From commits-return-19406-archive-asf-public=cust-asf.ponee.io@struts.apache.org Sat Dec 12 21:05:54 2020
Return-Path: Announcements 2020
+
The Apache Struts Security team would like to announce that forced OGNL evaluation, when evaluated on raw user input +in tag attributes, may lead to remote code execution.
+ +Problem
+ +Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation
+by using the %{...}
syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution
+and security degradation.
Solution
+ +Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26 which checks if expression +evaluation won’t lead to the double evaluation.
+ +Please read our Security Bulletin S2-061 for more details.
+ +This vulnerability was identified by:
+All developers are strongly advised to perform this action.
+The Apache Struts group is pleased to announce that Struts 2.5.26 is available as a “General Availability” diff --git a/content/core-developers/accessing-application-session-request-objects.html b/content/core-developers/accessing-application-session-request-objects.html index 5ee2287..d864d0e 100644 --- a/content/core-developers/accessing-application-session-request-objects.html +++ b/content/core-developers/accessing-application-session-request-objects.html @@ -144,16 +144,16 @@
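Review bot: in the announce-2020 hunk, the Solution text says to avoid forced OGNL evaluation on untrusted input "and/or upgrade to Struts 2.5.26", which lets a reader conclude that upgrading alone is sufficient; since the same sentence describes the 2.5.26 change only as a check that evaluation "won't lead to the double evaluation", phrase it as two actions ("Avoid using forced OGNL evaluation on untrusted user input, and upgrade to Struts 2.5.26, which ..."). Also, "This vulnerability was identified by:" is followed by nothing in the hunk as shown; confirm the reporter credit is actually present before publishing. Minor: "perform this action" in the following sentence has no clear antecedent once it sits after the credit line; "perform the upgrade" is unambiguous.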
Accessing servlet scopes
Map attr = (Map) ActionContext.getContext().get("attr");
-attr.put("myId",myProp);
+attr.put("myId", myProp); // Page scope.
Map application = (Map) ActionContext.getContext().get("application");
-application.put("myId",myProp);
+application.put("myId", myProp);
Map session = (Map) ActionContext.getContext().get("session");
session.put("myId", myProp);
Map request = (Map) ActionContext.getContext().get("request");
-request.put("myId",myProp);
+request.put("myId", myProp);
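Review bot: only the attr.put line in this hunk receives a trailing scope comment (// Page scope.); a reader comparing the four calls will take the lone comment to mean page scope is a special case. Give the application, session and request lines matching comments (// Application scope., // Session scope., // Request scope.) or drop the one on attr. The spacing fix after the comma is fine as is.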
@@ -174,18 +174,26 @@ is an alternative way to access the request and response objects, with the sameAccessing from the view (JSP, FreeMarker, etc.)
-Request and session attributes are accessed via OGNL using the
+#session
and#request
stack values.Request and session attributes are accessed via OGNL using the
#session
and#request
stack values. +Page attributes are accessed via OGNL using the#attr
stack value, and Application attributes via +the#application
stack value.The
+doesn’t exist, it will search the request, session, and application scopes, in that order. -#attr
stack value will search thejavax.servlet.jsp.PageContext
for the specified key. If thePageContext
-doean’t exist, it will search the request, session, and application scopes, in that order.Accessing the Session or Request from a JSP
+Accessing attributes in the Application, Session, Request, or Page scope from a JSP
-<s:property value="#session.myId" /> +
diff --git a/content/core-developers/default-properties.html b/content/core-developers/default-properties.html index ecf0b38..0b3762f 100644 --- a/content/core-developers/default-properties.html +++ b/content/core-developers/default-properties.html @@ -267,10 +267,6 @@ struts.mapper.action.prefix.enabled = false ### Blocks access to actions in other namespace than current with action: prefix struts.mapper.action.prefix.crossNamespaces = false -### use alternative syntax that requires %{} in most places -### to evaluate expressions for String attributes for tags -struts.tag.altSyntax=true - ### when set to true, Struts will act much more friendly for developers. This ### includes: ### - struts.i18n.reload = true diff --git a/content/index.html b/content/index.html index f3a6a18..2d5adae 100644 --- a/content/index.html +++ b/content/index.html @@ -145,28 +145,28 @@Retrieve the attribute (property), with key myId, from the specified scope: + +<s:property value="#application.myId" /> + +<s:property value="#session.myId" /> <s:property value="#request.myId" /> <s:property value="#attr.myId" /> + +Reminder: attr is for Page scope attributes first, but will search the remaining scopes, in order, seeking a match.
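Review bot: the default-properties.html hunk deletes the three documented lines for struts.tag.altSyntax (the setting described as requiring %{} to evaluate expressions for String tag attributes) without telling the reader why; a one-line note on the setting's status (removed, deprecated or ignored) in place of a silent deletion would stop readers of the new page from copying the old key into their own configuration and expecting it to take effect, which matters given that the same commit announces the S2-061 forced-evaluation advisory. Separately, the accessing-application-session-request-objects.html example and its Reminder line describe #attr as searching page, request, session and application scopes in order; it is worth stating that this fallback makes the origin of a matched key ambiguous, so templates that care which scope a value came from should use the explicit #request, #session or #application prefixes shown just above rather than #attr.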
-Google's Patch Reward program
-During SFHTML5 Google announced that - they extend their program to cover the Apache Struts project as well. Now you can earn - money preparing patches for us! - read more +
Apache Struts 2.5.26 GA
++ Apache Struts 2.5.26 GA has been released
+ Read more in Announcement or in + Version notes
on 06 December 2020.-Security Advice S2-058 released
+Security Advice S2-061 released
- A number of historic Struts Security Bulletins and related CVE database entries contained incorrect affected release version ranges. - Read more in - Announcement + Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. + Read more in + Announcement
-Apache Struts 2.5.26 GA
-- Apache Struts 2.5.26 GA has been released
on 06 December 2020. +Google's Patch Reward program
+During SFHTML5 Google announced that + they extend their program to cover the Apache Struts project as well. Now you can earn + money preparing patches for us! + read more
- Read more in Announcement or in - Version notesdiff --git a/content/tag-developers/set-tag.html b/content/tag-developers/set-tag.html index 3b508f0..33cd79a 100644 --- a/content/tag-developers/set-tag.html +++ b/content/tag-developers/set-tag.html @@ -151,11 +151,12 @@ the body evaluates is set as value for the scoped variable.session
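Review bot: in the index.html news hunk, the new "Security Advice S2-061 released" entry links only to the Announcement, whereas the neighbouring 2.5.26 GA entry links to both the Announcement and the Version notes; since the announcement itself defers to "Security Bulletin S2-061" for details, link the bulletin from the front-page entry as well so readers reach the affected versions and the fix without a second hop. The entry also carries no date line, unlike the GA item's "on 06 December 2020"; add one so the advisory's publication date is visible. The summary sentence states the impact ("may lead to remote code execution") but not the action; a short "upgrade to 2.5.26 and avoid forced evaluation on untrusted input" would make the front page actionable on its own.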
- the value will be set in session scope according to servlet spec. using the name as keyrequest
- the value will be set in request scope according to servlet spec. using the name as key- page
- the value will be set in page scope according to servlet spec. using the name as key+ action
- the value will be set in the request scope and Struts’ action context using the name as keyaction
- the value will be set in the page scope and Struts’ action context using the name as key-NOTE: If no scope is specified, it will default to
+action
scope.NOTE: If no scope is specified, it will default to
action
scope. For theset
tag specifically, this also +places (sets) the generated value into thepage
scope as well.Assigns a value to a variable in a specified scope
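Review bot: the set-tag hunk leaves the action scope described two ways: the list item says the value "will be set in the request scope and Struts' action context", while the new NOTE says the default (action) scope "also places (sets) the generated value into the page scope as well". From these lines a reader cannot tell whether a value set without an explicit scope is reachable via #request or via #attr/page scope, so reconcile the two against the tag's actual behaviour and name one scope in both places. Also "also ... places (sets) ... as well" is doubly redundant; "also places the generated value into the page scope" is enough.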
diff --git a/content/tag-developers/text-tag.html b/content/tag-developers/text-tag.html index f3ddb56..d7cd171 100644 --- a/content/tag-developers/text-tag.html +++ b/content/tag-developers/text-tag.html @@ -218,6 +218,11 @@ If no value is found on the stack, the key of the message will be written out. +++NOTE: When the
+var
attribute is used with thetext
tag, the tag’s generated value will not be written out to the +visible page (it will only be placed into the action scope).Examples
diff --git a/content/tag-developers/url-tag.html b/content/tag-developers/url-tag.html index 220d33f..6306d5b 100644 --- a/content/tag-developers/url-tag.html +++ b/content/tag-developers/url-tag.html @@ -321,6 +321,11 @@ because the parameter defined in theparam
+++NOTE: When the
+var
attribute is used with theurl
tag, the tag’s generated URL value will be placed into the request scope +in addition to the action scope.Examples
<!-- Example 1 -->
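Review bot: the url-tag NOTE says the generated URL goes into the request scope "in addition to the action scope", while the text-tag NOTE added in the same commit says the text value goes only into the action scope; since both notes land together, say why the two var behaviours differ (or, if the difference is unintended, document one behaviour and track the other as a bug) so readers do not assume every tag's var is also a request attribute. The same cross-reference to the set-tag scope definitions requested for the text-tag page applies here for "action scope".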