Author: lukaszlenart
Date: Thu Mar 17 08:32:29 2016
New Revision: 982993

Log:
Updates production

Added:
    websites/production/struts/content/docs/version-notes-2326.html
Removed:
    websites/production/struts/content/docs/version-notes-2325.html
Modified:
    websites/production/struts/content/docs/s2-028.html
    websites/production/struts/content/docs/s2-029.html
    websites/production/struts/content/docs/s2-030.html
    websites/production/struts/content/docs/security.html

Modified: websites/production/struts/content/docs/s2-028.html
==============================================================================
--- websites/production/struts/content/docs/s2-028.html (original)
+++ websites/production/struts/content/docs/s2-028.html Thu Mar 17 08:32:29 2016
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 
id="S2-028-Summary">Summary</h2>Use of a JRE with broken URLDecoder 
implementation may lead to XSS vulnerability in Struts 2 based web 
applications.<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Affects of a cross-site scripting 
vulnerability.</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Upgrade runtime JRE to a recent major 
version, preferably 1.8. 
 Alternatively upgrade to <a shape="rect" class="external-link" 
href="http://struts.apache.org/download.cgi#struts2325";>Struts 
2.3.25</a></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: 
rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>WhiteHat Security (<a shape="rect" 
class="external-link" href="http://whitehatsec.com"; 
rel="nofollow">whitehatsec.com</a>)</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p><span style="color: 
rgb(34,34,34);">-</span></p></td></tr></tbody></table></div><h2 
id="S2-028-Problem">Problem</h2><p>When using a single byte page encoding such 
as ISO-8895-1, an attacker might submit a non-spec URL-encoded p
 arameter value including multi-byte characters.</p><p>Struts 2 used the 
standard JRE URLDecoder to decode parameter values.&#160;<span>Especially JRE 
1.5's URLDecoder implementation seems to be broken to the point that this 
non-spec encoding isn't rejected / filtered. In later JREs the issue was fixed, 
best known solution is found in JRE 1.8.</span></p><h2 
id="S2-028-Solution">Solution</h2><p>Upgrade runtime JRE/JDK, preferably to the 
most recent 1.8 version.</p><p>Alternatively&#160;<span style="line-height: 
1.42857;">upgrade to Struts 2.3.25, which includes and uses a safe URLDecoder 
implementation from Apache Tomcat</span></p><h2 
id="S2-028-Backwardcompatibility">Backward compatibility</h2><p>No issues 
expected when upgrading to Struts 2.3.25</p><h2 
id="S2-028-Workaround">Workaround</h2><p>Use UTF-8 for page and parameter 
encoding.</p><h2 id="S2-028-FurtherReference">Further Reference</h2><p><style>
+            <div id="ConfluenceContent"><h2 
id="S2-028-Summary">Summary</h2>Use of a JRE with broken URLDecoder 
implementation may lead to XSS vulnerability in Struts 2 based web 
applications.<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Affects of a cross-site scripting 
vulnerability.</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Upgrade runtime JRE to a recent major 
version, preferably 1.8. 
 Alternatively upgrade to <a shape="rect" href="version-notes-2326.html">Struts 
2.3.26</a></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: 
rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>WhiteHat Security (<a shape="rect" 
class="external-link" href="http://whitehatsec.com"; 
rel="nofollow">whitehatsec.com</a>)</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p><span style="color: 
rgb(34,34,34);">-</span></p></td></tr></tbody></table></div><h2 
id="S2-028-Problem">Problem</h2><p>When using a single byte page encoding such 
as ISO-8895-1, an attacker might submit a non-spec URL-encoded parameter value 
including multi-byte characters.
 </p><p>Struts 2 used the standard JRE URLDecoder to decode parameter 
values.&#160;<span>Especially JRE 1.5's URLDecoder implementation seems to be 
broken to the point that this non-spec encoding isn't rejected / filtered. In 
later JREs the issue was fixed, best known solution is found in JRE 
1.8.</span></p><h2 id="S2-028-Solution">Solution</h2><p>Upgrade runtime 
JRE/JDK, preferably to the most recent 1.8 
version.</p><p>Alternatively&#160;<span style="line-height: 1.42857;">upgrade 
to Struts 2.3.26, which includes and uses a safe URLDecoder implementation from 
Apache Tomcat</span></p><h2 id="S2-028-Backwardcompatibility">Backward 
compatibility</h2><p>No issues expected when upgrading to Struts 2.3.26</p><h2 
id="S2-028-Workaround">Workaround</h2><p>Use UTF-8 for page and parameter 
encoding.</p><h2 id="S2-028-FurtherReference">Further Reference</h2><p><style>
     .jira-issue {
         padding: 0 0 0 2px;
         line-height: 20px;
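Review bot: the rewritten Summary table at the `+` line still carries the errors of the line it replaces, and since this change only swaps 2.3.25 for 2.3.26 it is the moment to fix them: the Problem section's `ISO-8895-1` should be `ISO-8859-1`, the Impact cell `Affects of a cross-site scripting vulnerability.` should read `Cross-site scripting vulnerability.`, and the Affected Software cell repeats the product name (`Struts 2.0.0 - Struts Struts 2.3.24.1`). The Recommendation link now points at the relative `version-notes-2326.html` instead of `download.cgi#struts2325`, which is right given that this commit removes `version-notes-2325.html`; worth grepping the rest of the site for leftover references to the 2.3.25 notes or that download anchor before publishing.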

Modified: websites/production/struts/content/docs/s2-029.html
==============================================================================
--- websites/production/struts/content/docs/s2-029.html (original)
+++ websites/production/struts/content/docs/s2-029.html Thu Mar 17 08:32:29 2016
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 
id="S2-029-Summary">Summary</h2>Double OGNL evaluation when using raw user 
input in tag's attributes.<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution 
vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Always validate incoming parameters' values 
when re-assigning them to certain Struts' tags attributes. Alternative
 ly upgrade to <a shape="rect" class="external-link" 
href="http://struts.apache.org/download.cgi#struts2325";>Struts 
2.3.25</a></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: 
rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Romain Gaucher rgaucher at coverity dot com 
- <a shape="rect" class="external-link" href="http://www.coverity.com/"; 
rel="nofollow">Coverity</a></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p><span style="color: 
rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></table></div><h2 
id="S2-029-Problem">Problem</h2><p>The Apache Struts frameworks performs double 
evaluation of attributes' values assigned
  to certain tags so it is possible to pass in a value that will be evaluated 
again when a tag's attributes will be rendered.</p><h2 
id="S2-029-Solution">Solution</h2><p>Adding a proper validation of each value 
that's coming in and it's used in tag's 
attributes.&#160;Alternatively&#160;<span style="line-height: 1.42857;">upgrade 
to Struts 2.3.25.</span></p><h2 id="S2-029-Backwardcompatibility">Backward 
compatibility</h2><p>No issues expected when upgrading to Struts 2.3.25</p><h2 
id="S2-029-Workaround">Workaround</h2><p>Not possible</p></div>
+            <div id="ConfluenceContent"><h2 
id="S2-029-Summary">Summary</h2>Double OGNL evaluation when using raw user 
input in tag's attributes.<div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution 
vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Always validate incoming parameters' values 
when re-assigning them to certain Struts' tags attributes. Alternative
 ly upgrade to <a shape="rect" href="version-notes-2326.html">Struts 
2.3.26</a></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: 
rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Romain Gaucher rgaucher at coverity dot com 
- <a shape="rect" class="external-link" href="http://www.coverity.com/"; 
rel="nofollow">Coverity</a></p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p><span style="color: 
rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></table></div><h2 
id="S2-029-Problem">Problem</h2><p>The Apache Struts frameworks performs double 
evaluation of attributes' values assigned to certain tags so it is possible to 
pass in a
  value that will be evaluated again when a tag's attributes will be 
rendered.</p><h2 id="S2-029-Solution">Solution</h2><p>Adding a proper 
validation of each value that's coming in and it's used in tag's 
attributes.&#160;Alternatively&#160;<span style="line-height: 1.42857;">upgrade 
to Struts 2.3.26.</span></p><h2 id="S2-029-Backwardcompatibility">Backward 
compatibility</h2><p>No issues expected when upgrading to Struts 2.3.26</p><h2 
id="S2-029-Workaround">Workaround</h2><p>Not possible</p></div>
         </div>
 
         
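Review bot: the Recommendation cell (`Always validate incoming parameters' values when re-assigning them to certain Struts' tags attributes`) and the Workaround cell (`Not possible`) contradict each other in the `+` block; if input validation is the only mitigation short of upgrading, say so under Workaround instead of declaring that none exists. Two wording fixes are also overdue in the same block: `The Apache Struts frameworks performs double evaluation` should be `framework performs`, and the Solution sentence `Adding a proper validation of each value that's coming in and it's used in tag's attributes.` reads better as `Add proper validation of every incoming value that is used in a tag's attributes.`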

Modified: websites/production/struts/content/docs/s2-030.html
==============================================================================
--- websites/production/struts/content/docs/s2-030.html (original)
+++ websites/production/struts/content/docs/s2-030.html Thu Mar 17 08:32:29 2016
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 
id="S2-030-Summary">Summary</h2>Possible XSS vulnerability in 
<code>I18NInterceptor</code><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Possible XSS 
vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Do not expose parts of <code>Locale</code> 
object constructed by <code>I18NInterceptor</code> as it may contain user 
specific string which may leads 
 to XSS vulnerability.</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" 
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: 
rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Paolo Perliti paolo dot perliti at miliaris 
dot it - <a shape="rect" class="external-link" href="http://www.miliaris.it/"; 
rel="nofollow">M<span>iliaris</span></a><span>&#160;</span></p></td></tr><tr><th
 colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td 
colspan="1" rowspan="1" 
class="confluenceTd"><p>CVE-2016-2162</p></td></tr></tbody></table></div><h2 
id="S2-030-Problem">Problem</h2><p>The Apache Struts framework uses 
<code>I18NInterceptor</code> to allow users and developers switch language used 
in the framework and an application built on top of it. The problem is that the 
in
 terceptor doesn't perform any validation of the user input and accept 
arbitrary string which can be used by a developer to display language selected 
by the user. However, the framework doesn't expose the value directly in 
UI.</p><h2 id="S2-030-Solution">Solution</h2><p>If you want present language 
selected by user based on <code>I18NInterceptor</code> always escape the string 
before presenting it to the user.&#160;Alternatively&#160;<span 
style="line-height: 1.42857;">upgrade to Struts 2.3.25.</span></p><h2 
id="S2-030-Backwardcompatibility">Backward compatibility</h2><p>No issues 
expected when upgrading to Struts 2.3.25</p><h2 
id="S2-030-Workaround">Workaround</h2><p>When needed you can use <a 
shape="rect" class="external-link" 
href="https://commons.apache.org/proper/commons-lang/javadocs/api-3.4/org/apache/commons/lang3/StringEscapeUtils.html";>StringEscapeUtils</a>
 from the Apache Commons to escape the string.</p></div>
+            <div id="ConfluenceContent"><h2 
id="S2-030-Summary">Summary</h2>Possible XSS vulnerability in 
<code>I18NInterceptor</code><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Who should read this</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>All Struts 2 developers and 
users</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Possible XSS 
vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" 
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" 
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" 
rowspan="1" class="confluenceTd"><p>Do not expose parts of <code>Locale</code> 
object constructed by <code>I18NInterceptor</code> as it may contain user 
specific string which may leads 
 to XSS vulnerability. Alternatively upgrade to&#160;<a shape="rect" 
href="version-notes-2326.html">Struts 2.3.26</a>.</p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span 
style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th 
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td 
colspan="1" rowspan="1" class="confluenceTd"><p>Paolo Perliti paolo dot perliti 
at miliaris dot it - <a shape="rect" class="external-link" 
href="http://www.miliaris.it/"; 
rel="nofollow">M<span>iliaris</span></a><span>&#160;</span></p></td></tr><tr><th
 colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td 
colspan="1" rowspan="1" 
class="confluenceTd"><p>CVE-2016-2162</p></td></tr></tbody></table></div><h2 
id="S2-030-Problem">Problem</h2><p>The Apache Struts framework uses 
<code>I18NInterceptor</code> to allow users and developers switch 
 language used in the framework and an application built on top of it. The 
problem is that the interceptor doesn't perform any validation of the user 
input and accept arbitrary string which can be used by a developer to display 
language selected by the user. However, the framework doesn't expose the value 
directly in UI.</p><h2 id="S2-030-Solution">Solution</h2><p>If you want present 
language selected by user based on <code>I18NInterceptor</code> always escape 
the string before presenting it to the user.&#160;Alternatively&#160;<span 
style="line-height: 1.42857;">upgrade to Struts 2.3.26.</span></p><h2 
id="S2-030-Backwardcompatibility">Backward compatibility</h2><p>No issues 
expected when upgrading to Struts 2.3.26</p><h2 
id="S2-030-Workaround">Workaround</h2><p>When needed you can use <a 
shape="rect" class="external-link" 
href="https://commons.apache.org/proper/commons-lang/javadocs/api-3.4/org/apache/commons/lang3/StringEscapeUtils.html";>StringEscapeUtils</a>
 from the Apache Common
 s to escape the string.</p></div>
         </div>
 
         
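Review bot: adding `Alternatively upgrade to Struts 2.3.26.` to the Recommendation cell is the right call, since the other two advisories already carry the upgrade pointer, but the surrounding sentences in the `+` block keep their grammar problems: `user specific string which may leads to XSS vulnerability` should be `user-supplied string which may lead to an XSS vulnerability`, `allow users and developers switch language` needs `to switch the language`, and `If you want present language selected by user` should be `If you want to present the language selected by the user`. In the Workaround, naming the concrete method (`StringEscapeUtils.escapeHtml4`, which is what the linked commons-lang3 3.4 class provides for HTML output) would save readers a trip to the javadoc.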

Modified: websites/production/struts/content/docs/security.html
==============================================================================
--- websites/production/struts/content/docs/security.html (original)
+++ websites/production/struts/content/docs/security.html Thu Mar 17 08:32:29 
2016
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1457693901922 {padding: 0px;}
-div.rbtoc1457693901922 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1457693901922 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1458203471142 {padding: 0px;}
+div.rbtoc1458203471142 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1458203471142 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1457693901922">
+/*]]>*/</style></p><div class="toc-macro rbtoc1458203471142">
 <ul class="toc-indentation"><li><a shape="rect" 
href="#Security-Securitytips">Security tips</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config 
Browser</a></li><li><a shape="rect" 
href="#Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix 
different access levels in the same namespace</a></li><li><a shape="rect" 
href="#Security-NeverexposeJSPfilesdirectly">Never expose JSP files 
directly</a></li><li><a shape="rect" href="#Security-DisabledevMode">Disable 
devMode</a></li><li><a shape="rect" href="#Security-UseUTF-8encoding">Use UTF-8 
encoding</a></li></ul>
 </li><li><a shape="rect" href="#Security-Internalsecuritymechanism">Internal 
security mechanism</a>
@@ -177,7 +177,7 @@ div.rbtoc1457693901922 li {margin-left:
     &lt;description&gt;Don't assign users to this role&lt;/description&gt;
     &lt;role-name&gt;no-users&lt;/role-name&gt;
 &lt;/security-role&gt;</pre>
-</div></div><p>The best approach is to used the both solutions.</p><h4 
id="Security-DisabledevMode">Disable devMode</h4><p>The&#160;<code 
style="line-height: 1.4285715;">devMode</code> is very useful option back can 
expose your application presenting too many informations of application's 
internals. Please always disable the&#160;<code>devMode</code> before deploying 
your application to a production environment.</p><h4 
id="Security-UseUTF-8encoding">Use UTF-8 encoding</h4><p>Always 
use&#160;<code>UTF-8</code> encoding when building an application with the 
Apache Struts 2, when using JSPs please add the following header to each JSP 
file</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeContent panelContent pdl">
+</div></div><p>The best approach is to used the both solutions.</p><h4 
id="Security-DisabledevMode">Disable devMode</h4><p>The&#160;<code 
style="line-height: 1.4285715;">devMode</code> is a very useful option during 
development time, allowing for deep introspection and debugging into you 
app.</p><p>However, in production it exposes your application to be presenting 
too many informations on application's internals or to evaluating risky 
parameter expressions.</p><div class="confluence-information-macro 
confluence-information-macro-note"><p class="title">How to disable devMode in 
production</p><span class="aui-icon aui-icon-small aui-iconfont-warning 
confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>Please <strong>always 
disable&#160;<code>devMode</code></strong>&#160;before deploying your 
application to a production environment. While it is disabled by default, your 
struts.xml might include a line setting it to true. The best way is to ensure
  the following setting is applied to our struts.xml for production 
deployment:</p><pre><span>&lt;</span><span style="color: 
rgb(0,0,128);">constant </span><span style="color: 
rgb(0,0,255);">name</span><span style="color: rgb(0,128,0);">="struts.devMode" 
</span><span style="color: rgb(0,0,255);">value</span><span style="color: 
rgb(0,128,0);">="false"</span><span>/&gt;</span></pre></div></div><p>&#160;</p><h4
 id="Security-UseUTF-8encoding">Use UTF-8 encoding</h4><p>Always 
use&#160;<code>UTF-8</code> encoding when building an application with the 
Apache Struts 2, when using JSPs please add the following header to each JSP 
file</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;%@ page contentType="text/html; charset=UTF-8" 
%&gt;</pre>
 </div></div><h3 id="Security-Internalsecuritymechanism">Internal security 
mechanism</h3><p>The Apache Struts 2 contains internal security manager which 
blocks access to particular classes and Java packages - it's a OGNL-wide 
mechanism which means it affects any aspect of the framework ie. incoming 
parameters, expressions used in JSPs, etc.</p><p>There are three options that 
can be used to configure excluded packages and classes:</p><ul 
style="list-style-type: square;"><li><code>struts.excludedClasses</code> - 
comma-separated list of excluded 
classes</li><li><code>struts.excludedPackageNamePatterns</code> - patterns used 
to exclude packages based on RegEx - this option is slower than simple string 
comparison but it's more 
flexible</li><li><code>struts.excludedPackageNames</code> - comma-separated 
list of excluded packages, it is used with simple string comparison 
via&#160;<code>startWith</code> and&#160;<code>equals</code></li></ul><p>The 
defaults are as follow:</p><div class="code p
 anel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;constant name="struts.excludedClasses"
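Review bot: the typo `The best approach is to used the both solutions.` at the top of the `+` block survives the rewrite and should become `to use both solutions`; the new devMode paragraph also needs a pass: `debugging into you app` should be `your app`, `exposes your application to be presenting too many informations on application's internals or to evaluating risky parameter expressions` reads better as `exposes too much information about the application's internals and may evaluate risky parameter expressions`, and `applied to our struts.xml` should be `your struts.xml`. The new `struts.devMode` snippet is rendered as a bare `<pre>` with hand-coloured `<span>`s while the JSP header a few lines below uses `<pre class="brush: xml; gutter: false; theme: Default">`; use the same brush so both code panels are highlighted consistently.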

Added: websites/production/struts/content/docs/version-notes-2326.html
==============================================================================
--- websites/production/struts/content/docs/version-notes-2326.html (added)
+++ websites/production/struts/content/docs/version-notes-2326.html Thu Mar 17 
08:32:29 2016
@@ -0,0 +1,168 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" 
href="https://struts.apache.org/css/default.css";>
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      
url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' 
rel='stylesheet' type='text/css' />
+    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' 
rel='stylesheet' type='text/css' />
+    <script src='https://struts.apache.org/highlighter/js/shCore.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' 
type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' 
type='text/javascript'></script>
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>Version Notes 2.3.26</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a 
href="guides.html">Guides</a>&nbsp;&gt;&nbsp;<a 
href="migration-guide.html">Migration Guide</a>&nbsp;&gt;&nbsp;<a 
href="version-notes-2326.html">Version Notes 2.3.26</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search"; 
method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the 
logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; 
margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 
2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">Version 
Notes 2.3.26</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; 
margin: 0px;">
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687305";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Edit Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687305";>Edit
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Browse Space"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW";>Browse 
Space</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687305";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add Page"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687305";>Add
 Page</a>
+            &nbsp;
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687305";>
+                <img 
src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif";
+                     height="16" width="16" border="0" align="absmiddle" 
title="Add News"></a>
+            <a 
href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687305";>Add
 News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><p><img class="emoticon emoticon-tick" 
src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png";
 data-emoticon-name="tick" alt="(tick)"> These are the notes for the Struts 
2.3.26 distribution.</p><p><img class="emoticon emoticon-tick" 
src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png";
 data-emoticon-name="tick" alt="(tick)"> For prior notes in this release 
series, see <a shape="rect" href="version-notes-2320.html">Version Notes 
2.3.20</a></p><ul><li>If you are a Maven user, you might want to get started 
using the <a shape="rect" href="struts-2-maven-archetypes.html">Maven 
Archetype</a>.</li><li>Another quick-start entry point is the 
<strong>blank</strong> application. Rename and deploy the WAR as a starting 
point for your own development.</li><li>There is huge number of examples you 
can als
 o use as a starting point for you application&#160;<a shape="rect" 
class="external-link" href="https://github.com/apache/struts-examples"; 
rel="nofollow">here</a></li></ul><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>Maven Dependency</b></div><div 
class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;dependency&gt;
+  &lt;groupId&gt;org.apache.struts&lt;/groupId&gt;
+  &lt;artifactId&gt;struts2-core&lt;/artifactId&gt;
+  &lt;version&gt;2.3.26&lt;/version&gt;
+&lt;/dependency&gt;
+</pre>
+</div></div><p>You can also use Struts Archetype Catalog like below</p><div 
class="code panel pdl" style="border-width: 1px;"><div class="codeHeader 
panelHeader pdl" style="border-bottom-width: 1px;"><b>Struts Archetype 
Catalog</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: text; gutter: false; theme: Default" 
style="font-size:12px;">mvn archetype:generate 
-DarchetypeCatalog=http://struts.apache.org/</pre>
+</div></div><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Staging 
Repository</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;repositories&gt;
+  &lt;repository&gt;
+    &lt;id&gt;apache.nexus&lt;/id&gt;
+    &lt;name&gt;ASF Nexus Staging&lt;/name&gt;
+    
&lt;url&gt;https://repository.apache.org/content/groups/staging/&lt;/url&gt;
+  &lt;/repository&gt;
+&lt;/repositories&gt;</pre>
+</div></div><h2 id="VersionNotes2.3.26-InternalChanges">Internal 
Changes</h2><ul><li><img class="emoticon emoticon-warning" 
src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/warning.png";
 data-emoticon-name="warning" alt="(warning)">&#160;Possible XSS vulnerability 
in pages not using UTF-8 was fixed, read more details in&#160;<a shape="rect" 
href="s2-028.html">S2-028</a></li><li><img class="emoticon emoticon-warning" 
src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/warning.png";
 data-emoticon-name="warning" alt="(warning)">&#160;Prevents possible RCE when 
reusing user input in tag's attributes, see more details in&#160;<a 
shape="rect" href="s2-029.html">S2-029</a></li><li><img class="emoticon 
emoticon-warning" 
src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/warning.png";
  data-emoticon-name="warning" 
alt="(warning)">&#160;<code>I18NInterceptor</code> narrows selected locale to 
those available in JVM to reduce possibility of another XSS vulnerability, see 
more details in&#160;<a shape="rect" 
href="s2-030.html">S2-030</a></li><li>New&#160;<code>Configurationprovider</code>
 type was introduced -&#160;<a shape="rect" 
href="configuration-provider-configuration.html">ServletContextAwareConfigurationProvider</a>,
 see&#160;<a shape="rect" class="external-link" 
href="https://issues.apache.org/jira/browse/WW-4410";>WW-4410</a></li><li>Setting
 status code in <code>HttpHeaders</code>&#160;isn't ignored anymore, 
see&#160;<a shape="rect" class="external-link" 
href="https://issues.apache.org/jira/browse/WW-4545";>WW-4545</a></li><li>Spring 
<code>BeanPostProcessor(s)</code>&#160;are called only once to constructed 
objects., see&#160;<a shape="rect" class="external-link" 
href="https://issues.apache.org/jira/browse/WW-4554";>WW-4554</a></li><li>OGNL 
was upgraded to vers
 ion 3.0.13, see&#160;<a shape="rect" class="external-link" 
href="https://issues.apache.org/jira/browse/WW-4562";>WW-4562</a></li><li>Tiles 
2 Plugin was upgraded to latest available Tiles 2 version, see&#160;<a 
shape="rect" class="external-link" 
href="https://issues.apache.org/jira/browse/WW-4568";>WW-4568</a></li><li>A 
dedicated assembly with minimal set of jars was defined, see&#160;<a 
shape="rect" class="external-link" 
href="https://issues.apache.org/jira/browse/WW-4570";>WW-4570</a></li><li>Struts2
 Rest plugin properly handles JSESSIONID with DMI, see&#160;<a shape="rect" 
class="external-link" 
href="https://issues.apache.org/jira/browse/WW-4585";>WW-4585</a></li><li>Improved
 the Struts2 Rest plugin to honor Accept header, see&#160;<a shape="rect" 
class="external-link" 
href="https://issues.apache.org/jira/browse/WW-4588";>WW-4588</a></li><li><code>MessageStoreInterceptor</code>
 was refactored to use&#160;<code>PreResultListener</code>&#160;to store 
messages, see&#160;<a shape="rect" cl
 ass="external-link" 
href="https://issues.apache.org/jira/browse/WW-4605";>WW-4605</a></li><li>A new 
annotation was added to support configuring Tiles - 
<code>@TilesDefinition</code>, see&#160;<a shape="rect" class="external-link" 
href="https://issues.apache.org/jira/browse/WW-4606";>WW-4606</a></li><li>and 
many other small improvements, please see the release 
notes</li></ul><p>&#160;</p><div class="confluence-information-macro 
confluence-information-macro-note"><span class="aui-icon aui-icon-small 
aui-iconfont-warning confluence-information-macro-icon"></span><div 
class="confluence-information-macro-body"><p>This release contains fix related 
to <a shape="rect" href="s2-028.html">S2-028</a>, <a shape="rect" 
href="s2-029.html">S2-029</a> and <a shape="rect" href="s2-030.html">S2-030</a> 
security bulletins, please read it carefully!</p></div></div><h3 
id="VersionNotes2.3.26-IssueDetail">Issue Detail</h3><ul><li><a shape="rect" 
class="external-link" href="https://issues.apache.org/jira/se
 cure/ReleaseNote.jspa?version=12333842&amp;projectId=12311041">JIRA Release 
Notes 2.3.26</a></li></ul><h3 id="VersionNotes2.3.26-IssueList">Issue 
List</h3><ul><li><a shape="rect" class="external-link" 
href="https://issues.apache.org/jira/issues/?filter=12326872";>Struts 2.3.20 
DONE</a></li><li><a shape="rect" class="external-link" 
href="https://issues.apache.org/jira/issues/?filter=12318399";>Struts 2.3.x 
TODO</a></li></ul><h3 id="VersionNotes2.3.26-Otherresources">Other 
resources</h3><ul><li><a shape="rect" class="external-link" 
href="http://www.mail-archive.com/commits%40struts.apache.org/"; 
rel="nofollow">Commit Logs</a></li><li><a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=struts.git;a=tree;h=refs/heads/develop;hb=develop";>Source
 Code Repository</a></li></ul><div><span style="font-size: 24.0px;line-height: 
30.0px;"><br clear="none"></span></div><div><span style="font-size: 
24.0px;line-height: 30.0px;background-color: rgb(245,245,245);"><br cl
 ear="none"></span></div></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
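Review bot: the "Staging Repository" snippet (the `<repositories>` block pointing at `https://repository.apache.org/content/groups/staging/`) belongs on a release-candidate vote page rather than on the production version notes: the staging group serves artifacts that have not yet been voted on or released, so readers who keep it in their build will resolve any artifact missing from Central from the staging group. Consider dropping it here or labelling it as for release testing only; the Maven Dependency block above resolves `struts2-core` 2.3.26 from Central without it. Related, the archetype catalog line `mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/` fetches the catalog over plain HTTP; `https://struts.apache.org/` would avoid an unauthenticated download. Smaller fixes in the same file: the "Issue List" link text `Struts 2.3.20 DONE` looks carried over from the 2.3.20 notes and should name 2.3.26 (check the JIRA filter id as well); `<code>Configurationprovider</code>` should read `ConfigurationProvider`; "There is huge number of examples you can also use as a starting point for you application" wants "a huge number" and "your application"; "are called only once to constructed objects., see" has a stray period; and the note box should read "contains fixes related to ... security bulletins, please read them carefully".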