From commits-return-19406-archive-asf-public=cust-asf.ponee.io@struts.apache.org Sat Dec 12 21:05:54 2020 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mxout1-he-de.apache.org (mxout1-he-de.apache.org [95.216.194.37]) by mx-eu-01.ponee.io (Postfix) with ESMTPS id 33D40180648 for ; Sat, 12 Dec 2020 22:05:54 +0100 (CET) Received: from mail.apache.org (mailroute1-lw-us.apache.org [207.244.88.153]) by mxout1-he-de.apache.org (ASF Mail Server at mxout1-he-de.apache.org) with SMTP id 6414E65833 for ; Sat, 12 Dec 2020 21:05:53 +0000 (UTC) Received: (qmail 22020 invoked by uid 500); 12 Dec 2020 21:05:52 -0000 Mailing-List: contact commits-help@struts.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@struts.apache.org Delivered-To: mailing list commits@struts.apache.org Received: (qmail 22011 invoked by uid 99); 12 Dec 2020 21:05:52 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 12 Dec 2020 21:05:52 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id 9F96E81ADE; Sat, 12 Dec 2020 21:05:51 +0000 (UTC) Date: Sat, 12 Dec 2020 21:05:51 +0000 To: "commits@struts.apache.org" Subject: [struts-site] branch asf-staging updated: Updates stage by Jenkins MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Message-ID: <160780715139.5419.16294132409167258922@gitbox.apache.org> 
From: git-site-role@apache.org X-Git-Host: gitbox.apache.org X-Git-Repo: struts-site X-Git-Refname: refs/heads/asf-staging X-Git-Reftype: branch X-Git-Oldrev: c94ea3f2e15d5e00af629be84d1dd8ce53f33fc2 X-Git-Newrev: a6197063abea8681b1ce337acdaecda3ed2b7d5f X-Git-Rev: a6197063abea8681b1ce337acdaecda3ed2b7d5f X-Git-NotificationType: ref_changed_plus_diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/struts-site.git The following commit(s) were added to refs/heads/asf-staging by this push: new a619706 Updates stage by Jenkins a619706 is described below commit a6197063abea8681b1ce337acdaecda3ed2b7d5f Author: jenkins AuthorDate: Sat Dec 12 21:05:47 2020 +0000 Updates stage by Jenkins --- content/announce.html | 27 +++++++++++++++++++++ ...essing-application-session-request-objects.html | 22 +++++++++++------ content/core-developers/default-properties.html | 4 ---- content/index.html | 28 +++++++++++----------- content/tag-developers/set-tag.html | 5 ++-- content/tag-developers/text-tag.html | 5 ++++ content/tag-developers/url-tag.html | 5 ++++ 7 files changed, 69 insertions(+), 27 deletions(-) diff --git a/content/announce.html b/content/announce.html index ec1c806..9dcb38d 100644 --- a/content/announce.html +++ b/content/announce.html @@ -132,6 +132,7 @@

Announcements 2020

    +
  • 08 December 2020 - Potential RCE when using forced evaluation - CVE-2020-17530
  • 06 December 2020 - Struts 2.5.26 General Availability
  • 28 September 2020 - Struts 2.5.25 General Availability
  • 13 August 2020 - Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues
  • @@ -141,6 +142,32 @@ Skip to: Announcements - 2019

    +

    08 December 2020 - Potential RCE when using forced evaluation - CVE-2020-17530

    + +

    The Apache Struts Security team would like to announce that forced OGNL evaluation, when evaluated on raw user input +in tag attributes, may lead to remote code execution.

    + +

    Problem

    + +

    Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation +by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution +and security degradation.

    + +

    Solution

    + +

    Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26 which checks if expression +evaluation won’t lead to the double evaluation.

    + +

    Please read our Security Bulletin S2-061 for more details.

    + +

    This vulnerability was identified by:

    +
      +
    • Alvaro Munoz - pwntester at github dot com
    • +
    • Masato Anzai of Aeye Security Lab, inc.
    • +
    + +

    All developers are strongly advised to perform this action.

    +

    06 December 2020 - Struts 2.5.26 General Availability

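Review bot: the Solution paragraph in this announce.html hunk says "and/or upgrade to Struts 2.5.26", which reads as if avoiding forced OGNL evaluation on untrusted input were an alternative to upgrading; suggest "Avoid using forced OGNL evaluation on untrusted user input, and upgrade to Struts 2.5.26 ..." so the code-level change and the version upgrade are both presented as required. The Problem paragraph also says "Some of the tag's attributes" without naming them or linking to a list; point readers to the attributes covered in Security Bulletin S2-061 rather than leaving it to guesswork.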
    The Apache Struts group is pleased to announce that Struts 2.5.26 is available as a “General Availability” diff --git a/content/core-developers/accessing-application-session-request-objects.html b/content/core-developers/accessing-application-session-request-objects.html index 5ee2287..d864d0e 100644 --- a/content/core-developers/accessing-application-session-request-objects.html +++ b/content/core-developers/accessing-application-session-request-objects.html @@ -144,16 +144,16 @@

    Accessing servlet scopes

    Map attr = (Map) ActionContext.getContext().get("attr");
    -attr.put("myId",myProp);
    +attr.put("myId", myProp);  // Page scope.
     
     Map application = (Map) ActionContext.getContext().get("application");
    -application.put("myId",myProp);
    +application.put("myId", myProp);
     
     Map session = (Map) ActionContext.getContext().get("session");
     session.put("myId", myProp);
     
     Map request = (Map) ActionContext.getContext().get("request");
    -request.put("myId",myProp);
    +request.put("myId", myProp);
     
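Review bot: in the @@ -144 hunk of accessing-application-session-request-objects.html, only the attr line gains a "// Page scope." comment while the application, session and request lines (which receive the same whitespace fix) stay uncommented; label all four maps or none, e.g. `application.put("myId", myProp);  // Application scope.`, so the snippet reads consistently. The raw `Map` casts are untouched, but while editing these lines `Map<String, Object>` would let the example compile without unchecked warnings.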
    @@ -174,18 +174,26 @@ is an alternative way to access the request and response objects, with the same

    Accessing from the view (JSP, FreeMarker, etc.)

    -

    Request and session attributes are accessed via OGNL using the #session and #request stack values.

    +

    Request and session attributes are accessed via OGNL using the #session and #request stack values. +Page attributes are accessed via OGNL using the #attr stack value, and Application attributes via +the #application stack value.

    The #attr stack value will search the javax.servlet.jsp.PageContext for the specified key. If the PageContext -doean’t exist, it will search the request, session, and application scopes, in that order.

    +doesn’t exist, it will search the request, session, and application scopes, in that order.

    -

    Accessing the Session or Request from a JSP

    +

    Accessing attributes in the Application, Session, Request, or Page scope from a JSP

    -
    <s:property value="#session.myId" />
    +
    Retrieve the attribute (property), with key myId, from the specified scope:
    +
    +<s:property value="#application.myId" />
    +
    +<s:property value="#session.myId" />
     
     <s:property value="#request.myId" />
     
     <s:property value="#attr.myId" />
    +
    +Reminder: attr is for Page scope attributes first, but will search the remaining scopes, in order, seeking a match.
     
    diff --git a/content/core-developers/default-properties.html b/content/core-developers/default-properties.html index ecf0b38..0b3762f 100644 --- a/content/core-developers/default-properties.html +++ b/content/core-developers/default-properties.html @@ -267,10 +267,6 @@ struts.mapper.action.prefix.enabled = false ### Blocks access to actions in other namespace than current with action: prefix struts.mapper.action.prefix.crossNamespaces = false -### use alternative syntax that requires %{} in most places -### to evaluate expressions for String attributes for tags -struts.tag.altSyntax=true - ### when set to true, Struts will act much more friendly for developers. This ### includes: ### - struts.i18n.reload = true diff --git a/content/index.html b/content/index.html index f3a6a18..2d5adae 100644 --- a/content/index.html +++ b/content/index.html @@ -145,28 +145,28 @@
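Review bot: the default-properties.html hunk on the line above deletes the `struts.tag.altSyntax=true` entry and its two comment lines with no replacement text; if the property was removed from default.properties in 2.5.26 the page should say so and name the version, and if it is only deprecated it should stay listed with that status, otherwise readers who still set it will not know whether it is ignored.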
    -

    Google's Patch Reward program

    -

    During SFHTML5 Google announced that - they extend their program to cover the Apache Struts project as well. Now you can earn - money preparing patches for us! - read more +

    Apache Struts 2.5.26 GA

    +

    + Apache Struts 2.5.26 GA has been released
    on 06 December 2020.

    + Read more in Announcement or in + Version notes
    -

    Security Advice S2-058 released

    +

    Security Advice S2-061 released

    - A number of historic Struts Security Bulletins and related CVE database entries contained incorrect affected release version ranges. - Read more in - Announcement + Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. + Read more in + Announcement

    -

    Apache Struts 2.5.26 GA

    -

    - Apache Struts 2.5.26 GA has been released
    on 06 December 2020. +

    Google's Patch Reward program

    +

    During SFHTML5 Google announced that + they extend their program to cover the Apache Struts project as well. Now you can earn + money preparing patches for us! + read more

    - Read more in Announcement or in - Version notes
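Review bot: the new "Security Advice S2-061 released" box in the index.html hunk omits the CVE identifier that the announce.html entry in this same commit carries (CVE-2020-17530); add it to the box text so the front page matches the announcement and is findable by readers searching for the CVE. Dropping the "Security Advice S2-058 released" box also removes the only front-page pointer to the corrected affected-version ranges; keep a link to that announcement rather than removing it outright.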
    diff --git a/content/tag-developers/set-tag.html b/content/tag-developers/set-tag.html index 3b508f0..33cd79a 100644 --- a/content/tag-developers/set-tag.html +++ b/content/tag-developers/set-tag.html @@ -151,11 +151,12 @@ the body evaluates is set as value for the scoped variable.

  • session - the value will be set in session scope according to servlet spec. using the name as key
  • request - the value will be set in request scope according to servlet spec. using the name as key
  • page - the value will be set in page scope according to servlet spec. using the name as key
  • -
  • action - the value will be set in the request scope and Struts’ action context using the name as key
  • +
  • action - the value will be set in the page scope and Struts’ action context using the name as key
-

NOTE: If no scope is specified, it will default to action scope.

+

NOTE: If no scope is specified, it will default to action scope. For the set tag specifically, this also +places (sets) the generated value into the page scope as well.

Assigns a value to a variable in a specified scope

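Review bot: the set-tag.html hunk changes the "action" scope description from "request scope" to "page scope" and the NOTE adds that action scope also sets the page scope; since this contradicts the previous text, state whether it is a documentation correction or a behaviour change, and from which version, so readers on older releases know which description applies to them. Also "this also places (sets) the generated value into the page scope as well" uses both "also" and "as well"; drop one.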
diff --git a/content/tag-developers/text-tag.html b/content/tag-developers/text-tag.html index f3ddb56..d7cd171 100644 --- a/content/tag-developers/text-tag.html +++ b/content/tag-developers/text-tag.html @@ -218,6 +218,11 @@ If no value is found on the stack, the key of the message will be written out. +
+

NOTE: When the var attribute is used with the text tag, the tag’s generated value will not be written out to the +visible page (it will only be placed into the action scope).

+
+

Examples

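Review bot: the text-tag.html NOTE says a `var` value "will only be placed into the action scope", while the url-tag hunk in this same commit says `var` on the url tag also writes to the request scope; the per-tag difference is easy to miss, so state or cross-reference the comparison here. The Examples section that follows the NOTE has no example using `var`, which is exactly the case the NOTE covers; add one.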
diff --git a/content/tag-developers/url-tag.html b/content/tag-developers/url-tag.html index 220d33f..6306d5b 100644 --- a/content/tag-developers/url-tag.html +++ b/content/tag-developers/url-tag.html @@ -321,6 +321,11 @@ because the parameter defined in the param +
+

NOTE: When the var attribute is used with the url tag, the tag’s generated URL value will be placed into the request scope +in addition to the action scope.

+
+

Examples

<!-- Example 1 -->
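Review bot: the url-tag.html NOTE says the generated URL goes into the request scope in addition to the action scope, the text-tag NOTE says action scope only, and the set-tag hunk describes action scope as page scope plus action context; this commit now documents three different scope rules for `var` across three tag pages with no link between them, so a short cross-reference (or one table on a shared page) would stop developers assuming a single rule. The NOTE is also inserted directly after the "because the parameter defined in the param" sentence and before the Examples heading; make sure it renders as its own paragraph rather than as a continuation of that sentence.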