packages eg. extends="top,
>> tiles-default"
>>
>> http://struts.apache.org/release/2.3.x/docs/package-configuration.html#PackageConfiguration-Inheritfrommorethanonepackage
>
> Got it and made the changes below (I do not use struts-default, so extends
> tiles-default):
>
>     <package name="top" extends="tiles-default" abstract="true">
>
>       <interceptors>
>         <interceptor-stack name="secureDefaultStack">
>             <interceptor-ref name="defaultStack">
>                 <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
>             </interceptor-ref>
>         </interceptor-stack>
>     </interceptors>
>
>     <default-interceptor-ref name="secureDefaultStack" />
>    </package>
>
>
> Reason to do two: when new libs are ready, will just remove top and keep
> tiles-default.
>
> <package name="p1" namespace="/n1" extends="tiles-default,top">
> ......
> <package name="pN" namespace="/nN" extends="tiles-default,top">
>
> If there is anything that should be updated, please let me know. Otherwise, I
> will adopt this approach and deploy to all config files.

Just for the record: tiles-default is basically struts-default with the
tiles result defined in it. The recommended approach is to create your own
packages and stacks with the exact set of interceptors, e.g. not every
page needs support for file upload. But for most small apps using
"defaults" is also a right solution.

[1] http://struts.apache.org/release/2.3.x/docs/performance-tuning.html


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
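An exclude pattern is only a mitigation if it matches the parameter names it is meant to stop and leaves ordinary form fields alone. The following is an added example, not code from this thread or from Struts: it takes the params.excludeParams value from the quoted configuration and applies it to constructed parameter names the way the parameters interceptor treats the value, as a comma-separated list of regular expressions each matched against the whole parameter name (modelled here with re.fullmatch; that whole-name semantics is an assumption stated again in the code).

```python
import re

# The params.excludeParams value from the configuration quoted above, copied verbatim.
EXCLUDE_PARAMS = (
    r'''(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,'''
    r'''^session\..*,^request\..*,^application\..*,'''
    r'''^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*'''
)


def compile_exclude_patterns(value):
    """Split the comma-separated excludeParams value into compiled patterns."""
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


PATTERNS = compile_exclude_patterns(EXCLUDE_PARAMS)


def is_excluded(param_name, patterns=PATTERNS):
    """True if the stack would drop this parameter name.

    Assumption: the interceptor requires a whole-name match for each pattern,
    so re.fullmatch is used rather than re.search.
    """
    return any(p.fullmatch(param_name) for p in patterns)


def partition(param_names):
    """Return (excluded, accepted) lists for a batch of request parameter names."""
    excluded = [n for n in param_names if is_excluded(n)]
    accepted = [n for n in param_names if not is_excluded(n)]
    return excluded, accepted


if __name__ == "__main__":
    # Constructed sample parameter names, not taken from any real request.
    sample = [
        "user.name",         # ordinary form field: accepted
        "class.name",        # "class"-prefixed property path: excluded
        "Class.name",        # capitalised variant: excluded
        "['class'].name",    # bracketed/quoted form: excluded
        "subclass.name",     # collateral: the bare .* alternative also catches this
        "dojo.preventCache", # framework-internal prefix: excluded
        "action:save",       # action-mapping prefix: excluded
    ]
    for name in sample:
        print(f"{'EXCLUDED' if is_excluded(name) else 'accepted':8} {name}")
```

Note that the third alternative in the first pattern is a bare `.*`, so any name containing "class" followed by a dot or bracket (for example "subclass.name") is excluded as well; that errs on the safe side, but it is worth knowing when a form field silently stops binding.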
