struts-commits mailing list archives

From git-site-r...@apache.org
Subject [struts-site] branch asf-staging updated: Updates stage by Jenkins
Date Sat, 12 Dec 2020 21:05:51 GMT
This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new a619706  Updates stage by Jenkins
a619706 is described below

commit a6197063abea8681b1ce337acdaecda3ed2b7d5f
Author: jenkins <builds@apache.org>
AuthorDate: Sat Dec 12 21:05:47 2020 +0000

    Updates stage by Jenkins
---
 content/announce.html                              | 27 +++++++++++++++++++++
 ...essing-application-session-request-objects.html | 22 +++++++++++------
 content/core-developers/default-properties.html    |  4 ----
 content/index.html                                 | 28 +++++++++++-----------
 content/tag-developers/set-tag.html                |  5 ++--
 content/tag-developers/text-tag.html               |  5 ++++
 content/tag-developers/url-tag.html                |  5 ++++
 7 files changed, 69 insertions(+), 27 deletions(-)

diff --git a/content/announce.html b/content/announce.html
index ec1c806..9dcb38d 100644
--- a/content/announce.html
+++ b/content/announce.html
@@ -132,6 +132,7 @@
     <h1 class="no_toc" id="announcements-2020">Announcements 2020</h1>
 
 <ul id="markdown-toc">
+  <li><a href="#a20201208" id="markdown-toc-a20201208">08 December 2020 - Potential
RCE when using forced evaluation - CVE-2020-17530</a></li>
   <li><a href="#a20201206" id="markdown-toc-a20201206">06 December 2020 - Struts
2.5.26 General Availability</a></li>
   <li><a href="#a20200928" id="markdown-toc-a20200928">28 September 2020 - Struts
2.5.25 General Availability</a></li>
   <li><a href="#a20200813" id="markdown-toc-a20200813">13 August 2020 - Security
Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues</a></li>
@@ -141,6 +142,32 @@
   Skip to: <a href="announce-2019.html">Announcements - 2019</a>
 </p>
 
+<h4 id="a20201208">08 December 2020 - Potential RCE when using forced evaluation -
CVE-2020-17530</h4>
+
+<p>The Apache Struts Security team would like to announce that forced OGNL evaluation,
when evaluated on raw user input 
+in tag attributes, may lead to remote code execution.</p>
+
+<p><strong>Problem</strong></p>
+
+<p>Some of the tag’s attributes could perform a double evaluation if a developer
applied forced OGNL evaluation 
+by using the <code class="highlighter-rouge">%{...}</code> syntax. Using forced
OGNL evaluation on untrusted user input can lead to a Remote Code Execution 
+and security degradation.</p>
+
+<p><strong>Solution</strong></p>
+
+<p>Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts
2.5.26 which checks if expression 
+evaluation won’t lead to the double evaluation.</p>
+
+<p>Please read our Security Bulletin <a href="https://cwiki.apache.org/confluence/display/WW/S2-061">S2-061</a>
for more details.</p>
+
+<p>This vulnerability was identified by:</p>
+<ul>
+  <li>Alvaro Munoz - pwntester at github dot com</li>
+  <li>Masato Anzai of Aeye Security Lab, inc.</li>
+</ul>
+
+<p><strong>All developers are strongly advised to perform this action.</strong></p>
+
 <h4 id="a20201206">06 December 2020 - Struts 2.5.26 General Availability</h4>
 
 <p>The Apache Struts group is pleased to announce that Struts 2.5.26 is available as
a “General Availability”
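Review bot: the Solution paragraph's "and/or" reads as if upgrading to 2.5.26 alone makes forced OGNL evaluation on untrusted input safe, while the Problem paragraph two lines earlier says that pattern itself "can lead to a Remote Code Execution"; suggest "Avoid using forced OGNL evaluation on untrusted user input, and upgrade to Struts 2.5.26 ..." so both steps are clearly required. The announcement also gives no affected version range, so a reader triaging from this page rather than the linked S2-061 bulletin has nothing to compare a deployed version against; add the affected releases next to the CVE identifier. Minor: "checks if expression evaluation won't lead to the double evaluation" is a double negative; "checks that an expression is not evaluated twice" says the same thing more plainly.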
diff --git a/content/core-developers/accessing-application-session-request-objects.html b/content/core-developers/accessing-application-session-request-objects.html
index 5ee2287..d864d0e 100644
--- a/content/core-developers/accessing-application-session-request-objects.html
+++ b/content/core-developers/accessing-application-session-request-objects.html
@@ -144,16 +144,16 @@
 <p><strong>Accessing servlet scopes</strong></p>
 
 <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span
class="n">Map</span> <span class="n">attr</span> <span class="o">=</span>
<span class="o">(</span><span class="n">Map</span><span class="o">)</span>
<span class="n">ActionContext</span><span class="o">.</span><span
class="na">getContext</span><span class="o">().</span><span class="na">get</span><span
class="o">(</span><span class="s">"attr"</span><span class="o">);</span>
-<span class="n">attr</span><span class="o">.</span><span class="na">put</span><span
class="o">(</span><span class="s">"myId"</span><span class="o">,</span><span
class="n">myProp</span><span class="o">);</span>
+<span class="n">attr</span><span class="o">.</span><span class="na">put</span><span
class="o">(</span><span class="s">"myId"</span><span class="o">,</span>
<span class="n">myProp</span><span class="o">);</span>  <span class="c1">//
Page scope.</span>
 
 <span class="n">Map</span> <span class="n">application</span> <span
class="o">=</span> <span class="o">(</span><span class="n">Map</span><span
class="o">)</span> <span class="n">ActionContext</span><span class="o">.</span><span
class="na">getContext</span><span class="o">().</span><span class="na">get</span><span
class="o">(</span><span class="s">"application"</span><span class="o">);</span>
-<span class="n">application</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span><span class="n">myProp</span><span class="o">);</span>
+<span class="n">application</span><span class="o">.</span><span
class="na">put</span><span class="o">(</span><span class="s">"myId"</span><span
class="o">,</span> <span class="n">myProp</span><span class="o">);</span>
 
 <span class="n">Map</span> <span class="n">session</span> <span
class="o">=</span> <span class="o">(</span><span class="n">Map</span><span
class="o">)</span> <span class="n">ActionContext</span><span class="o">.</span><span
class="na">getContext</span><span class="o">().</span><span class="na">get</span><span
class="o">(</span><span class="s">"session"</span><span class="o">);</span>
 <span class="n">session</span><span class="o">.</span><span class="na">put</span><span
class="o">(</span><span class="s">"myId"</span><span class="o">,</span>
<span class="n">myProp</span><span class="o">);</span>
 
 <span class="n">Map</span> <span class="n">request</span> <span
class="o">=</span> <span class="o">(</span><span class="n">Map</span><span
class="o">)</span> <span class="n">ActionContext</span><span class="o">.</span><span
class="na">getContext</span><span class="o">().</span><span class="na">get</span><span
class="o">(</span><span class="s">"request"</span><span class="o">);</span>
-<span class="n">request</span><span class="o">.</span><span class="na">put</span><span
class="o">(</span><span class="s">"myId"</span><span class="o">,</span><span
class="n">myProp</span><span class="o">);</span>
+<span class="n">request</span><span class="o">.</span><span class="na">put</span><span
class="o">(</span><span class="s">"myId"</span><span class="o">,</span>
<span class="n">myProp</span><span class="o">);</span>
 </code></pre></div></div>
 
 <blockquote>
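Review bot: the new `// Page scope.` comment on `attr.put("myId", myProp)` is only accurate when a PageContext exists; the same page states further down that `#attr` falls back to request, session and application when it does not, so the comment should say so, e.g. `// Page scope when a PageContext exists; see the #attr lookup order below.` The other three `put` lines in this hunk only gain a space after the comma, which is fine, but for consistency they could carry `// Application scope.`, `// Session scope.` and `// Request scope.` as well. Nit: the raw `(Map)` casts could be written as `Map<String, Object>` so that copied code does not produce unchecked-cast warnings.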
@@ -174,18 +174,26 @@ is an alternative way to access the request and response objects, with
the same
 
 <h2 id="accessing-from-the-view-jsp-freemarker-etc">Accessing from the view (JSP, FreeMarker,
etc.)</h2>
 
-<p>Request and session attributes are accessed via OGNL using the <code class="highlighter-rouge">#session</code>
and <code class="highlighter-rouge">#request</code> stack values.</p>
+<p>Request and session attributes are accessed via OGNL using the <code class="highlighter-rouge">#session</code>
and <code class="highlighter-rouge">#request</code> stack values.
+Page attributes are accessed via OGNL using the <code class="highlighter-rouge">#attr</code>
stack value, and Application attributes via
+the <code class="highlighter-rouge">#application</code> stack value.</p>
 
 <p>The <code class="highlighter-rouge">#attr</code> stack value will search
the <code class="highlighter-rouge">javax.servlet.jsp.PageContext</code> for the
specified key. If the <code class="highlighter-rouge">PageContext</code>
-doean’t exist, it will search the request, session, and application scopes, in that order.</p>
+doesn’t exist, it will search the request, session, and application scopes, in that order.</p>
 
-<p><strong>Accessing the Session or Request from a JSP</strong></p>
+<p><strong>Accessing attributes in the Application, Session, Request, or Page
scope from a JSP</strong></p>
 
-<pre><code class="language-jsp">&lt;s:property value="#session.myId" /&gt;
+<pre><code class="language-jsp">Retrieve the attribute (property), with key myId,
from the specified scope:
+
+&lt;s:property value="#application.myId" /&gt;
+
+&lt;s:property value="#session.myId" /&gt;
 
 &lt;s:property value="#request.myId" /&gt;
 
 &lt;s:property value="#attr.myId" /&gt;
+
+Reminder: attr is for Page scope attributes first, but will search the remaining scopes,
in order, seeking a match.
 </code></pre>
 
   </section>
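Review bot: the `<pre><code class="language-jsp">` block now opens with an English sentence ("Retrieve the attribute (property), with key myId, from the specified scope:") and closes with another ("Reminder: attr is for Page scope attributes first ..."), neither of which is JSP; move both into the surrounding `<p>` text, or wrap them as JSP comments (`<%-- ... --%>`) if they must stay inline, otherwise anyone copying the snippet pastes prose into a page. The new sentence "Page attributes are accessed via OGNL using the `#attr` stack value" also sits directly above the paragraph explaining that `#attr` searches the PageContext and then request, session and application; merging the two would state the fallback behaviour once instead of twice.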
diff --git a/content/core-developers/default-properties.html b/content/core-developers/default-properties.html
index ecf0b38..0b3762f 100644
--- a/content/core-developers/default-properties.html
+++ b/content/core-developers/default-properties.html
@@ -267,10 +267,6 @@ struts.mapper.action.prefix.enabled = false
 ### Blocks access to actions in other namespace than current with action: prefix
 struts.mapper.action.prefix.crossNamespaces = false
 
-### use alternative syntax that requires %{} in most places
-### to evaluate expressions for String attributes for tags
-struts.tag.altSyntax=true
-
 ### when set to true, Struts will act much more friendly for developers. This
 ### includes:
 ### - struts.i18n.reload = true
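Review bot: dropping `struts.tag.altSyntax=true` from the documented defaults comes with no note on the page, so a reader who still has this key in struts.properties cannot tell whether it is now ignored, unsupported or still honoured; add a sentence (or a version-notes entry) saying what happened to the setting and in which release. Since this same commit publishes the CVE-2020-17530 announcement about `%{...}` forced evaluation, and this property's own comment ties it to "%{} ... to evaluate expressions for String attributes for tags", leaving its status unstated invites readers to guess whether the removal is part of the fix.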
diff --git a/content/index.html b/content/index.html
index f3a6a18..2d5adae 100644
--- a/content/index.html
+++ b/content/index.html
@@ -145,28 +145,28 @@
   <div class="col-md-12">
     <div class="row">
       <div class="column col-md-4">
-        <h2>Google's Patch Reward program</h2>
-        <p>During <a href="http://www.meetup.com/sfhtml5/">SFHTML5</a>
Google announced that
-          they extend their program to cover the Apache Struts project as well. Now you can
earn
-          money preparing patches for us!
-          <a href="submitting-patches.html#googles-patch-reward-program">read more</a>
+        <h2>Apache Struts 2.5.26 GA</h2>
+        <p>
+          Apache Struts 2.5.26 GA has been released<br/>on 06 December 2020.
         </p>
+        Read more in <a href="announce.html#a20201206">Announcement</a> or in
+        <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.26">Version
notes</a>
       </div>
       <div class="column col-md-4">
-        <h2>Security Advice S2-058 released</h2>
+        <h2>Security Advice S2-061 released</h2>
         <p>
-            A number of historic Struts Security Bulletins and related CVE database entries
contained incorrect affected release version ranges.
-            Read more in
-          <a href="announce#a20200813">Announcement</a>
+          Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may
lead to remote code execution.
+          Read more in
+          <a href="announce#a20201208">Announcement</a>
         </p>
       </div>
       <div class="column col-md-4">
-        <h2>Apache Struts 2.5.26 GA</h2>
-        <p>
-          Apache Struts 2.5.26 GA has been released<br/>on 06 December 2020.
+        <h2>Google's Patch Reward program</h2>
+        <p>During <a href="http://www.meetup.com/sfhtml5/">SFHTML5</a>
Google announced that
+          they extend their program to cover the Apache Struts project as well. Now you can
earn
+          money preparing patches for us!
+          <a href="submitting-patches.html#googles-patch-reward-program">read more</a>
         </p>
-        Read more in <a href="announce.html#a20201206">Announcement</a> or in
-        <a href="https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.26">Version
notes</a>
       </div>
     </div>
     <div class="row">
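Review bot: the S2-061 box links to `announce#a20201208` (no `.html`) while the 2.5.26 box on the same page links to `announce.html#a20201206`; the extension-less form only works if the web server maps `announce` to `announce.html`, so use `announce.html#a20201208` for consistency. The security-advice box also says only "Forced OGNL evaluation ... may lead to remote code execution" without the CVE identifier; adding "CVE-2020-17530" to the heading or text lets readers match it against scanner output without clicking through. Nit: the meetup link is `http://`, and the three columns were reordered rather than edited in place, which makes the diff larger than the actual change.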
diff --git a/content/tag-developers/set-tag.html b/content/tag-developers/set-tag.html
index 3b508f0..33cd79a 100644
--- a/content/tag-developers/set-tag.html
+++ b/content/tag-developers/set-tag.html
@@ -151,11 +151,12 @@ the body evaluates is set as value for the scoped variable.</p>
   <li><code class="highlighter-rouge">session</code> - the value will be
set in session scope according to servlet spec. using the name as key</li>
   <li><code class="highlighter-rouge">request</code> - the value will be
set in request scope according to servlet spec. using the name as key</li>
   <li><code class="highlighter-rouge">page</code> - the value will be set
in page scope according to servlet spec. using the name as key</li>
-  <li><code class="highlighter-rouge">action</code> - the value will be
set in the request scope and Struts’ action context using the name as key</li>
+  <li><code class="highlighter-rouge">action</code> - the value will be
set in the page scope and Struts’ action context using the name as key</li>
 </ul>
 
 <blockquote>
-  <p><strong>NOTE</strong>: If no scope is specified, it will default to
<code class="highlighter-rouge">action</code> scope.</p>
+  <p><strong>NOTE</strong>: If no scope is specified, it will default to
<code class="highlighter-rouge">action</code> scope.  For the <code class="highlighter-rouge">set</code>
tag <strong>specifically</strong>, this also
+places (sets) the generated value into the <code class="highlighter-rouge">page</code>
scope as well.</p>
 </blockquote>
 
 <p>Assigns a value to a variable in a specified scope</p>
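Review bot: the `action` bullet changes from "set in the request scope" to "set in the page scope" with no version qualifier; since this describes runtime behaviour of the `scope` attribute, say which Struts releases it applies to, or readers on older releases (where the previous wording may have been correct) will be misled. The added NOTE then repeats the same fact ("also places (sets) the generated value into the page scope as well"), so either drop the bullet change or reduce the NOTE to the default-scope statement. Also, "For the set tag specifically" reads oddly on the set tag's own page; if the scope list is shared text across tag pages, say so, otherwise remove the qualifier.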
diff --git a/content/tag-developers/text-tag.html b/content/tag-developers/text-tag.html
index f3ddb56..d7cd171 100644
--- a/content/tag-developers/text-tag.html
+++ b/content/tag-developers/text-tag.html
@@ -218,6 +218,11 @@ If no value is found on the stack, the key of the message will be written
out.</
         </tr>
 </table>
 
+<blockquote>
+  <p><strong>NOTE</strong>: When the <code class="highlighter-rouge">var</code>
attribute is used with the <code class="highlighter-rouge">text</code> tag, the
tag’s generated value <strong>will not</strong> be written out to the
+visible page (it will only be placed into the action scope).</p>
+</blockquote>
+
 <h2 id="examples">Examples</h2>
 
 <blockquote>
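Review bot: "it will only be placed into the action scope" is undefined on this page; the set-tag page touched in this same commit defines `action` as "Struts' action context", and it is worth saying that here and showing how the stored message is read back afterwards (by the `var` name as an OGNL stack reference), otherwise a reader only learns that nothing is rendered. The sentence could also lead with the positive behaviour: with `var`, the tag stores the message under that name instead of writing it out.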
diff --git a/content/tag-developers/url-tag.html b/content/tag-developers/url-tag.html
index 220d33f..6306d5b 100644
--- a/content/tag-developers/url-tag.html
+++ b/content/tag-developers/url-tag.html
@@ -321,6 +321,11 @@ because the parameter defined in the <code class="highlighter-rouge">param</code
         </tr>
 </table>
 
+<blockquote>
+  <p><strong>NOTE</strong>: When the <code class="highlighter-rouge">var</code>
attribute is used with the <code class="highlighter-rouge">url</code> tag, the
tag’s generated URL value will be placed into the request scope
+<strong>in addition to</strong> the action scope.</p>
+</blockquote>
+
 <h2 id="examples">Examples</h2>
 
 <pre><code class="language-jsp">&lt;!-- Example 1 --&gt;
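Review bot: this NOTE and the text-tag NOTE added in the same commit describe `var` differently ("request scope in addition to the action scope" here, "only ... the action scope" there); if the two tags really differ, say why, and if not, one of the notes is wrong. The note should also name the request attribute key (presumably the `var` value) and mention that request attributes are visible to any later include or forward in the same request, so a URL assembled from request-supplied parameters should still be treated as untrusted wherever it is read back.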

