Re: OGNL expressions in headers and parameters

2017-03-13 Thread Paweł Wielgus
Hi Thomás, aren't you testing old vulnerable version? If so, try the new one. -- Regards, Paweł Wielgus. tel: +48 604 603 546 2017-03-13 10:54 GMT+01:00 Tamás Barta : > Lukasz, I don't write it to blame you. I very much appreciate your work. > > I just write to this list

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Lukasz Lenart
2017-03-13 10:54 GMT+01:00 Tamás Barta : > Lukasz, I don't write it to blame you. I very much appreciate your work. > > I just write to this list because it seems to me that these OGNL > expressions are evaluated before my code is executed and I wonder if it can > be disabled

Re: LocaleProvder not unique

2017-03-13 Thread Christian Grobmeier
Sure. I use annotations, i.e.: @Service @Scope(value = ConfigurableBeanFactory.SCOPE_PROTOTYPE) public class EmptyAction extends AbstractAction { (AbstractAction extends ActionSupport) In applicationContext: I have used my own stack with: - The action config is still xml. like:

Re: LocaleProvder not unique

2017-03-13 Thread Lukasz Lenart
2017-03-13 16:25 GMT+01:00 Christian Grobmeier : > Sure. > > I use annotations, i.e.: > > @Service > @Scope(value = ConfigurableBeanFactory.SCOPE_PROTOTYPE) > public class EmptyAction extends AbstractAction { Looks like you have turned each action into a bean. Can you drop

Request exceeded allowed size limit! Max size allowed is: 2,097,152

2017-03-13 Thread Emi
Hello, Tried to upload file, and always got the following errors: Request exceeded allowed size limit! Max size allowed is: 2,097,152 but request was: 2,463,633! May I know where I missed the steps please? struts.xml extends="security-fix" strict-method-invocation="false">

Re: Request exceeded allowed size limit! Max size allowed is: 2,097,152

2017-03-13 Thread Adam Brin
What version of struts are you using? There was a bug for a version that limited the size, I believe. On Mon, Mar 13, 2017 at 7:57 AM, Emi wrote: > Hello, > > Tried to upload file, and always got the following errors: > > Request exceeded allowed size limit! Max size

Re: Request exceeded allowed size limit! Max size allowed is: 2,097,152

2017-03-13 Thread Emi
I'm not sure, but I think the tomcat configuration is case sensitive. Can you please try "maxPostSize" instead of "maxpostsize" in your connector config? Have updated to the following and succeeded this time (struts2: most recent version). (1) server.xml Change to maxPostSize (2)

Re: LocaleProvder not unique

2017-03-13 Thread Christian Grobmeier
On Mon, Mar 13, 2017, at 16:31, Lukasz Lenart wrote: > 2017-03-13 16:25 GMT+01:00 Christian Grobmeier : > > @Service > > @Scope(value = ConfigurableBeanFactory.SCOPE_PROTOTYPE) > > public class EmptyAction extends AbstractAction { > > Looks like you have turned each action

Re: Request exceeded allowed size limit! Max size allowed is: 2,097,152

2017-03-13 Thread Johannes Geppert
I'm not sure, but I think the tomcat configuration is case sensitive. Can you please try "maxPostSize" instead of "maxpostsize" in your connector config? Best Regards Johannes # web: http://www.jgeppert.com twitter: http://twitter.com/jogep

Re: LocaleProvder not unique

2017-03-13 Thread Lukasz Lenart
2017-03-13 16:02 GMT+01:00 Christian Grobmeier : > Hello all, > > I am trying to upgrade my Struts app from 2.5.1 to 2.5.10.1. > > I saw there are some changes in I18nInterceptor like that: >

LocaleProvder not unique

2017-03-13 Thread Christian Grobmeier
Hello all, I am trying to upgrade my Struts app from 2.5.1 to 2.5.10.1. I saw there are some changes in I18nInterceptor like that: https://github.com/apache/struts/commit/ea92e95461386f1ddfda37bb09ec170b8e306ae7#diff-f9eff9d34d35d47f349c7fa0531e51bdR130 My actions extend from ActionSupport, which

Re: LocaleProvder not unique

2017-03-13 Thread Christian Grobmeier
Removing @Service helped. In addition I had to remove the remaining Actions from applicationContext.xml (I am in the middle of a transition). It's kind of weird, because it worked with the previous version of Struts. Was there a change in the injection behavior? I am glad I know about @Service

Re: New releases

2017-03-13 Thread Lukasz Lenart
2017-03-13 9:40 GMT+01:00 Tamás Barta : > Hi, > > Is there any easy way to receive notification about new releases only? > Especially I'm interested in security fixes. I can't see such a mailing list. You can subscribe to announcement list [1], then you will get only

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Lukasz Lenart
2017-03-13 9:41 GMT+01:00 Tamás Barta : > Hi, > > Is there any way to disable evaluating OGNL expressions in HTTP headers and > request parameters? There is no direct evaluation of request parameters nor headers. The problem is that those values are often used by developers

Re: Struts 2.3.28 and Tiles issue

2017-03-13 Thread Christoph Nenning
Thanks for reporting back. I've added a notice about it to migration guide. This is the original wiki page, struts web page is generated from it: https://cwiki.apache.org/confluence/display/WW/Struts+2.3+to+2.5+migration Regards, Christoph > From: Paweł Wielgus > To:

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Tamás Barta
I mean I never want an HTTP header or parameter to be handled as an OGNL expression and get evaluated. I would like it to be retrieved as it is. For security purposes. On Mon, Mar 13, 2017 at 9:44 AM, Lukasz Lenart wrote: > 2017-03-13 9:41 GMT+01:00 Tamás Barta

Re: issue with getting current date using date tag in latest struts 2.3.3X

2017-03-13 Thread Christoph Nenning
The security mechanism mentioned by Lukasz was added in mid 2014. Before that it was possible to use new in OGNL expressions. Regards, Christoph Vishal Jhagadiawala wrote on 11.03.2017 00:16:03: > From: Vishal Jhagadiawala > To:

Re: New releases

2017-03-13 Thread Tamás Barta
Thanks On Mon, Mar 13, 2017 at 9:42 AM, Lukasz Lenart wrote: > 2017-03-13 9:40 GMT+01:00 Tamás Barta : > > Hi, > > > > Is there any easy way to receive notification about new releases only? > > Especially I'm interested in security fixes. I can't

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Lukasz Lenart
2017-03-13 9:50 GMT+01:00 Tamás Barta : > I mean I never want an HTTP header or parameter to be handled as an OGNL > expression and get evaluated. I would like it to be retrieved as it is. For > security purposes. As I said, Struts doesn't evaluate incoming params as OGNL

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Tamás Barta
Lukasz, I don't write it to blame you. I very much appreciate your work. I just write to this list because it seems to me that these OGNL expressions are evaluated before my code is executed and I wonder if it can be disabled anyhow. Can I turn off these auto-evaluated things if I don't need them at

New releases

2017-03-13 Thread Tamás Barta
Hi, Is there any easy way to receive notification about new releases only? Especially I'm interested in security fixes. I can't see such a mailing list. Thanks, Tamás

OGNL expressions in headers and parameters

2017-03-13 Thread Tamás Barta
Hi, Is there any way to disable evaluating OGNL expressions in HTTP headers and request parameters? Thanks, Tamás

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Tamás Barta
Interesting, I don't do such things. I write down the stack trace from where it is executed (in 2.5.2). This is the interesting part, there is none of my code there. StrutsPrepareAndExecuteFilter:100 // boolean handled = execute.executeStaticResourceRequest(request, response); ->

Re: OGNL expressions in headers and parameters

2017-03-13 Thread Lukasz Lenart
2017-03-13 10:43 GMT+01:00 Tamás Barta : > Interesting, I don't do such things. I write down the stack trace from > where it is executed (in 2.5.2). > This is the interesting part, there is none of my code there. > > StrutsPrepareAndExecuteFilter:100 //

RE: Struts 1.x and Strtus2.x With Tiles 2.x

2017-03-13 Thread Kokkodan Venu
This is very urgent! This is regarding a project upgrade where I need to stick with Struts 1 and I need Tiles 2 as the Spring framework is getting upgraded. If you have already built the struts-tiles2-1.4.0-SNAPSHOT.jar can you pls send the same to me? I also have a very different upgrade

Re: Using tiles 2 with struts 1

2017-03-13 Thread Kokkodan Venu
This is very urgent. This is regarding a project upgrade where I need to stick with Struts 1 and I need Tiles 2 as the Spring framework is getting upgraded. If you have already built the struts-tiles2-1.4.0-SNAPSHOT.jar can you pls send the same to me? I also have a very different upgrade here.

Re: LocaleProvder not unique

2017-03-13 Thread Christian Grobmeier
Sorry, one more thing. With removing the @Service annotation I delegated the instantiation of the Actions to Struts as the Spring component scanner will not find my Bean any more. Struts - to my knowledge - will somehow create the bean using Spring too. The problem to use the applicationContext

Re: LocaleProvder not unique

2017-03-13 Thread Christian Grobmeier
On Mon, Mar 13, 2017, at 18:26, Lukasz Lenart wrote: > 2017-03-13 17:55 GMT+01:00 Christian Grobmeier : > > Removing @Service helped. In addition I had to remove the remaining > > Actions from applicationContext.xml (I am in the middle of a > > transition). > > > > It's

Re: LocaleProvder not unique

2017-03-13 Thread Lukasz Lenart
2017-03-13 19:03 GMT+01:00 Christian Grobmeier : > Sorry, one more thing. > > With removing the @Service annotation I delegated the instantiation of > the Actions to Struts as the Spring component scanner will not find my > Bean any more. Struts - to my knowledge - will

Re: LocaleProvder not unique

2017-03-13 Thread Lukasz Lenart
2017-03-13 17:55 GMT+01:00 Christian Grobmeier : > Removing @Service helped. In addition I had to remove the remaining > Actions from applicationContext.xml (I am in the middle of a > transition). > > It's kind of weird, because it worked with the previous version of > Struts.

Re: LocaleProvder not unique

2017-03-13 Thread Lukasz Lenart
2017-03-13 21:51 GMT+01:00 Christian Grobmeier : > OK, using component scan I had success with using DefaultLocaleProvider > as default in my applicationContext.xml: > class="com.opensymphony.xwork2.DefaultLocaleProvider" primary="true" /> > > (mind the primary) > > So far

Re: LocaleProvder not unique

2017-03-13 Thread Lukasz Lenart
https://issues.apache.org/jira/browse/WW-4756 I know that this is for TextProvider but the same approach I can use for LocaleProvider 2017-03-14 6:53 GMT+01:00 Lukasz Lenart : > 2017-03-13 21:51 GMT+01:00 Christian Grobmeier : >> OK, using component

Re: LocaleProvder not unique

2017-03-13 Thread Christian Grobmeier
On Mon, Mar 13, 2017, at 19:08, Lukasz Lenart wrote: > 2017-03-13 19:03 GMT+01:00 Christian Grobmeier : > > Whether @Service was right or not, I need to somehow tell Spring how to > > find my beans (i.e. @Component). > > I can understand Spring's confusion, when it realizes

Re: LocaleProvder not unique

2017-03-13 Thread Christian Grobmeier
OK, using component scan I had success with using DefaultLocaleProvider as default in my applicationContext.xml: (mind the primary) So far it makes halfway sense to me. A few tests fail still because they access getText and do not receive a context. Digging into this On Mon, Mar 13, 2017, at