[ 
https://issues.apache.org/jira/browse/WW-3873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rene Gielen updated WW-3873:
----------------------------

    Comment: was deleted

(was: I will be out of the office until July 5th

On Jul 5, 2013, at 7:32 AM, "nathan.comst...@wellsfargo.com (JIRA)" 
<j...@apache.org>
 wrote:

   [ 
https://issues.apache.org/jira/browse/WW-3873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13700844#comment-13700844
 ]

nathan.comst...@wellsfargo.com commented on WW-3873:
----------------------------------------------------

I will be out of the office until July 5th

On Jul 5, 2013, at 7:28 AM, "nathan.comst...@wellsfargo.com (JIRA)" 
<j...@apache.org>
wrote:

  [ 
https://issues.apache.org/jira/browse/WW-3873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13700810#comment-13700810
 ]

nathan.comst...@wellsfargo.com commented on WW-3873:
----------------------------------------------------

I will be out of the office until July 5th

On Jul 5, 2013, at 7:24 AM, "nathan.comst...@wellsfargo.com (JIRA)" 
<j...@apache.org>
wrote:

 [ 
https://issues.apache.org/jira/browse/WW-3873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13700773#comment-13700773
 ]

nathan.comst...@wellsfargo.com commented on WW-3873:
----------------------------------------------------

I will be out of the office until July 5th

On Jul 5, 2013, at 7:21 AM, "nathan.comst...@wellsfargo.com (JIRA)" 
<j...@apache.org>
wrote:

[ 
https://issues.apache.org/jira/browse/WW-3873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13700729#comment-13700729
 ]

nathan.comst...@wellsfargo.com commented on WW-3873:
----------------------------------------------------

I will be out of the office until July 5th

On Jul 5, 2013, at 1:29 AM, "Rene Gielen (JIRA)" <j...@apache.org>
wrote:

[ 
https://issues.apache.org/jira/browse/WW-3873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rene Gielen updated WW-3873:
----------------------------

Assignee: Rene Gielen

file tag leaks server path information
--------------------------------------

           Key: WW-3873
           URL: https://issues.apache.org/jira/browse/WW-3873
       Project: Struts 2
    Issue Type: Bug
Affects Versions: 2.3.4, 2.3.4.1
   Environment: Linux, weblogic 10-12, tomcat 7
      Reporter: Cam Morris
      Assignee: Rene Gielen
      Priority: Minor
       Fix For: 2.3.16

   Attachments: file-leak.png


After a fileupload action, if the result jsp contains a <s:file> tag the value 
attribute is filled in with the server path where the file was saved.  This 
discloses file system information about the server.
To duplicate:
1) Set up the struts2_showcase sample app
2) Change struts-fileupload.xml from this
{code}
<action name="doUpload" class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
    <result name="input">upload.jsp</result>
    <result>upload-success.jsp</result>
</action>
{code}
to this
{code}
<action name="doUpload" class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
    <result name="input">upload.jsp</result>
    <result>upload.jsp</result>
</action>
{code}
3) Deploy & upload a file using the URL struts2-showcase/fileupload/upload.action
4) View source; in the input tag generated by the s:file tag you'll see the 
full path to the file that was uploaded.
{code}
<input type="file" name="upload"
       value="/home/cmorris/Workspace/struts2-examples/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/work/Catalina/localhost/struts2-showcase/upload__1bd5a0ad_13997105f96__8000_00000002.tmp"
       id="doUpload_upload"/>
{code}

Workaround:
A workaround is simple, just add an empty value attribute to the file tag:
{code}
<s:file name="upload" label="File" value=""/>
{code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira


)
    
> file tag leaks server path information
> --------------------------------------
>
>                 Key: WW-3873
>                 URL: https://issues.apache.org/jira/browse/WW-3873
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.4, 2.3.4.1
>         Environment: Linux, weblogic 10-12, tomcat 7
>            Reporter: Cam Morris
>            Assignee: Rene Gielen
>            Priority: Minor
>             Fix For: 2.3.16
>
>         Attachments: file-leak.png
>
>
> After a fileupload action, if the result jsp contains a <s:file> tag the 
> value attribute is filled in with the server path where the file was saved.  
> This discloses file system information about the server.
> To duplicate:
> 1) Set up the struts2_showcase sample app
> 2) Change struts-fileupload.xml from this
> {code}
> <action name="doUpload" class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
>     <result name="input">upload.jsp</result>
>     <result>upload-success.jsp</result>
> </action>
> {code}
> to this
> {code}
> <action name="doUpload" class="org.apache.struts2.showcase.fileupload.FileUploadAction" method="upload">
>     <result name="input">upload.jsp</result>
>     <result>upload.jsp</result>
> </action>
> {code}
> 3) Deploy & upload a file using the URL struts2-showcase/fileupload/upload.action
> 4) View source; in the input tag generated by the s:file tag you'll see the 
> full path to the file that was uploaded.
> {code}
> <input type="file" name="upload"
>        value="/home/cmorris/Workspace/struts2-examples/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/work/Catalina/localhost/struts2-showcase/upload__1bd5a0ad_13997105f96__8000_00000002.tmp"
>        id="doUpload_upload"/>
> {code}
>               
> Workaround:
> A workaround is simple, just add an empty value attribute to the file tag:
> {code}
> <s:file name="upload" label="File" value=""/>
> {code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
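
A regression check for the leak reported in WW-3873, as an added example that is not part of the issue or of Struts: it parses rendered HTML and reports every file input whose value attribute is non-empty. The function names, the sample pages and the path in them are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Absolute Unix path, Windows drive path, or UNC share prefix.
_SERVER_PATH = re.compile(r"^(?:/|[A-Za-z]:[\\/]|\\\\)")


class _FileInputScanner(HTMLParser):
    """Collects <input type="file"> tags that carry a non-empty value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags (<input .../>) are routed here as well.
        if tag != "input":
            return
        attr = {name: (val or "") for name, val in attrs}
        if attr.get("type", "").lower() != "file":
            return
        value = attr.get("value", "").strip()
        if value:
            self.findings.append({
                "line": self.getpos()[0],
                "name": attr.get("name", ""),
                "value": value,
                "looks_like_path": bool(_SERVER_PATH.match(value)),
            })


def find_leaky_file_inputs(html):
    """Return one finding per file input rendered with a populated value."""
    scanner = _FileInputScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: same shape as the tag in the report, placeholder path.
LEAKY_PAGE = """<form action="doUpload.action" method="post">
<input type="text" name="caption" value="holiday"/>
<input type="file" name="upload"
       value="/srv/app/work/upload_constructed_0001.tmp"
       id="doUpload_upload"/>
</form>"""

# Constructed sample: a file input with an empty value (assumed shape).
CLEAN_PAGE = LEAKY_PAGE.replace("/srv/app/work/upload_constructed_0001.tmp", "")

if __name__ == "__main__":
    for finding in find_leaky_file_inputs(LEAKY_PAGE):
        print(finding)
```

Run it over the HTML saved from each page that renders after an upload; any finding means a file input is echoing server-side state back to the client.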
