DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-04-12 15:21 --- (In reply to comment #19) This DoS problem has the deep effect. I think that struts team should release the fixed binary of all 1.2.X ( 1.1?) versions. We have four 1.2.x GA versions (1.2.4, 1.2.7, 1.2.8 and 1.2.9) - is there any reason why people using earlier 1.2.x GA releases can't upgrade to 1.2.9? Since Struts 1.2.9 only just got the bare minimum of 3 votes to release 1.2.9 it seems pretty certain to me that there will be no other releases of earlier patched versions of struts for this issue. Even if we *should* do it, it needs willing committers to want to do it. I don't have any such interest and no-one else has shown any signs of doing so either. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-04-08 08:38 --- (In reply to comment #1) I guess the simplest solution is to change RequestUtil's populate method to ignore parameters starting with multipartRequestHandler. Is this problem specific to Struts or will it affect other frameworks/applications that use BeanUtils 1.7 ? Isn't there another list for discussing security related issues ?. Regards, Anto Paul -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-04-07 16:32 --- This DoS problem has the deep effect. I think that struts team should release the fixed binary of all 1.2.X( 1.1?) versions. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-03-09 04:19 --- Spotted a problem with this change - if the max file size is exceeded, the MultipartRequestHandler in the ActionForm is missing - corrected in the trunk and 1.2.x branch: http://svn.apache.org/viewcvs?rev=384421view=rev http://svn.apache.org/viewcvs?rev=384422view=rev -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DOS attack issue [Was: DO NOT REPLY [Bug 38534] - DOS attack, application hack]
Just wanted to comment that I've submitted a unit test for the DOS attack bug (1.2.x branch) to the unclosed issue, hope it's of use. My day job involves supporting 1.2.x and being able to volunteer time on serious legacy issues, so hopefully I'll be pestering you all a bit more as time goes by :) Very impressed with the -user and -dev responses to the CANCEL bug by the way. Some of the Struts committers I met at ApacheCon had praised the health of the Struts community, but this is the first time I'd seen it in action. Hen On 2/15/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-15 23:37 --- Created an attachment (id=17709) -- (http://issues.apache.org/bugzilla/attachment.cgi?id=17709action=view) Unit Test patch to test issue 38534 Attached is a patch containing a unit test for issue 38534. In particular it contains the unit test, a class for use in the unit test, a MockMultipartRequestHandler, improvements to the MockHttpServletRequest and the necessary additions to the build-tests.xml and project.xml to run the test. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-22 04:34 --- (In reply to comment #14) Thanks for the test case and new mock MultipartRequestHandler - I applied a slighty modified version of the test and made some other cosmetic changes to keep in line with the current trunk. http://svn.apache.org/viewcvs?rev=379660view=rev -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 [EMAIL PROTECTED] changed: What|Removed |Added Status|NEW |RESOLVED Resolution||FIXED --- Additional Comments From [EMAIL PROTECTED] 2006-02-22 04:35 --- Ported the fix for this bug to the current trunk (1.3.x series), including the test case and mock object provided by Henri http://svn.apache.org/viewcvs?rev=379661view=rev Closing as FIXED -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-15 23:37 --- Created an attachment (id=17709) -- (http://issues.apache.org/bugzilla/attachment.cgi?id=17709action=view) Unit Test patch to test issue 38534 Attached is a patch containing a unit test for issue 38534. In particular it contains the unit test, a class for use in the unit test, a MockMultipartRequestHandler, improvements to the MockHttpServletRequest and the necessary additions to the build-tests.xml and project.xml to run the test. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-15 23:39 --- Patch created against the 1.2 branch - apologies for not mentioning that. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-15 05:04 --- Fixed in the 1.2.x branch: http://svn.apache.org/viewcvs?rev=377929view=rev -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-11 17:12 --- So you don't want to patch 1.2? -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-10 20:11 --- Do we want to depreciate the method for 1.3.0, then? -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-11 00:24 --- I guess the simplest solution is to change RequestUtil's populate method to ignore parameters starting with multipartRequestHandler. I've encountered problems like this on all forms. Struts blindly populates the form with any matching request parameter, but many people also populate forms to contain the output data. This data the form should never populate. If we take this particular problem and generalize it, Struts should contain some sort of hook that allows a form to list which properties it should NEVER populate. As with all hooks, it should be extensible and customizable. This could be a callback in a form which returns a map of property names with regex capabilities. Any other suggestions? If not a callback on the form to retrieve a map, what else could we do? I am very interested in this problem too since it affects me with other classes and I try to actively solve this defect. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-11 00:41 --- (In reply to comment #2) Do we want to depreciate the method for 1.3.0, then? The only place its referenced in Struts is in the RequestProcessor's processValidate() method and the corresponding Command (ValidateActionForm) which call the MultipartRequestHandler's rollback() method in the event of validation errors. If we can provide another mechanism to get hold of the MultipartRequestHandler (cache it in the request?) then that should resolve that. On an interesting aside - the CommonsMultipartRequestHandler has a finish() method - which calls rollback() to clean up - the comment on the method says Cleans up at the end of a request - but I can't see thats its called anywhere. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-11 00:43 --- (In reply to comment #3) I've encountered problems like this on all forms. Struts blindly populates the form with any matching request parameter, but many people also populate forms to contain the output data. This data the form should never populate. If we take this particular problem and generalize it, Struts should contain some sort of hook that allows a form to list which properties it should NEVER populate. You can set a prefix and/or suffix on the action mapping to control which parameters are populated. Does that not satisfy this? -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-11 02:59 --- Niall, maybe you can clarify. If the action has a prefix of pre, what happens? Does that mean the form properties must all begin with pre? Or if I say html:text name=foo it outputs input name=prefoo/ ? -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-11 03:08 --- Say you have the following in youe struts-config.xml: action path=... type=... prefix=myBean. suffix=.populate ... /action And you had a field on your form... input type=text name=myBean.customerName.populate / Then struts will only populate parameters that start with myBean. and end with .populate and it strips off the suffix and prefix - so it will try and populate a property named customerName on your ActionForm in this example. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-11 03:36 --- No you're probably right - if someone guesses the prefix/suffix that are being used from other form properties they can still hack around it myBean.multipartRequestHandler.servlet.servletContext.attribute.populate but they would have to guess that prefix/suffixes we're being used -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-11 03:48 --- In Struts 2.x, I would advocate Java 5 annotations to say which properties are populatable (if that's a word). Since 2.x marries the form/action together and in a POJO, I could see more people taking interest in preventing this kind of behavior. For the 1.x branch, I think the easiest solution is to create a blacklist of properties to avoid (getPropertyBlackList)... or a white list (getPropertyWhiteList). Hey, I like developer options. I have think there is a need for these things -- both are purely optional and can be used either to say null, some properties, a single everything element (wildcard asterik). Or we could go more into details such as saying what level of nesting is appropriate. Perhaps I only want to limit to one-level; that would solve the problem attached to this ticket. Summary: [1] Whitelist of properties [2] Blacklist of properties [3] Annotations [4] Nesting level -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 38534] - DOS attack, application hack
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=38534. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND· INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 --- Additional Comments From [EMAIL PROTECTED] 2006-02-11 07:03 --- Changing / customizing the form population mechanism will be much easier if the multipart changes I just proposed are implemented - see Bug 38613. If you look at the changes proposed to AbstractPopulateActionForm it no longer uses RequestUtils.populate (just calls BeanUtils.populate() directly and its in a new method that can be easily overriden: protected void populate(ActionContext context, Map properties, ActionForm actionForm) throws Exception { // Populate the Form BeanUtils.populate(actionForm, properties); } -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug, or are watching the assignee. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]