[
https://issues.apache.org/jira/browse/WW-4774?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15942289#comment-15942289
]
upendar commented on WW-4774:
-----------------------------
Thanks for reproducing the issue ; I did verify the struts logs and its
relative path. Could you please share the solution with code fix as we are
completely blocked and investigating the issue for the past 3 days and still
investigation going .
Also just wanted to share the observation, we initially tried upgrade struts
version from 2.3.1 to 2.3.32 to resolve below issue . we found redirect issue
and also still the below vulnerability is not resolved. Then we upgraded to
2.5.10.1 then redirect issue is still open. Not sure why 2.3.32 not resolved
vulnerability issue.
Now we are with 2.5.10.1 ,Please help us to fix the redirect issue with
2.5.10.1.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
20 Mar 2017 23:23:24,531 [qtp2122964643-20 - /core/account/create] DEBUG
org.apache.struts2.dispatcher.ServletRedirectResult (debug:76) -
[/account/viewdashboard] isn't ab
solute URI, assuming it's a path
20 Mar 2017 23:23:24,531 [qtp2122964643-20 - /core/account/create] DEBUG
org.apache.struts2.dispatcher.ServletRedirectResult (debug:76) - Redirecting
to finalLocation
/core/account/viewdashboard?uar=XXX&accountId=XXXX
> Upgrding Struts 2.3.1 to 2.5.10.1 - Redirect issues HTTPS to HTTP
> ------------------------------------------------------------------
>
> Key: WW-4774
> URL: https://issues.apache.org/jira/browse/WW-4774
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.5.10
> Reporter: upendar
> Priority: Critical
> Fix For: 2.5.next
>
>
> We are upgrading Struts2 from 2.3.1 to 2.5.10.1 ; redirect making https://
> to http:// . The following errors in chrome and IE are seen while redirecting
> from the popup to main window
> redirecting popup (create user) --- main window (viewdashboard) - the URL
> shows https:// to http://
> We are blocked completely due to this issue and need support ASAP. We also
> reviewed the apache server configurations and looks good. Please share the
> fix in detail.
> Error Issue in chrome :
> Mixed Content: The page at
> 'https://XXXXX/XX/XX/viewdashboard?clear&Id=1&uar=44' was loaded over HTTPS,
> but requested an insecure XMLHttpRequest endpoint
> 'http://XXX/XX/XX/viewdashboard?uar=44&Id=1'. This request has been blocked;
> the content must be served over HTTPS.
> Issue in IE
> SEC7127: Redirect was blocked for CORS request.
> File: account
> SCRIPT7002: XMLHttpRequest: Network Error 0x2ef1, Could not complete the
> operation due to error 00002ef1.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
