Author: lukaszlenart
Date: Tue Sep 1 06:16:08 2015
New Revision: 963803
Log:
Updates production
Modified:
websites/production/struts/content/docs/dispatcher-result.html
websites/production/struts/content/docs/localization.html
websites/production/struts/content/docs/s2-025.html
Modified: websites/production/struts/content/docs/dispatcher-result.html
==============================================================================
--- websites/production/struts/content/docs/dispatcher-result.html (original)
+++ websites/production/struts/content/docs/dispatcher-result.html Tue Sep 1
06:16:08 2015
@@ -138,16 +138,32 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent">
-<div class="error"><span class="error">Error formatting macro: snippet:
java.lang.IndexOutOfBoundsException: Index: 20, Size: 20</span> </div>
-
-<h2 id="DispatcherResult-Parameters">Parameters</h2>
-
-<div class="error"><span class="error">Error formatting macro: snippet:
java.lang.IndexOutOfBoundsException: Index: 20, Size: 20</span> </div>
-
-<h2 id="DispatcherResult-Examples">Examples</h2>
-
-<div class="error"><span class="error">Error formatting macro: snippet:
java.lang.IndexOutOfBoundsException: Index: 20, Size: 20</span> </div></div>
+ <div id="ConfluenceContent"><p></p><p>
+Includes or forwards to a view (usually a jsp). Behind the scenes Struts
+will use a RequestDispatcher, where the target servlet/JSP receives the same
+request/response objects as the original servlet/JSP. Therefore, you can pass
+data between them using request.setAttribute() - the Struts action is
+available.
+</p>
+
+<p></p><p>
+There are three possible ways the result can be executed:
+</p>
+
+<p></p><ul></ul><p></p><ul><li>If we are in the scope of a JSP (a PageContext
is available), PageContext's
+{@link PageContext#include(String) include} method is
called.</li></ul><p></p><ul><li>If there is no PageContext and we're not in any
sort of include (there is no
+"javax.servlet.include.servlet_path" in the request attributes), then a call to
+{@link RequestDispatcher#forward(javax.servlet.ServletRequest,
javax.servlet.ServletResponse) forward}
+is made.</li></ul><p></p><ul><li>Otherwise, {@link
RequestDispatcher#include(javax.servlet.ServletRequest,
javax.servlet.ServletResponse) include}
+is called.</li></ul><p></p><h2
id="DispatcherResult-Parameters">Parameters</h2><p>
+</p><p></p><ul></ul><p></p><ul><li><b>location (default)</b> - the location to
go to after execution (ex. jsp).</li></ul><p></p><ul><li><b>parse</b> - true by
default. If set to false, the location param will not be parsed for Ognl
expressions.</li></ul><p></p>
+<h2 id="DispatcherResult-Examples">Examples</h2><p></p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="brush: xml; gutter: false; theme: Default"
type="syntaxhighlighter"><![CDATA[
+<result name="success" type="dispatcher">
+ <param name="location">foo.jsp</param>
+</result>
+]]></script>
+</div></div></div>
</div>
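Review bot: The regenerated body of dispatcher-result.html leaks unrendered Javadoc tags into the published page: the three bullets under "There are three possible ways the result can be executed" contain the literal text `{@link PageContext#include(String) include}`, `{@link RequestDispatcher#forward(javax.servlet.ServletRequest, javax.servlet.ServletResponse) forward}` and `{@link RequestDispatcher#include(...) include}`, which readers will see verbatim; the snippet macro should turn these into plain text or links before the page is exported. The same region emits one `<ul>` per `<li>` separated by empty `<p></p>` and `<ul></ul>` pairs (`<p></p><ul></ul><p></p><ul><li>...</li></ul><p></p><ul><li>...`), so the three execution modes and the two parameters each render as a series of single-item lists rather than one list; collapse each group into a single `<ul>` and drop the empty elements. While the Parameters section is being rewritten, it would help to say explicitly that `location` is evaluated as an OGNL expression when `parse` is left at its default of true, so that the description of `parse=false` reads as the setting to use when the location is not a fixed, trusted string.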
Modified: websites/production/struts/content/docs/localization.html
==============================================================================
--- websites/production/struts/content/docs/localization.html (original)
+++ websites/production/struts/content/docs/localization.html Tue Sep 1
06:16:08 2015
@@ -138,10 +138,19 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h2
id="Localization-Overview">Overview</h2><p>The framework supports
internationalization (i18n) in the following places:</p><ol><li>the <a
shape="rect" href="ui-tags.html">UI Tags</a></li><li>Messages and Errors from
the <a shape="rect" class="external-link"
href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ValidationAware.html">ValidationAware</a>
interface (implemented by <a shape="rect" class="external-link"
href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ActionSupport.html">ActionSupport</a>
and <a shape="rect" class="external-link"
href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ValidationAwareSupport.html">ValidationAwareSupport</a>)</li><li>Within
action classes that extend <a shape="rect" class="external-link"
href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/A
ctionSupport.html">ActionSupport</a> through the getText() method</li></ol><h2
id="Localization-ResourceBundleSearchOrder">Resource Bundle Search
Order</h2><p></p><p>Resource bundles are searched in the following order:</p>
+ <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1441088113804 {padding: 0px;}
+div.rbtoc1441088113804 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1441088113804 li {margin-left: 0px;padding-left: 0px;}
+
+/*]]>*/</style></p><div class="toc-macro rbtoc1441088113804">
+<ul class="toc-indentation"><li><a shape="rect"
href="#Localization-Overview">Overview</a></li><li><a shape="rect"
href="#Localization-ResourceBundleSearchOrder">Resource Bundle Search Order</a>
+<ul class="toc-indentation"><li><a shape="rect"
href="#Localization-Defaultaction'sclass">Default action's class</a></li><li><a
shape="rect" href="#Localization-UsinggetTextfromaTag">Using getText from a
Tag</a></li><li><a shape="rect" href="#Localization-Usingthetexttag">Using the
text tag</a></li><li><a shape="rect" href="#Localization-UsingtheI18ntag">Using
the I18n tag</a></li><li><a shape="rect"
href="#Localization-UsingtheKeyattributeofUITags">Using the Key attribute of UI
Tags</a></li></ul>
+</li><li><a shape="rect" href="#Localization-I18nInterceptor">I18n
Interceptor</a></li><li><a shape="rect"
href="#Localization-GlobalResources(struts.custom.i18n.resources)instruts.properties">Global
Resources (struts.custom.i18n.resources) in struts.properties</a></li><li><a
shape="rect" href="#Localization-FormattingDatesandNumbers">Formatting Dates
and Numbers</a></li><li><a shape="rect"
href="#Localization-ComparisonwithStruts1">Comparison with Struts
1</a></li><li><a shape="rect" href="#Localization-Next:">Next: Type
Conversion</a></li></ul>
+</div><h2 id="Localization-Overview">Overview</h2><p>The framework supports
internationalization (i18n) in the following places:</p><ol><li>the <a
shape="rect" href="ui-tags.html">UI Tags</a></li><li>Messages and Errors from
the <a shape="rect" class="external-link"
href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ValidationAware.html">ValidationAware</a>
interface (implemented by <a shape="rect" class="external-link"
href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ActionSupport.html">ActionSupport</a>
and <a shape="rect" class="external-link"
href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ValidationAwareSupport.html">ValidationAwareSupport</a>)</li><li>Within
action classes that extend <a shape="rect" class="external-link"
href="http://struts.apache.org/2.0.6/struts2-core/apidocs/index.html?com/opensymphony/xwork2/ActionSupport.html">ActionSupport</
a> through the getText() method</li></ol><h2
id="Localization-ResourceBundleSearchOrder">Resource Bundle Search
Order</h2><p></p><p></p><p>Resource bundles are searched in the following
order:</p>
<p></p><ol><li>ActionClass.properties</li><li>Interface.properties (every
interface and sub-interface)</li><li>BaseClass.properties (all the way to
Object.properties)</li><li>ModelDriven's model (if implements ModelDriven), for
the model object repeat from 1</li><li>package.properties (of the directory
where class is located and every parent directory all the way to the root
directory)</li><li>search up the i18n message key hierarchy
itself</li><li>global resource properties</li></ol>
-<p>For more, see the LocalizedTextUtil class.</p><div
class="confluence-information-macro confluence-information-macro-tip"><p
class="title">Package hierarchy</p><span class="aui-icon aui-icon-small
aui-iconfont-approve confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p></p><p>To clarify #5, while
traversing the package hierarchy, Struts 2 will look for a file
package.properties:</p>
+For more, see the LocalizedTextUtil class.<div
class="confluence-information-macro confluence-information-macro-tip"><p
class="title">Package hierarchy</p><span class="aui-icon aui-icon-small
aui-iconfont-approve confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p></p><p></p><p>To clarify #5, while
traversing the package hierarchy, Struts 2 will look for a file
package.properties:</p>
com/<br clear="none">
  acme/<br clear="none">
    package.properties<br clear="none">
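Review bot: The replacement line `+For more, see the LocalizedTextUtil class.<div` dropped the `<p>...</p>` that wrapped this sentence in the removed version, so the text now sits as a bare text node directly inside `ConfluenceContent` immediately before the tip box; restore `<p>For more, see the LocalizedTextUtil class.</p>`. Two smaller points in the same hunk: the table-of-contents stylesheet is emitted inside a paragraph (`<p><style type="text/css">/*<![CDATA[*/ ... /*]]>*/</style></p>`), which is not a valid place for a `<style>` element, and the generated class name `rbtoc1441088113804` embeds a timestamp, so every re-export will rewrite these lines even when nothing on the page changed; a stable class name would keep production diffs limited to real content changes. The new version also grows the run of empty paragraphs before "Resource bundles are searched in the following order" from one `<p></p>` to two, and the same happens before "To clarify #5" inside the tip box.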
@@ -184,7 +193,7 @@ not found com/acme/package.properties, i
]]></script>
</div></div><div class="confluence-information-macro
confluence-information-macro-tip"><span class="aui-icon aui-icon-small
aui-iconfont-approve confluence-information-macro-icon"></span><div
class="confluence-information-macro-body"><p>Internationalizing SiteMesh
decorators is possible, but there are quirks. See <a shape="rect"
href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=33343">SiteMesh
Plugin</a> for more.</p></div></div><h3
id="Localization-UsingtheKeyattributeofUITags">Using the Key attribute of UI
Tags</h3><p>The key attribute of most UI tags can be used to retrieve a message
from a resource bundle:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;"><s:textfield key="some.key"
name="textfieldName"/></pre>
-</div></div><h2 id="Localization-I18nInterceptor">I18n
Interceptor</h2><p>Essentially, the i18n Interceptor pushes a locale into the
ActionContext map upon every request. The framework components that support
localization all utilize the ActionContext locale. See <a shape="rect"
href="i18n-interceptor.html">I18n Interceptor</a> for details.</p><h2
id="Localization-GlobalResources(struts.custom.i18n.resources)instruts.properties">Global
Resources (struts.custom.i18n.resources) in
<code>struts.properties</code></h2><p></p><p>
+</div></div><h2 id="Localization-I18nInterceptor">I18n
Interceptor</h2><p>Essentially, the i18n Interceptor pushes a locale into the
ActionContext map upon every request. The framework components that support
localization all utilize the ActionContext locale. See <a shape="rect"
href="i18n-interceptor.html">I18n Interceptor</a> for details.</p><h2
id="Localization-GlobalResources(struts.custom.i18n.resources)instruts.properties">Global
Resources (struts.custom.i18n.resources) in
<code>struts.properties</code></h2><p></p><p></p><p>
A global resource bundle could be specified programmatically, as well as the
locale.
</p><h2 id="Localization-FormattingDatesandNumbers">Formatting Dates and
Numbers</h2><p>See <a shape="rect"
href="formatting-dates-and-numbers.html">Formatting Dates and Numbers</a> for
more details and examples.</p><h2
id="Localization-ComparisonwithStruts1">Comparison with Struts 1</h2><p>Struts
1 users should be familiar with the application.properties resource bundle,
where you can put all the messages in the application that are going to be
translated. Struts 2, though, splits the resource bundles per action or model
class, and you may end up with duplicated messages in those resource bundles. A
quick fix for that is to create a file called ActionSupport.properties in
com/opensymphony/xwork2 and put it on your classpath. This will only work well
if all your actions subclass XWork2's ActionSupport.</p><h2
id="Localization-Next:">Next: <a shape="rect" href="type-conversion.html">Type
Conversion</a></h2></div>
</div>
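Review bot: The only change in this hunk is one more empty paragraph: `<p></p><p>` before "A global resource bundle could be specified programmatically" becomes `<p></p><p></p><p>`. Together with the first hunk this suggests the exporter appends an empty `<p></p>` on every run instead of stripping them, which adds spurious vertical space to the rendered page and noise to every production update; removing empty `<p></p>` elements in the export step would make hunks like this one disappear entirely.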
Modified: websites/production/struts/content/docs/s2-025.html
==============================================================================
--- websites/production/struts/content/docs/s2-025.html (original)
+++ websites/production/struts/content/docs/s2-025.html Tue Sep 1 06:16:08 2015
@@ -125,7 +125,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h2
id="S2-025-Summary">Summary</h2>Cross-Site Scripting Vulnerability in Debug
Mode<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read
this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2
developers and users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p><span>A</span><span>ffects of a cross-site
scripting vulnerability </span>when debug mode is switched on in production
environment.</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Turn off debug mode in production
environment. An upgr
ade to <a shape="rect" class="external-link"
href="http://struts.apache.org/download.cgi#struts2320">Struts 2.3.20</a> is
recommended.</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.16.3</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">Taki
Uchiyama, JPCERT/CC</span></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2015-5169</p></td></tr></tbody></table></div><h2
id="S2-025-Problem">Problem</h2><p>When the Struts2 debug mode is turned on,
under certain conditions an arbitrary script may be executed in the
'Problem Report' screen.</p><h2 id="S2-025-Solution">Solution</h2><p>It is g
enerally not advisable to have debug mode switched on outside of the
development environment. Debug mode should always be turned off in production
setup. Also never expose JSPs files directly and hide them
inside <code>WEB-INF</code> folder or define dedicated security
constraints to block access to raw JSP files. Please also ready
our <a shape="rect" href="security.html">Security</a> guide - it
contains useful informations how to secure your application.</p><p>Struts >=
2.3.20 is not vulnerable to this attack. We recommend upgrading to Struts
2.3.20 or higher.</p><h2 id="S2-025-Backwardcompatibility">Backward
compatibility</h2><p>No backward compatibility problems are expected.</p><h2
id="S2-025-Workaround">Workaround</h2><p>Upgrade to Struts 2.3.20</p><p><span
style="font-size: 14.0px;line-height: 1.4285715;"><br
clear="none"></span></p></div>
+ <div id="ConfluenceContent"><h2
id="S2-025-Summary">Summary</h2>Cross-Site Scripting Vulnerability in Debug
Mode and in exposed JSP files<div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Who should read this</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and
users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p><span>A</span><span>ffects of a cross-site
scripting vulnerability </span>when debug mode is switched on or JSPs are
exposed in production environment.</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Turn off
debug mode in production environment, apply tips from Security guideline to
secure JSPs. An upgrade to <a shape="rect" class="external-link"
href="http://struts.apache.org/download.cgi#struts2320">Struts 2.3.20</a> is
recommended.</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.16.3</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);"><span
style="color: rgb(34,34,34);">Takayoshi Isayama, Mitsui Bussan Secure
Directions, Inc. (vulnerability with JSPs)</span></span></p><p><span
style="color: rgb(34,34,34);">anonymous (vulnerability with
devMode)</span></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceT
d"><p>CVE-2015-5169</p></td></tr></tbody></table></div><h2
id="S2-025-Problem">Problem</h2><p>When the Struts2 debug mode is turned on,
under certain conditions an arbitrary script may be executed in the
'Problem Report' screen. Also if JSP files are exposed to be accessed directly
it's possible to execute an arbitrary script.</p><h2
id="S2-025-Solution">Solution</h2><p>It is generally not advisable to have
debug mode switched on outside of the development environment. Debug mode
should always be turned off in production setup. Also never expose JSPs files
directly and hide them inside <code>WEB-INF</code> folder or define
dedicated security constraints to block access to raw JSP files. Please
also read our <a shape="rect" href="security.html">Security</a> guide
- it contains useful informations how to secure your application.</p><p>Struts
>= 2.3.20 is not vulnerable to this attack. We recommend upgrading to Struts
2.3.20 or higher.</p><h2 id="S2-025
-Backwardcompatibility">Backward compatibility</h2><p>No backward
compatibility problems are expected.</p><h2
id="S2-025-Workaround">Workaround</h2><p>Upgrade to Struts 2.3.20</p><p><span
style="font-size: 14.0px;line-height: 1.4285715;"><br
clear="none"></span></p></div>
</div>
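Review bot: The Workaround section (`<h2 id="S2-025-Workaround">Workaround</h2><p>Upgrade to Struts 2.3.20</p>`) still only repeats the upgrade advice, although this revision adds two genuine mitigations in the Recommendation and Solution text: turning debug mode off in production, and keeping JSP files under `WEB-INF` or behind dedicated security constraints so they cannot be requested directly. Listing those two measures under Workaround would give users who cannot upgrade immediately guidance that matches the newly added "exposed JSP files" vector. Smaller issues carried over unchanged from the removed version: the Affected Software cell reads `Struts 2.0.0 - Struts <span ...>Struts 2.3.16.3</span>` (duplicated "Struts"), the Solution paragraph says "useful informations how to secure" (should be "useful information on how to secure"), and the page ends with an empty `<p><span style="font-size: 14.0px;..."><br clear="none"></span></p>`. The affected range also stops at 2.3.16.3 while the fixed version is given as 2.3.20; if no releases lie between them, stating the range as "up to and including 2.3.16.3" would remove the apparent gap.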