Hi Thomás,
Aren't you testing an old vulnerable version?
If so, try the new one.
--
Pozdrawiam,
Paweł Wielgus.
tel: +48 604 603 546
2017-03-13 10:54 GMT+01:00 Tamás Barta :
> Lukasz, I don't write it to blame you. I very much appreciate your work.
>
> I just write to this list because it seems to me that these OGNL
> expressions are evaluated before my code is executed and I wonder if it can
> be disabled
Sure.
I use annotations, i.e.:
@Service
@Scope(value = ConfigurableBeanFactory.SCOPE_PROTOTYPE)
public class EmptyAction extends AbstractAction {
(AbstractAction extends ActionSupport)
In applicationContext:
I have used my own stack with:
-
The action config is still XML, like:
2017-03-13 16:25 GMT+01:00 Christian Grobmeier :
> Sure.
>
> I use annotations, i.e.:
>
> @Service
> @Scope(value = ConfigurableBeanFactory.SCOPE_PROTOTYPE)
> public class EmptyAction extends AbstractAction {
Looks like you have turned each action into a bean. Can you drop
Hello,
Tried to upload file, and always got the following errors:
Request exceeded allowed size limit! Max size allowed is: 2,097,152 but
request was: 2,463,633!
May I know where I missed the steps please?
struts.xml
extends="security-fix" strict-method-invocation="false">
What version of Struts are you using? There was a bug for a version that
limited the size, I believe.
On Mon, Mar 13, 2017 at 7:57 AM, Emi wrote:
> Hello,
>
> Tried to upload file, and always got the following errors:
>
> Request exceeded allowed size limit! Max size
I'm not sure, but I think the tomcat configuration is case sensitive.
Can you please try "maxPostSize" instead of "maxpostsize" in your connector
config?
Have updated to the following and succeeded this time (struts2: most
recent version).
(1) server.xml
Change to maxPostSize
(2)
On Mon, Mar 13, 2017, at 16:31, Lukasz Lenart wrote:
> 2017-03-13 16:25 GMT+01:00 Christian Grobmeier :
> > @Service
> > @Scope(value = ConfigurableBeanFactory.SCOPE_PROTOTYPE)
> > public class EmptyAction extends AbstractAction {
>
> Looks like you have turned each action
I'm not sure, but I think the tomcat configuration is case sensitive.
Can you please try "maxPostSize" instead of "maxpostsize" in your connector
config?
Best Regards
Johannes
web: http://www.jgeppert.com
twitter: http://twitter.com/jogep
2017-03-13 16:02 GMT+01:00 Christian Grobmeier :
> Hello all,
>
> I am trying to upgrade my Struts app from 2.5.1 to 2.5.10.1.
>
> I saw there are some changes in I18nInterceptor like that:
>
Hello all,
I am trying to upgrade my Struts app from 2.5.1 to 2.5.10.1.
I saw there are some changes in I18nInterceptor like that:
https://github.com/apache/struts/commit/ea92e95461386f1ddfda37bb09ec170b8e306ae7#diff-f9eff9d34d35d47f349c7fa0531e51bdR130
My actions extend from ActionSupport, which
Removing @Service helped. In addition I had to remove the remaining
Actions from applicationContext.xml (I am in the middle of a
transition).
It's kind of weird, because it worked with the previous version of
Struts. Was there a change in the injection behavior? I am glad I know
about @Service
2017-03-13 9:40 GMT+01:00 Tamás Barta :
> Hi,
>
> Is there any easy way to receive notification about new releases only?
> Especially I'm interested in security fixes. I can't see such mailing list.
You can subscribe to announcement list [1], then you will get only
2017-03-13 9:41 GMT+01:00 Tamás Barta :
> Hi,
>
> Is there any way to disable evaluating OGNL expressions in HTTP headers and
> request parameters?
There is no direct evaluation of request parameters nor headers. The
problem is that those values are often used by developers
Thanks for reporting back. I've added a notice about it to migration
guide.
This is the original wiki page, struts web page is generated from it:
https://cwiki.apache.org/confluence/display/WW/Struts+2.3+to+2.5+migration
Regards,
Christoph
> From: Paweł Wielgus
> To:
I mean I never want an HTTP header or parameter to be handled as an OGNL
expression and get evaluated. I would like it to be retrieved as it is. For
security purposes.
On Mon, Mar 13, 2017 at 9:44 AM, Lukasz Lenart
wrote:
> 2017-03-13 9:41 GMT+01:00 Tamás Barta
The security mechanism mentioned by Lukasz was added in mid 2014. Before
that it was possible to use new in OGNL expressions.
Regards,
Christoph
Vishal Jhagadiawala schrieb am 11.03.2017
00:16:03:
> From: Vishal Jhagadiawala
> To:
Thanks
On Mon, Mar 13, 2017 at 9:42 AM, Lukasz Lenart
wrote:
> 2017-03-13 9:40 GMT+01:00 Tamás Barta :
> > Hi,
> >
> > Is there any easy way to receive notification about new releases only?
> > Especially I'm interested in security fixes. I can't
2017-03-13 9:50 GMT+01:00 Tamás Barta :
> I mean I never want an HTTP header or parameter to be handled as an OGNL
> expression and get evaluated. I would like it to be retrieved as it is. For
> security purposes.
As I said, Struts doesn't evaluate incoming params as OGNL
Lukasz, I don't write it to blame you. I very much appreciate your work.
I just write to this list because it seems to me that these OGNL
expressions are evaluated before my code is executed and I wonder if it can
be disabled anyhow.
Can I turn off these auto-evaluated things if I don't need them at
Hi,
Is there any easy way to receive notification about new releases only?
Especially I'm interested in security fixes. I can't see such mailing list.
Thanks,
Tamás
Hi,
Is there any way to disable evaluating OGNL expressions in HTTP headers and
request parameters?
Thanks,
Tamás
Interesting, I don't do such things. I write down the stack trace from
where it is executed (in 2.5.2).
This is the interesting part, there is no code of mine there.
StrutsPrepareAndExecuteFilter:100 // boolean handled = execute.executeStaticResourceRequest(request, response);
->
2017-03-13 10:43 GMT+01:00 Tamás Barta :
> Interesting, I don't do such things. I write down the stack trace from
> where it is executed (in 2.5.2).
> This is the interesting part, there is no code of mine there.
>
> StrutsPrepareAndExecuteFilter:100 //
This is very urgent !
This is regarding a project upgrade where I need to stick with Struts 1 and I
need Tiles 2 as the Spring framework is getting upgraded.
If you have already built the struts-tiles2-1.4.0-SNAPSHOT.jar can you pls send
the same to me? I also have a very different upgrade
This is very urgent
This is regarding a project upgrade where I need to stick with Struts 1 and I
need Tiles 2 as the Spring framework is getting upgraded.
If you have already built the struts-tiles2-1.4.0-SNAPSHOT.jar can you pls send
the same to me? I also have a very different upgrade here.
Sorry, one more thing.
With removing the @Service annotation I delegated the instantiation of
the Actions to Struts as the Spring component scanner will not find my
Bean any more. Struts - to my knowledge - will somehow create the bean
using Spring too.
The problem to use the applicationContext
On Mon, Mar 13, 2017, at 18:26, Lukasz Lenart wrote:
> 2017-03-13 17:55 GMT+01:00 Christian Grobmeier :
> > Removing @Service helped. In addition I had to remove the remaining
> > Actions from applicationContext.xml (I am in the middle of a
> > transition).
> >
> > It's
2017-03-13 19:03 GMT+01:00 Christian Grobmeier :
> Sorry, one more thing.
>
> With removing the @Service annotation I delegated the instantiation of
> the Actions to Struts as the Spring component scanner will not find my
> Bean any more. Struts - to my knowledge - will
2017-03-13 17:55 GMT+01:00 Christian Grobmeier :
> Removing @Service helped. In addition I had to remove the remaining
> Actions from applicationContext.xml (I am in the middle of a
> transition).
>
> It's kind of weird, because it worked with the previous version of
> Struts.
2017-03-13 21:51 GMT+01:00 Christian Grobmeier :
> OK, using component scan I had success with using DefaultLocaleProvider
> as default in my applicationContext.xml:
> class="com.opensymphony.xwork2.DefaultLocaleProvider" primary="true" />
>
> (mind the primary)
>
> So far
https://issues.apache.org/jira/browse/WW-4756
I know that this is for TextProvider but the same approach I can use
for LocaleProvider
2017-03-14 6:53 GMT+01:00 Lukasz Lenart :
> 2017-03-13 21:51 GMT+01:00 Christian Grobmeier :
>> OK, using component
On Mon, Mar 13, 2017, at 19:08, Lukasz Lenart wrote:
> 2017-03-13 19:03 GMT+01:00 Christian Grobmeier :
> > Whether @Service was right or not, I need to somehow tell Spring how to
> > find my beans (i.e. @Component).
> > I can understand Spring's confusion, when it realizes
OK, using component scan I had success with using DefaultLocaleProvider
as default in my applicationContext.xml:
(mind the primary)
So far it makes halfway sense to me. A few tests fail still because they
access getText and do not receive a context. Digging into this
On Mon, Mar 13, 2017, at