This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-site by this push: new 603e631 Updates production by Jenkins 603e631 is described below commit 603e631e48a1c00ce96ec9170375da7c79b3d592 Author: jenkins <bui...@apache.org> AuthorDate: Tue Mar 27 10:01:19 2018 +0000 Updates production by Jenkins --- content/announce.html | 37 ++++++++++++++++++ content/index.html | 21 ++++------- content/security/index.html | 92 ++++++++++++++++++++++++++++++++------------- 3 files changed, 110 insertions(+), 40 deletions(-) diff --git a/content/announce.html b/content/announce.html index 4d61c2f..18a3ebe 100644 --- a/content/announce.html +++ b/content/announce.html @@ -130,6 +130,7 @@ <h1 class="no_toc" id="announcements-2018">Announcements 2018</h1> <ul id="markdown-toc"> + <li><a href="#a20180323" id="markdown-toc-a20180323">23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3</a></li> <li><a href="#a20180316" id="markdown-toc-a20180316">16 March 2018 - Struts 2.5.16 General Availability</a></li> </ul> 
@@ -137,6 +138,42 @@ Skip to: <a href="announce-2017.html">Announcements - 2017</a> </p> +<h4 id="a20180323">23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3</h4> + +<p>The Apache Struts Team recommends to immediately upgrade your Struts 2 +based projects to use the latest released version of Commons +FileUpload library, which is currently 1.3.3. This is necessary to +prevent your publicly accessible web site from being exposed to +possible Remote Code Execution attacks (see [1] [2]).</p> + +<p>This affects any Struts version prior to <strong>2.5.12</strong> [3].</p> + +<p>Your project is affected if it uses the built-in file upload mechanism +of Struts 2, which defaults to the use of commons-fileupload. The +updated commons-fileupload library is a drop-in replacement for the +vulnerable version. Deployed applications can be hardened by replacing +the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For +Maven based Struts 2 projects, the following dependency needs to be +added:</p> + +<div class="highlighter-rouge"><pre class="highlight"><code><span class="nt"><dependency></span> + <span class="nt"><groupId></span>commons-fileupload<span class="nt"></groupId></span> + <span class="nt"><artifactId></span>commons-fileupload<span class="nt"></artifactId></span> + <span class="nt"><version></span>1.3.3<span class="nt"></version></span> +<span class="nt"></dependency></span> +</code></pre> +</div> + +<p>More details can be found here:</p> + +<ol> + <li><a href="https://issues.apache.org/jira/browse/FILEUPLOAD-279">https://issues.apache.org/jira/browse/FILEUPLOAD-279</a></li> + <li><a href="https://nvd.nist.gov/vuln/detail/CVE-2016-1000031">https://nvd.nist.gov/vuln/detail/CVE-2016-1000031</a></li> + <li><a href="https://issues.apache.org/jira/browse/WW-4812">https://issues.apache.org/jira/browse/WW-4812</a></li> +</ol> + +<p>All developers are strongly advised to perform this action.</p> + <h4 id="a20180316">16 March 2018 - Struts 
2.5.16 General Availability</h4> <p>The Apache Struts group is pleased to announce that Struts 2.5.16 is available as a “General Availability” diff --git a/content/index.html b/content/index.html index 123cfaf..08e39a7 100644 --- a/content/index.html +++ b/content/index.html @@ -162,18 +162,19 @@ <h2>Apache Struts 2.3.34 GA</h2> <p> It's the latest release of Struts 2.3.x which contains the latest security fixes, - read more in <a href="announce.html#a20170907">Announcement</a> or in + read more in <a href="announce-2017.html#a20170907">Announcement</a> or in <a href="/docs/version-notes-2334.html">Version notes</a> </p> </div> </div> <div class="row"> <div class="column col-md-4"> - <h2>Potential RCE vulnerability in the Showcase app</h2> + <h2>Immediately upgrade commons-fileupload to version 1.3.3</h2> <p> - A potential security vulnerability was reported in the Struts 1 plugin used in the Struts 2.3.x series. - Please read more in <a href="/docs/s2-048.html">S2-048</a> or in the official - <a href="announce.html#a20170707">Announcement</a> + The Apache Struts Team recommends to immediately upgrade your Struts 2 + based projects to use the latest released version of Commons + FileUpload library, which is currently 1.3.3. + <a href="announce.html#a20180323">Announcement</a> </p> </div> <div class="column col-md-4"> 
@@ -181,18 +182,12 @@ <p> The Struts Extras secure Multipart plugins General Availability - versions 1.1, use them to secure your application against critical security vulnerability reported in <a href="/docs/s2-045.html">S2-045</a>, - <a href="/docs/s2-046.html">S2-046</a>, read more in <a href="announce.html#a20170323">Announcement</a> + <a href="/docs/s2-046.html">S2-046</a>, read more in <a href="announce-2017.html#a20170323">Announcement</a> or in <a href="https://github.com/apache/struts-extras">README</a> </p> </div> <div class="column col-md-4"> - <h2>New documentation</h2> - <p> - We have started working on a new documentation, the main task is to port existing Confluence based pages - to Markdown, thus will allow for easier deployment and maintenance. - You can help us by contributing via GitHub <a href="https://github.com/apache/struts-site">struts-site</a> - project. The first migrated part is the <a href="getting-started">Getting started</a> guide. - </p> + <br/> </div> </div> </div> diff --git a/content/security/index.html b/content/security/index.html index 0050ca4..7ccc60f 100644 --- a/content/security/index.html +++ b/content/security/index.html 
@@ -140,6 +140,7 @@ <li><a href="#use-utf-8-encoding" id="markdown-toc-use-utf-8-encoding">Use UTF-8 encoding</a></li> <li><a href="#do-not-define-setters-when-not-needed" id="markdown-toc-do-not-define-setters-when-not-needed">Do not define setters when not needed</a></li> <li><a href="#do-not-use-incoming-values-as-an-input-for-localisation-logic" id="markdown-toc-do-not-use-incoming-values-as-an-input-for-localisation-logic">Do not use incoming values as an input for localisation logic</a></li> + <li><a href="#use-struts-tags-instead-of-raw-el-expressions" id="markdown-toc-use-struts-tags-instead-of-raw-el-expressions">Use Struts tags instead of raw EL expressions</a></li> </ul> </li> <li><a href="#internal-security-mechanism" id="markdown-toc-internal-security-mechanism">Internal security mechanism</a> <ul> 
@@ -153,15 +154,20 @@ <h2 id="security-tips">Security tips</h2> -<p>The Apache Struts 2 doesn’t provide any security mechanism - it is just a pure web framework. Below are few tips you should consider during application development with the Apache Struts 2.</p> +<p>The Apache Struts 2 doesn’t provide any security mechanism - it is just a pure web framework. Below are few tips +you should consider during application development with the Apache Struts 2.</p> <h3 id="restrict-access-to-the-config-browser-plugin">Restrict access to the Config Browser Plugin</h3> -<p><a href="../plugins/config-browser/">Config Browser Plugin</a> exposes internal configuration and should be used only during development phase. If you must use it on production site, we strictly recommend restricting access to it - you can use Basic Authentication or any other security mechanism (e.g. <a href="https://shiro.apache.org/">Apache Shiro</a>)</p> +<p><a href="../plugins/config-browser/">Config Browser Plugin</a> exposes internal configuration and should be used only during +development phase. If you must use it on production site, we strictly recommend restricting access to it - you can use +Basic Authentication or any other security mechanism (e.g. <a href="https://shiro.apache.org/">Apache Shiro</a>)</p> <h3 id="dont-mix-different-access-levels-in-the-same-namespace">Don’t mix different access levels in the same namespace</h3> -<p>Very often access to different resources is controlled based on URL patterns, see snippet below. Because of that you cannot mix actions with different security levels in the same namespace. Always group actions in one namespace by security level.</p> +<p>Very often access to different resources is controlled based on URL patterns, see snippet below. Because of that +you cannot mix actions with different security levels in the same namespace. 
Always group actions in one namespace +by security level.</p> <div class="highlighter-rouge"><pre class="highlight"><code><span class="nt"><security-constraint></span> <span class="nt"><web-resource-collection></span> @@ -177,7 +183,10 @@ <h3 id="never-expose-jsp-files-directly">Never expose JSP files directly</h3> -<p>You must always hide JSP file behind an action, you cannot allow for direct access to the JSP files as this can leads to unpredictable security vulnerabilities. You can achieve this by putting all your JSP files under the <code class="highlighter-rouge">WEB-INF</code> folder - most of the JEE containers restrict access to files placed under the <code class="highlighter-rouge">WEB-INF</code> folder. Second option is to add security constraint to the <code class="highlighter-rouge">web. [...] +<p>You must always hide JSP file behind an action, you cannot allow for direct access to the JSP files as this can leads +to unpredictable security vulnerabilities. You can achieve this by putting all your JSP files under the <code class="highlighter-rouge">WEB-INF</code> folder +- most of the JEE containers restrict access to files placed under the <code class="highlighter-rouge">WEB-INF</code> folder. Second option is to add security +constraint to the <code class="highlighter-rouge">web.xml</code> file:</p> <div class="highlighter-rouge"><pre class="highlight"><code><span class="c"><!-- Restricts access to pure JSP files - access available only via Struts action --></span> <span class="nt"><security-constraint></span> 
@@ -204,8 +213,11 @@ <p>The <code class="highlighter-rouge">devMode</code> is a very useful option during development time, allowing for deep introspection and debugging into you app.</p> -<p>However, in production it exposes your application to be presenting too many informations on application’s internals or to evaluating risky parameter expressions. Please <strong>always disable</strong> <code class="highlighter-rouge">devMode</code> before deploying your application to a production environment. While it is disabled by default, your -<code class="highlighter-rouge">struts.xml</code> might include a line setting it to <code class="highlighter-rouge">true</code>. The best way is to ensure the following setting is applied to our <code class="highlighter-rouge">struts.xml</code> for production deployment:</p> +<p>However, in production it exposes your application to be presenting too many informations on application’s internals +or to evaluating risky parameter expressions. Please <strong>always disable</strong> <code class="highlighter-rouge">devMode</code> before deploying your application +to a production environment. While it is disabled by default, your +<code class="highlighter-rouge">struts.xml</code> might include a line setting it to <code class="highlighter-rouge">true</code>. The best way is to ensure the following setting is applied +to our <code class="highlighter-rouge">struts.xml</code> for production deployment:</p> <div class="highlighter-rouge"><pre class="highlight"><code><span class="nt"><constant</span> <span class="na">name =</span><span class="s">"struts.devMode"</span> <span class="na">value=</span><span class="s">"false"</span> <span class="nt">/></span> </code></pre> 
@@ -213,7 +225,9 @@ <h3 id="reduce-logging-level">Reduce logging level</h3> -<p>It’s a good practice to reduce logging level from <strong>DEBUG</strong> to <strong>INFO</strong> or less. Framework’s classes can produce a lot of logging entries which will pollute the log file. You can even set logging level to <strong>WARN</strong> for classes that belongs to the framework, see example Log4j2 configuration:</p> +<p>It’s a good practice to reduce logging level from <strong>DEBUG</strong> to <strong>INFO</strong> or less. Framework’s classes can produce + a lot of logging entries which will pollute the log file. You can even set logging level to <strong>WARN</strong> for classes that + belongs to the framework, see example Log4j2 configuration:</p> <div class="highlighter-rouge"><pre class="highlight"><code><span class="cp"><?xml version="1.0" encoding="UTF-8"?></span> <span class="nt"><Configuration></span> 
@@ -235,19 +249,26 @@ <h3 id="use-utf-8-encoding">Use UTF-8 encoding</h3> -<p>Always use <code class="highlighter-rouge">UTF-8</code> encoding when building an application with the Apache Struts 2, when using JSPs please add the following header to each JSP file</p> +<p>Always use <code class="highlighter-rouge">UTF-8</code> encoding when building an application with the Apache Struts 2, when using JSPs please add the following +header to each JSP file</p> <pre><code class="language-jsp"><%@ page contentType="text/html; charset=UTF-8" %> </code></pre> <h3 id="do-not-define-setters-when-not-needed">Do not define setters when not needed</h3> -<p>You should carefully design your actions without exposing anything via setters and getters, thus can leads to potential security vulnerabilities. Any action’s setter can be used to set incoming untrusted user’s value which can contain suspicious expression. Some Struts <code class="highlighter-rouge">Result</code>s automatically populate params based on values in -<code class="highlighter-rouge">ValueStack</code> (action in most cases is the root) which means incoming value will be evaluated as an expression during this process.</p> +<p>You should carefully design your actions without exposing anything via setters and getters, thus can leads to potential +security vulnerabilities. Any action’s setter can be used to set incoming untrusted user’s value which can contain +suspicious expression. 
Some Struts <code class="highlighter-rouge">Result</code>s automatically populate params based on values in +<code class="highlighter-rouge">ValueStack</code> (action in most cases is the root) which means incoming value will be evaluated as an expression during +this process.</p> <h3 id="do-not-use-incoming-values-as-an-input-for-localisation-logic">Do not use incoming values as an input for localisation logic</h3> -<p>All <code class="highlighter-rouge">TextProvider</code>’s <code class="highlighter-rouge">getText(...)</code> methods (e.g. in<code class="highlighter-rouge">ActionSupport</code>) perform evaluation of parameters included in a message to properly localize the text. This means using incoming request parameters with <code class="highlighter-rouge">getText(...)</code> methods is potentially dangerous and should be avoided. See example below, assuming that an action implements getter and [...] +<p>All <code class="highlighter-rouge">TextProvider</code>’s <code class="highlighter-rouge">getText(...)</code> methods (e.g. in<code class="highlighter-rouge">ActionSupport</code>) perform evaluation of parameters included in a message +to properly localize the text. This means using incoming request parameters with <code class="highlighter-rouge">getText(...)</code> methods is potentially +dangerous and should be avoided. See example below, assuming that an action implements getter and setter for property +<code class="highlighter-rouge">message</code>, the below code allows inject an OGNL expression:</p> <div class="highlighter-rouge"><pre class="highlight"><code><span class="kd">public</span> <span class="n">String</span> <span class="nf">execute</span><span class="p">(</span><span class="o">)</span> <span class="kd">throws</span> <span class="n">Exception</span> <span class="o">{</span> <span class="n">setMessage</span><span class="o">(</span><span class="n">getText</span><span class="o">(</span><span class="n">getMessage</span><span class="o">()));</span> 
@@ -258,22 +279,27 @@ <p>Never use value of incoming request parameter as part of your localization logic.</p> +<h3 id="use-struts-tags-instead-of-raw-el-expressions">Use Struts tags instead of raw EL expressions</h3> + +<p>JSP EL doesn’t perform any kind of escaping, you must perform this using a dedicated function, see <a href="https://stackoverflow.com/a/6135001/1805267">this example</a>. +Never use a raw <code class="highlighter-rouge">${}</code> EL expression on incoming values as this can lead to injecting a malicious code into the page.</p> + +<p>The safest option is to use Struts Tags instead.</p> + <h2 id="internal-security-mechanism">Internal security mechanism</h2> -<p>The Apache Struts 2 contains internal security manager which blocks access to particular classes and Java packages - it’s a OGNL-wide mechanism which means it affects any aspect of the framework ie. incoming parameters, expressions used in JSPs, etc.</p> +<p>The Apache Struts 2 contains internal security manager which blocks access to particular classes and Java packages - +it’s a OGNL-wide mechanism which means it affects any aspect of the framework ie. 
incoming parameters, expressions +used in JSPs, etc.</p> <p>There are three options that can be used to configure excluded packages and classes:</p> <ul> - <li> - <p><code class="highlighter-rouge">struts.excludedClasses</code> - comma-separated list of excluded classes</p> - </li> - <li> - <p><code class="highlighter-rouge">struts.excludedPackageNamePatterns</code> - patterns used to exclude packages based on RegEx - this option is slower than simple string comparison but it’s more flexible</p> - </li> - <li> - <p><code class="highlighter-rouge">struts.excludedPackageNames</code> - comma-separated list of excluded packages, it is used with simple string comparison via <code class="highlighter-rouge">startWith</code> and <code class="highlighter-rouge">equals</code></p> - </li> + <li><code class="highlighter-rouge">struts.excludedClasses</code> - comma-separated list of excluded classes</li> + <li><code class="highlighter-rouge">struts.excludedPackageNamePatterns</code> - patterns used to exclude packages based on RegEx - this option is slower than +simple string comparison but it’s more flexible</li> + <li><code class="highlighter-rouge">struts.excludedPackageNames</code> - comma-separated list of excluded packages, it is used with simple string comparison +via <code class="highlighter-rouge">startWith</code> and <code class="highlighter-rouge">equals</code></li> </ul> <p>The defaults are as follow:</p> 
@@ -296,17 +322,20 @@ </code></pre> </div> -<p>In that case <code class="highlighter-rouge">new MyBean()</code> was used to create a new instance of class (inside JSP) - it’s blocked because <code class="highlighter-rouge">target</code> of such expression is evaluated to <code class="highlighter-rouge">java.lang.Class</code></p> +<p>In that case <code class="highlighter-rouge">new MyBean()</code> was used to create a new instance of class (inside JSP) - it’s blocked because <code class="highlighter-rouge">target</code> +of such expression is evaluated to <code class="highlighter-rouge">java.lang.Class</code></p> <p>It is possible to redefine the above constants in struts.xml but try to avoid this and rather change design of your application!</p> <h3 id="accessing-static-methods">Accessing static methods</h3> -<p>Support for accessing static methods from expression will be disabled soon, please consider re-factoring your application to avoid further problems! Please check <a href="https://issues.apache.org/jira/browse/WW-4348">WW-4348</a>.</p> +<p>Support for accessing static methods from expression will be disabled soon, please consider re-factoring your application +to avoid further problems! Please check <a href="https://issues.apache.org/jira/browse/WW-4348">WW-4348</a>.</p> <h3 id="ognl-is-used-to-call-actions-methods">OGNL is used to call action’s methods</h3> -<p>This can impact actions which have large inheritance hierarchy and use the same method’s name throughout the hierarchy, this was reported as an issue <a href="https://issues.apache.org/jira/browse/WW-4405">WW-4405</a>. See the example below:</p> +<p>This can impact actions which have large inheritance hierarchy and use the same method’s name throughout the hierarchy, +this was reported as an issue <a href="https://issues.apache.org/jira/browse/WW-4405">WW-4405</a>. 
See the example below:</p> <div class="highlighter-rouge"><pre class="highlight"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">RealAction</span> <span class="kd">extends</span> <span class="n">BaseAction</span> <span class="o">{</span> <span class="nd">@Action</span><span class="o">(</span><span class="s">"save"</span><span class="o">)</span> 
@@ -331,15 +360,24 @@ </code></pre> </div> -<p>In such case OGNL cannot properly map which method to call when request is coming. This is do the OGNL limitation. To solve the problem don’t use the same method’s names through the hierarchy, you can simply change the action’s method from <code class="highlighter-rouge">save()</code> to <code class="highlighter-rouge">saveAction()</code> and leaving annotation as is to allow call this action via <code class="highlighter-rouge">/save.action</code> request.</p> +<p>In such case OGNL cannot properly map which method to call when request is coming. This is do the OGNL limitation. +To solve the problem don’t use the same method’s names through the hierarchy, you can simply change the action’s method +from <code class="highlighter-rouge">save()</code> to <code class="highlighter-rouge">saveAction()</code> and leaving annotation as is to allow call this action via <code class="highlighter-rouge">/save.action</code> request.</p> <h3 id="accepted--excluded-patterns">Accepted / Excluded patterns</h3> -<p>As from version 2.3.20 the framework provides two new interfaces which are used to accept / exclude param names and values - <a href="https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.html">AcceptedPatternsChecker</a> and <a href="https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html">ExcludedPatternsChecker</a> with default implementations. These two interfaces are [...] +<p>As from version 2.3.20 the framework provides two new interfaces which are used to accept / exclude param names +and values - <a href="../maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.html">AcceptedPatternsChecker</a> +and <a href="../maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html">ExcludedPatternsChecker</a> +with default implementations. 
These two interfaces are used by <a href="../core-developers/parameters-interceptor.html">Parameters Interceptor</a> +and <a href="../core-developers/cookie-interceptor.html">Cookie Interceptor</a> to check if param can be accepted or must be excluded. +If you were using <code class="highlighter-rouge">excludeParams</code> previously please compare patterns used by you with these provided by the framework in default implementation.</p> <h3 id="strict-method-invocation">Strict Method Invocation</h3> -<p>This mechanism was introduced in version 2.5. It allows control what methods can be accessed with the bang “!” operator via <a href="../core-developers/action-configuration.html#dynamic-method-invocation">Dynamic Method Invocation</a>. Please read more in Strict Method Invocation section of <a href="../core-developers/action-configuration.html">Action Configuration</a>.</p> +<p>This mechanism was introduced in version 2.5. It allows control what methods can be accessed with the bang “!” operator +via <a href="../core-developers/action-configuration.html#dynamic-method-invocation">Dynamic Method Invocation</a>. Please read +more in the Strict Method Invocation section of <a href="../core-developers/action-configuration.html">Action Configuration</a>.</p> </section> </article> -- To stop receiving notification emails like this one, please contact git-site-r...@apache.org.
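Review bot: in the announce.html content hunk, the scope sentence "This affects any Struts version prior to 2.5.12 [3]" leaves 2.3.x users guessing, because the index.html hunk in this same push still advertises Struts 2.3.34 GA as the current 2.3 release and that number also sorts "prior to 2.5.12"; state explicitly whether the 2.3.x line is affected and which 2.3 release, if any, already ships commons-fileupload 1.3.3. The Maven paragraph says the dependency "needs to be added" without saying why that works: the built-in upload mechanism already pulls commons-fileupload in transitively, and a direct declaration overrides the transitive version under Maven's nearest-wins resolution, so tell the reader to confirm the outcome with `mvn dependency:tree` (and either cover Gradle or say that only Maven is covered). Grammar: "recommends to immediately upgrade" should read "recommends immediately upgrading".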
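Review bot: the replacement box text in the first index.html hunk ends with a bare link labelled "Announcement" that is not part of any sentence; the neighbouring boxes use "read more in <a ...>Announcement</a>", so mirror that form. The "recommends to immediately upgrade" wording is duplicated here from announce.html and should be fixed in both places together, and note that removing the Showcase box drops the front-page link to /docs/s2-048.html; if that advisory still matters to 2.3.x users, keep a pointer to it.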
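Review bot: in the second index.html hunk, replacing the "New documentation" column body with a lone `<br/>` leaves an empty col-md-4 column as a layout placeholder; either drop the column and rebalance the row, or give it content. The announce.html to announce-2017.html correction for #a20170323 is right and consistent with the #a20170907 fix in the previous hunk.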
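Review bot: since the "Security tips" hunk only reflows text, it is the right place to fix the sentence "The Apache Struts 2 doesn't provide any security mechanism", which contradicts the "Internal security mechanism" section later in the same file (excluded classes and packages, Strict Method Invocation); "does not provide authentication or authorization" says what is actually meant. The Config Browser paragraph recommends Basic Authentication without requiring TLS; Basic credentials are only base64-encoded, so add "over HTTPS". Grammar: "Below are few tips" should be "a few tips", "on production site" should be "on a production site", and the paragraph is missing its final full stop.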
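Review bot: in the "Never expose JSP files directly" reflow, "this can leads to unpredictable security vulnerabilities" should read "this can lead to", and "hide JSP file behind an action" should be "hide JSP files behind actions". "Most of the JEE containers restrict access to files placed under WEB-INF" understates the guarantee: the Servlet specification forbids containers from serving WEB-INF contents directly, so this can be stated as a rule rather than a tendency.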
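Review bot: the reflowed devMode paragraph still says "too many informations" (should be "too much information") and "applied to our struts.xml" (should be "your struts.xml"). In the constant sample directly below it, `name ="struts.devMode"` has a space before the equals sign while `value="false"` does not; it is well-formed XML but reads as a typo, so normalise it.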
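Review bot: in the "Reduce logging level" reflow, "for classes that belongs to the framework" should be "that belong to", and "INFO or less" reads oddly for a log level; "INFO or lower" is clearer.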
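Review bot: in the "Do not define setters when not needed" reflow, "thus can leads to potential security vulnerabilities" should be "as this can lead to", and in the localisation paragraph "e.g. in<code>ActionSupport</code>" is missing a space while "allows inject an OGNL expression" should be "allows injecting". The setters paragraph would be actionable if it named the Results it means; "Some Struts Results automatically populate params" gives the reader nothing to check in their own configuration.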
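Review bot: the new "Use Struts tags instead of raw EL expressions" section delegates the actual escaping to an external Stack Overflow answer and closes with "use Struts Tags" without naming one; state the mechanism on the page itself, for instance JSTL's `<c:out>` or `fn:escapeXml` for EL output and `<s:property>`, which HTML-escapes by default, on the Struts side, so the advice survives the external link going stale. In the "Internal security mechanism" paragraph, "a OGNL-wide" should be "an OGNL-wide" and "ie." should be "i.e.".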
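Review bot: the `struts.excludedPackageNames` bullet refers to `startWith`; the `java.lang.String` method is `startsWith`, so fix the identifier while the list is being restructured. "The defaults are as follow" should be "as follows".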
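Review bot: in the MyBean / static methods hunk, "actions which have large inheritance hierarchy" should be "a large inheritance hierarchy", and the sentence ending "is evaluated to java.lang.Class" is missing its full stop. The "Accessing static methods" paragraph says support "will be disabled soon" with no version; on a security page the reader needs the release in which the behaviour changes, or at least the setting that controls it, rather than "soon".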
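Review bot: in the final hunk, "This is do the OGNL limitation" should be "This is due to an OGNL limitation", "and leaving annotation as is to allow call this action via /save.action request" should be "and leave the annotation as is so the action is still reachable via a /save.action request", and "compare patterns used by you with these provided by the framework" should be "those provided". The Javadoc links in "Accepted / Excluded patterns" were switched from absolute struts.apache.org URLs to relative ../maven/... paths, which is good for site moves, but confirm that ../maven/ resolves correctly from /security/ on the deployed site.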