Subject: svn commit: r900210 [2/2] - /websites/production/struts/content/release/2.3.x/docs/ Date: Thu, 06 Mar 2014 08:09:27 -0000 To: commits@struts.apache.org Reply-To: dev@struts.apache.org Mailing-List: contact commits-help@struts.apache.org; run by ezmlm
From: lukaszlenart@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20140306080928.2568623889E3@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Modified: websites/production/struts/content/release/2.3.x/docs/migration-guide.html ============================================================================== --- websites/production/struts/content/release/2.3.x/docs/migration-guide.html (original) +++ websites/production/struts/content/release/2.3.x/docs/migration-guide.html Thu Mar 6 08:09:26 2014 @@ -125,57 +125,7 @@ under the License.
-

-

Getting here from there.

- -

Version Notes 2.3.x

- - - - -

Version Notes 2.2.x

- - - - -

Version Notes 2.1.x

- - - - -

Release Notes 2.0.x

- - - - -

Struts 1 to Struts 2

- -

Comparing Struts 1 and 2

How are Struts 1 and Struts 2 alike? How are they different?

Struts 1 Solutions

Various issues (and hopefully their solutions!) encountered during migrations to Struts 2.

Migration Strategies

Steps and overall strategies for migrating Struts 1 applications to Struts 2.

Migration Tools

Development tools to help aid the migration process.

- - -

Tutorials

- -

Migrating Applications to Struts 2

A three-part series by Ian Roughley (Sep 2006)

- - -

Roadmap

- -

Roadmap FAQ

What's in store for Struts 2?

A History of Struts 2

Don Brown's summary of events

- - - -

Webwork 2.2 to Struts 2

- -

Key Changes From WebWork 2

What has been removed or changed from WebWork 2.2 to Struts 2

WebWork 2 Migration Strategies

Steps and overall strategies for migrating WebWork 2 applications to Struts 2.

- - - -

FAQs

- - - - -

Next: Contributors Guide

+

Getting here from there.

Version Notes 2.3.x

Version Notes 2.2.x

Version Notes 2.1.x

Release Notes 2.0.x

Struts 1 to Struts 2

Comparing Struts 1 and 2

How are Struts 1 and Struts 2 alike? How are they different?

Struts 1 Solutions

Various issues (and hopefully their solutions!) encountered during migrations to Struts 2.

Migration Strategies

Steps and overall strategies for migrating Struts 1 applications to Struts 2.

Migration Tools

Development tools to help aid the migration process.

Tutorials

Migrating Applications to Struts 2

A three-part series by Ian Roughley (Sep 2006)

Roadmap

Roadmap FAQ

What's in store for Struts 2?

A History of Struts 2

Don Brown's summary of events

Webwork 2.2 to Struts 2

Key Changes From WebWork 2

What has been removed or changed from WebWork 2.2 to Struts 2

WebWork 2 Migration Strategies

Steps and overall strategies for migrating WebWork 2 applications to Struts 2.

FAQs

Next: Contributors Guide

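Review bot: the added block at the end of this hunk restates the removed navigation as flat text but has no entry for the Version Notes 2.3.16.1 page that this same commit adds (version-notes-23161.html); if the "Version Notes 2.3.x" node is meant to list its child pages, migration-guide.html needs to be regenerated after the new page exists so the link appears. The removed block also contains many "-" lines whose content did not survive this rendering (presumably the list and link markup) with no "+" counterparts, so confirm that the published page still renders "Version Notes 2.3.x" through "Next: Contributors Guide" as a linked list rather than as bare headings.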
@@ -360,6 +310,9 @@ under the License. $page.link($child) (Apache Struts 2 Documentation)
+ $page.link($child) + (Apache Struts 2 Documentation) +
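Review bot: the three added lines are the literal text `$page.link($child)` and `(Apache Struts 2 Documentation)`, which look like unrendered template placeholders rather than a substituted link; if they reach the generated migration-guide.html verbatim, the export template is broken and the published output should be checked before this is synced.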
Modified: websites/production/struts/content/release/2.3.x/docs/one-time-steps.html ============================================================================== --- websites/production/struts/content/release/2.3.x/docs/one-time-steps.html (original) +++ websites/production/struts/content/release/2.3.x/docs/one-time-steps.html Thu Mar 6 08:09:26 2014 @@ -136,11 +136,11 @@ under the License.

Content

+/*]]>*/
  • 1 Content
    • 1.1 Keys and configuration Modified: websites/production/struts/content/release/2.3.x/docs/rest-plugin.html ============================================================================== --- websites/production/struts/content/release/2.3.x/docs/rest-plugin.html (original) +++ websites/production/struts/content/release/2.3.x/docs/rest-plugin.html Thu Mar 6 08:09:26 2014 @@ -145,11 +145,11 @@ under the License.
      +/*]]>*/
      • 1 Overview
        • 1.1 Features
        • 1.2 Mapping REST URLs to Struts 2 Actions Added: websites/production/struts/content/release/2.3.x/docs/s2-020.html ============================================================================== --- websites/production/struts/content/release/2.3.x/docs/s2-020.html (added) +++ websites/production/struts/content/release/2.3.x/docs/s2-020.html Thu Mar 6 08:09:26 2014 @@ -0,0 +1,157 @@ + + + + + + + + + + + + + + + S2-020 + + + + + + + +
          +  Home > Security Bulletins > S2-020 + +
          + + + + + + +
          +
          + +
          + + +
          +
          +

          Summary

          Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)

          Who should read this

          All Struts 2 developers and users

          Impact of vulnerability

          DoS attacks and ClassLoader manipulation

          Maximum security rating

          Important

          Recommendation

          Developers should immediately upgrade to Struts 2.3.16.1

          Affected Software

          Struts 2.0.0 - Struts 2.3.16

          Reporter

          Mark Thomas (markt at apache.org),Przemysław Celej (p-celej at o2.pl)

          CVE Identifier

          CVE-2014-0050 (DoS), CVE-2014-0094 (ClassLoader manipulation)

          Problem

          The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3 which is vulnerable and allows DoS attacks. Additional ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation.

          Solution

          In Struts 2.3.16.1, Commons FileUpload was updated to version 1.3.1 and "class" was added to excludeParams in struts-default.xml configuration of ParametersInterceptor.

          Backward compatibility

          No backward compatibility problems are expected.

          Workaround

          If you cannot upgrade to version 2.3.16.1 which is strongly advised, you can apply below workarounds:

          Upgrade commons-fileupload

          The fixed commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by r eplacing the commons-fileupload jar file in WEB-INF/lib with the updated jar. For Maven
          based Struts 2 projects, the following dependency needs to be added:

          + +

          Exclude 'class' parameter

          Simple add '^class\.*' to the list of excludeParams as below

          + +
          +
          + + +
          +
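Review bot: the "Exclude 'class' parameter" workaround near the end of this hunk gives the pattern `'^class\.*'`, in which `\.*` means zero or more literal dots, so it does not express "class followed by a dot and any nested property"; the intended pattern is presumably `^class\..*`, and whichever value struts-default.xml actually ships, the bulletin must quote it exactly, because readers applying the workaround will copy it from this page. The two configuration snippets (the Maven dependency after "the following dependency needs to be added:" and the excludeParams list after "as below") did not survive this rendering ("+ +" only), so verify they are present in the committed HTML. Text fixes: "r eplacing" should be "replacing", "Simple add" should be "Simply add", "apply below workarounds" reads better as "apply the workarounds below", "Additional ParametersInterceptor allows" should be "Additionally, ParametersInterceptor allows", and the Reporter line needs a space after the comma.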
          + + + \ No newline at end of file Modified: websites/production/struts/content/release/2.3.x/docs/sample-announcements.html ============================================================================== --- websites/production/struts/content/release/2.3.x/docs/sample-announcements.html (original) +++ websites/production/struts/content/release/2.3.x/docs/sample-announcements.html Thu Mar 6 08:09:26 2014 @@ -127,11 +127,11 @@ under the License.

          Content

          +/*]]>*/
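Review bot: this hunk, and the matching ones in one-time-steps.html, rest-plugin.html, struts-2-blank-archetype.html, struts-2-maven-archetypes.html, struts-2-spring-2-jpa-ajax.html, type-conversion.html, using-freemarker-templates.html and validation.html, each add a bare `/*]]>*/` line in front of the page's table of contents. That is the closing half of a `/*<![CDATA[*/ ... /*]]>*/` wrapper used inside script elements; every hunk header reports 11 lines replaced by 11, yet only the `+/*]]>*/` line is visible in this rendering and the matching removed line is not, so the change cannot be reviewed from the diff alone. Confirm in the generated HTML that the wrapper is balanced (an opening `/*<![CDATA[*/` precedes it inside the same script element) and that the text `/*]]>*/` is not rendered as visible page content directly above the list items.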
          Modified: websites/production/struts/content/release/2.3.x/docs/security-bulletins.html ============================================================================== --- websites/production/struts/content/release/2.3.x/docs/security-bulletins.html (original) +++ websites/production/struts/content/release/2.3.x/docs/security-bulletins.html Thu Mar 6 08:09:26 2014 @@ -126,7 +126,7 @@ under the License.

          The following security bulletins are available:

          -
          • S2-001Remote code exploit on form validation error
          • S2-002Cross site scripting (XSS) vulnerability on and tags
          • S2-003XWork ParameterInterceptors bypass allows OGNL statement execution
          • S2-004Directory traversal vulnerability while serving static content
          • S2-005XWork ParameterInterceptors bypass allows remote command execution
          • S2-006Multiple Cross-Site Scripting (XSS) in XWork generated error pages
          • S2-007User input is evaluated as an OGNL expression when there's a conversion error
          • S2-008Multiple critical vulnerabilities in Struts2
          • S2-009ParameterInterceptor vulnerability allows remote command execution
          • S2-010When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes
          • S2-011Long request parameter names might significantly promote the effectiveness of DOS attacks
          • S2-012Showcase app vulnerability allows remote command execution
          • S2-013A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution
          • S2-014A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks
          • S2-015A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.
          • S2-016A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution
          • S2-017A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects
          • S2-018Broken Access Control Vulnerability in Apache Struts2
          • S2-019Dynamic Method Invocation disabled by default
          +
          • S2-001Remote code exploit on form validation error
          • S2-002Cross site scripting (XSS) vulnerability on and tags
          • S2-003XWork ParameterInterceptors bypass allows OGNL statement execution
          • S2-004Directory traversal vulnerability while serving static content
          • S2-005XWork ParameterInterceptors bypass allows remote command execution
          • S2-006Multiple Cross-Site Scripting (XSS) in XWork generated error pages
          • S2-007User input is evaluated as an OGNL expression when there's a conversion error
          • S2-008Multiple critical vulnerabilities in Struts2
          • S2-009ParameterInterceptor vulnerability allows remote command execution
          • S2-010When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes
          • S2-011Long request parameter names might significantly promote the effectiveness of DOS attacks
          • S2-012Showcase app vulnerability allows remote command execution
          • S2-013A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution
          • S2-014A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks
          • S2-015A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.
          • S2-016A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution
          • S2-017A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects
          • S2-018Broken Access Control Vulnerability in Apache Struts2
          • S2-019Dynamic Method Invocation disabled by default
          • S2-020Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)
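Review bot: the new S2-020 entry repeats the bulletin's full summary sentence, whereas every other entry in the list is a short description of the vulnerability class; a shorter title consistent with the list and with the bulletin's "Impact of vulnerability" line, such as "DoS via Commons FileUpload and ClassLoader manipulation via ParametersInterceptor", would fit better. The hunk also removes and re-adds all nineteen existing entries unchanged for a one-line addition, which indicates the generator rewrote the whole block (whitespace or wrapper markup); that hides the real change from reviewers and is worth fixing in the export template.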
          @@ -194,6 +194,9 @@ under the License. $page.link($child) (Apache Struts 2 Documentation)
          + $page.link($child) + (Apache Struts 2 Documentation) +
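Review bot: same pattern as the second migration-guide.html hunk earlier in this commit: the added `$page.link($child)` and `(Apache Struts 2 Documentation)` lines are unrendered template placeholders and should not appear verbatim in the published security-bulletins.html; check the generated output.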
          Modified: websites/production/struts/content/release/2.3.x/docs/struts-2-blank-archetype.html ============================================================================== --- websites/production/struts/content/release/2.3.x/docs/struts-2-blank-archetype.html (original) +++ websites/production/struts/content/release/2.3.x/docs/struts-2-blank-archetype.html Thu Mar 6 08:09:26 2014 @@ -145,11 +145,11 @@ under the License.

          Contents

          +/*]]>*/
          • 1 Creating Our blank-archetype Project
          • 2 Project Structure Modified: websites/production/struts/content/release/2.3.x/docs/struts-2-maven-archetypes.html ============================================================================== --- websites/production/struts/content/release/2.3.x/docs/struts-2-maven-archetypes.html (original) +++ websites/production/struts/content/release/2.3.x/docs/struts-2-maven-archetypes.html Thu Mar 6 08:09:26 2014 @@ -139,11 +139,11 @@ under the License.

            Contents

            +/*]]>*/
            • 1 Quickstart
            • 2 Available Archetypes
            • 3 Creating an Application Using a Maven Archetype Modified: websites/production/struts/content/release/2.3.x/docs/struts-2-spring-2-jpa-ajax.html ============================================================================== --- websites/production/struts/content/release/2.3.x/docs/struts-2-spring-2-jpa-ajax.html (original) +++ websites/production/struts/content/release/2.3.x/docs/struts-2-spring-2-jpa-ajax.html Thu Mar 6 08:09:26 2014 @@ -154,11 +154,11 @@ under the License.
              +/*]]>*/
              • Prerequisites
              • Get the code Modified: websites/production/struts/content/release/2.3.x/docs/type-conversion.html ============================================================================== --- websites/production/struts/content/release/2.3.x/docs/type-conversion.html (original) +++ websites/production/struts/content/release/2.3.x/docs/type-conversion.html Thu Mar 6 08:09:26 2014 @@ -139,11 +139,11 @@ under the License.

                Routine type conversion in the framework is transparent. Generally, all you need to do is ensure that HTML inputs have names that can be used in OGNL expressions. (HTML inputs are form elements and other GET/POST parameters.)

                +/*]]>*/
                • 1 Built in Type Conversion Support
                • 2 Relationship to Parameter Names
                • 3 Creating a Type Converter
                • 4 Applying a Type Converter to an Action
                • 5 Applying a Type Converter to a bean or model
                • 6 Applying a Type Converter for an application
                • 7 A Simple Example
                • 8 Advanced Type Conversion
                  • 8.1 Null Property Handling
                  • 8.2 Collection and Map Support Modified: websites/production/struts/content/release/2.3.x/docs/using-freemarker-templates.html ============================================================================== --- websites/production/struts/content/release/2.3.x/docs/using-freemarker-templates.html (original) +++ websites/production/struts/content/release/2.3.x/docs/using-freemarker-templates.html Thu Mar 6 08:09:26 2014 @@ -138,11 +138,11 @@ under the License.

                    FreeMarker is a Java-based template engine that is a great alternative to JSP. FreeMarker is ideal for situations where your action results can possibly be loaded from outside a Servlet container. For example, if you wished to support plugins in your application, you might wish to use FreeMarker so that the plugins could provide the entire action class and view in a single jar that is loaded from the classloader.

                    +/*]]>*/
                    • Configure your action to use the "freemarker" result type
                    • Using properties
                    • Servlet / JSP Scoped Objects
                    • Template Loading
                    • Variable Resolution
                    • FreeMarker configuration
                    • Tags Modified: websites/production/struts/content/release/2.3.x/docs/validation.html ============================================================================== --- websites/production/struts/content/release/2.3.x/docs/validation.html (original) +++ websites/production/struts/content/release/2.3.x/docs/validation.html Thu Mar 6 08:09:26 2014 @@ -137,11 +137,11 @@ under the License.

                      Struts 2 validation is configured via XML or annotations. Manual validation in the action is also possible, and may be combined with XML and annotation-driven validation.

                      Validation also depends on both the validation and workflow interceptors (both are included in the default interceptor stack). The validation interceptor does the validation itself and creates a list of field-specific errors. The workflow interceptor checks for the presence of validation errors: if any are found, it returns the "input" result (by default), taking the user back to the form which contained the validation errors.

                      If we're using the default settings and our action doesn't have an "input" result defined and there are validation (or, incidentally, type conversion) errors, we'll get an error message back telling us there's no "input" result defined for the action.

                      CONT ENTS

                      +/*]]>*/

                      Added: websites/production/struts/content/release/2.3.x/docs/version-notes-23161.html ============================================================================== --- websites/production/struts/content/release/2.3.x/docs/version-notes-23161.html (added) +++ websites/production/struts/content/release/2.3.x/docs/version-notes-23161.html Thu Mar 6 08:09:26 2014 @@ -0,0 +1,166 @@ + + + + + + + + + + + + + + + + Version Notes 2.3.16.1 + + + + + + + +
                      +  Home > Guides > Migration Guide > Version Notes 2.3.16.1 + +
                      + + + + + + +
                      +
                      + +
                      + + +
                      +
                      +

                      (tick) These are the notes for the Struts 2.3.16.1 distribution.

                      (tick) For prior notes in this release series, see Version Notes 2.3.16

                      • If you are a Maven user, you might want to get started using the Maven Archetype.
                      • Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development.
                      Maven Dependency
                      + +

                      You can also use Struts Archetype Catalog like below

                      Struts Archetype Catalog
                      + +
                      Staging Repository
                      + +

                      Internal Changes

                      • Upgrades Commons FileUpload to version 1.3.1 to prevent DoS attacks, more details can be found here and here
                      • Excludes 'class' parameter name to avoid ClassLoader manipulation via ParametersInterceptor

                      Issue Detail

                      Issue List

                      Other resources

                      +
                      + + +
                      +
                      + + + \ No newline at end of file
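Review bot: the first bullet under "Internal Changes" links with the text "here and here", which tells the reader nothing about the targets; since this commit also adds the S2-020 bulletin (s2-020.html), which gives CVE-2014-0050 for the FileUpload DoS, the bullet should name them, e.g. "see S2-020 and CVE-2014-0050". Further points: "(tick)" is the Confluence emoticon macro leaking into the exported text; the snippets under "Maven Dependency", "Struts Archetype Catalog" and "Staging Repository" did not survive this rendering ("+ +" only) and should be verified in the committed HTML; the "Issue Detail", "Issue List" and "Other resources" headings have no content under them; and a "Staging Repository" section in the notes of a released version (2.3.16.1, which S2-020 tells developers to upgrade to immediately) should either be dropped or point at the release repository, since users following these notes should not be pulling a security release from staging.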