[VOTE] Struts 2.3.26

2016-03-19 Thread Lukasz Lenart
The Apache Struts 2.3.26 test build is now available. With this release:
- Possible XSS vulnerability in pages not using UTF-8 was fixed, read
more details in S2-028
- Prevents possible RCE when reusing user input in tag's attributes,
see more details in S2-029
- I18NInterceptor narrows selected locale to those available in JVM to
reduce possibility of another XSS vulnerability, see more details in
S2-030
- New ConfigurationProvider type was introduced -
ServletContextAwareConfigurationProvider, see WW-4410
- Setting status code in HttpHeaders isn't ignored anymore, see WW-4545
- Spring BeanPostProcessor(s) are called only once to constructed
objects, see WW-4554
- OGNL was upgraded to version 3.0.13, see WW-4562
- Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568
- A dedicated assembly with minimal set of jars was defined, see WW-4570
- Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
- Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
- MessageStoreInterceptor was refactored to use PreResultListener to
store messages, see WW-4605
- A new annotation was added to support configuring Tiles -
@TilesDefinition, see WW-4606

and a few other small improvements, please see the release notes

Security note:
This release fixes three potential security vulnerabilities as
mentioned in the Version Notes

Release notes:
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.26

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/2.3.26/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond
with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC
members are considered binding. A vote passes if there are at least
three binding +1s and more +1s than -1s.

The vote will remain open for at least 72 hours, longer upon request.
A vote can be amended at any time to upgrade or downgrade the quality
of the release based on future experience. If an initial vote
designates the build as "Beta", the release will be submitted for
mirroring and announced to the user list. Once released as a public
beta, subsequent quality votes on a build may be held on the user
list.

As always, the act of voting carries certain obligations. A binding
vote not only states an opinion, but means that the voter is agreeing
to help do the work.


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

PS. I will close the vote sooner if there are at least 3x +1 binding votes

-
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org



[VOTE] Struts 2.3.27

2016-03-19 Thread Lukasz Lenart
This is the third call in a row with a tiny fix discovered during the test
period, so I'm going to speed things up as there are three security
bulletins addressed with this release.

The Apache Struts 2.3.26 test build is now available. With this release:
- Possible XSS vulnerability in pages not using UTF-8 was fixed, read
more details in S2-028
- Prevents possible RCE when reusing user input in tag's attributes,
see more details in S2-029
- I18NInterceptor narrows selected locale to those available in JVM to
reduce possibility of another XSS vulnerability, see more details in
S2-030
- New ConfigurationProvider type was introduced -
ServletContextAwareConfigurationProvider, see WW-4410
- Setting status code in HttpHeaders isn't ignored anymore, see WW-4545
- Spring BeanPostProcessor(s) are called only once to constructed
objects, see WW-4554
- OGNL was upgraded to version 3.0.13, see WW-4562
- Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568
- A dedicated assembly with minimal set of jars was defined, see WW-4570
- Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
- Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
- MessageStoreInterceptor was refactored to use PreResultListener to
store messages, see WW-4605
- A new annotation was added to support configuring Tiles -
@TilesDefinition, see WW-4606

and a few other small improvements, please see the release notes

Security note:
This release fixes three potential security vulnerabilities as
mentioned in the Version Notes

Release notes:
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.27

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/2.3.27/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond
with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC
members are considered binding. A vote passes if there are at least
three binding +1s and more +1s than -1s.

The vote will remain open for at least 24 hours, longer upon request.
A vote can be amended at any time to upgrade or downgrade the quality
of the release based on future experience. If an initial vote
designates the build as "Beta", the release will be submitted for
mirroring and announced to the user list. Once released as a public
beta, subsequent quality votes on a build may be held on the user
list.

As always, the act of voting carries certain obligations. A binding
vote not only states an opinion, but means that the voter is agreeing
to help do the work.


Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: [VOTE] Struts 2.3.26

2016-03-19 Thread Johannes Geppert
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)

+1 (binding)

Best Regards

Johannes

#
web: http://www.jgeppert.com
twitter: http://twitter.com/jogep


2016-03-17 18:28 GMT+01:00 Lukasz Lenart :

> 2016-03-16 18:05 GMT+01:00 Lukasz Lenart :
> > [ ] Leave at test build
> > [ ] Alpha
> > [ ] Beta
> > [X] General Availability (GA)
>
> +1 (binding)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
>
>


Re: [VOTE] Struts 2.3.27

2016-03-19 Thread Greg Huber
No other choice, as I would rather have my interceptors working.

Quick fix: could leave it in both methods and call it only if
preResultListeners != null? Fix it properly in struts next.

On 18 March 2016 at 14:04, Lukasz Lenart  wrote:

> I see no other way just revert that change and change that was
> introduced to fix the original issue
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> 2016-03-18 14:26 GMT+01:00 Greg Huber :
> > Sorry forget the last email, its rubbish.  Won't work. Thought the code
> was
> > part of the mod, which it is not.
> >
> > On 18 March 2016 at 11:45, Lukasz Lenart 
> wrote:
> >
> >> 2016-03-18 12:29 GMT+01:00 Greg Huber :
> >> > I have tested it without the change (to DefaultActionInvocation) and
> the
> >> > messages work on the redirects. Unless it is confirmed that it is
> >> required
> >> > ie it does not work in its original position, its best not to change
> >> such a
> >> > key program.  In my opinion.
> >>
> >> How do you use MessageStoreInterceptor with redirects? In AUTOMATIC or
> >> STORE mode?
> >> This change is needed to allow AUTOMATIC mode to work with redirects
> >>
> >>
> >>
> https://github.com/apache/struts/blob/master/core/src/main/java/org/apache/struts2/interceptor/MessageStorePreResultListener.java#L72
> >>
> >>
> >> Regards
> >> --
> >> Łukasz
> >> + 48 606 323 122 http://www.lenart.org.pl/
> >>
> >> -
> >> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> >> For additional commands, e-mail: dev-h...@struts.apache.org
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
>
>


Re: [VOTE] Struts 2.3.26

2016-03-19 Thread Greg Huber
From page

https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.26

These cannot be read as it wants a login?

S2-029

and S2-030


On 16 March 2016 at 17:05, Lukasz Lenart  wrote:

> The Apache Struts 2.3.26 test build is now available. With this release:
> - Possible XSS vulnerability in pages not using UTF-8 was fixed, read
> more details in S2-028
> - Prevents possible RCE when reusing user input in tag's attributes,
> see more details in S2-029
> - I18NInterceptor narrows selected locale to those available in JVM to
> reduce possibility of another XSS vulnerability, see more details in
> S2-030
> - New Configurationprovider type was introduced -
> ServletContextAwareConfigurationProvider, see WW-4410
> - Setting status code in HttpHeaders isn't ignored anymore, see WW-4545
> - Spring BeanPostProcessor(s) are called only once to constructed
> objects., see WW-4554
> - OGNL was upgraded to version 3.0.13, see WW-4562
> - Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see
> WW-4568
> - A dedicated assembly with minimal set of jars was defined, see WW-4570
> - Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
> - Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
> - MessageStoreInterceptor was refactored to use PreResultListener to
> store messages, see WW-4605
> - A new annotation was added to support configuring Tiles -
> @TilesDefinition, see WW-4606
>
> and few other small improvements, please see the release notes
>
> Security note:
> This release fixes three potential security vulnerabilities as
> mentioned in the Version Notes
>
> Release notes:
> * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.26
>
> Distribution:
> * https://dist.apache.org/repos/dist/dev/struts/2.3.26/
>
> Maven 2 staging repository:
> * https://repository.apache.org/content/repositories/staging/
>
> Once you have had a chance to review the test build, please respond
> with a vote on its quality:
>
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [ ] General Availability (GA)
>
> Everyone who has tested the build is invited to vote. Votes by PMC
> members are considered binding. A vote passes if there are at least
> three binding +1s and more +1s than -1s.
>
> The vote will remain open for at least 72 hours, longer upon request.
> A vote can be amended at any time to upgrade or downgrade the quality
> of the release based on future experience. If an initial vote
> designates the build as "Beta", the release will be submitted for
> mirroring and announced to the user list. Once released as a public
> beta, subsequent quality votes on a build may be held on the user
> list.
>
> As always, the act of voting carries certain obligations. A binding
> vote not only states an opinion, but means that the voter is agreeing
> to help do the work.
>
>
> Kind regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> PS. I will close the vote sooner if there be at least 3x +1 binding votes
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
>
>


Build failed in Jenkins: Struts-JDK8-master #111

2016-03-19 Thread Apache Jenkins Server
See 

--
Started by an SCM change
[EnvInject] - Loading node environment variables.
Building remotely on H11 (docker Ubuntu ubuntu yahoo-not-h2) in workspace 

 > git rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
 > git config remote.origin.url http://git.apache.org/struts.git # timeout=10
Fetching upstream changes from http://git.apache.org/struts.git
 > git --version # timeout=10
 > git -c core.askpass=true fetch --tags --progress 
 > http://git.apache.org/struts.git +refs/heads/*:refs/remotes/origin/*
 > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
 > git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10
Checking out Revision 88526180375f958ea57eceedb3017f4b7637ef68 
(refs/remotes/origin/master)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f 88526180375f958ea57eceedb3017f4b7637ef68
 > git rev-list 88526180375f958ea57eceedb3017f4b7637ef68 # timeout=10
[locks-and-latches] Checking to see if we really have the locks
[locks-and-latches] Have all the locks, build can start
Parsing POMs
Modules changed, recalculating dependency graph
Established TCP socket on 52990
maven32-agent.jar already up to date
maven32-interceptor.jar already up to date
maven3-interceptor-commons.jar already up to date
[Struts-JDK8-master] $ /bin/java -Xms128m -Xmx768m -XX:MaxPermSize=256m 
-XX:PermSize=128m -cp 
/home/jenkins/jenkins-slave/maven32-agent.jar:/home/jenkins/jenkins-slave/tools/hudson.tasks.Maven_MavenInstallation/maven-3.2.5/boot/plexus-classworlds-2.5.2.jar:/home/jenkins/jenkins-slave/tools/hudson.tasks.Maven_MavenInstallation/maven-3.2.5/conf/logging
 jenkins.maven3.agent.Maven32Main 
/home/jenkins/jenkins-slave/tools/hudson.tasks.Maven_MavenInstallation/maven-3.2.5
 /home/jenkins/jenkins-slave/slave.jar 
/home/jenkins/jenkins-slave/maven32-interceptor.jar 
/home/jenkins/jenkins-slave/maven3-interceptor-commons.jar 52990
[locks-and-latches] Releasing all the locks
[locks-and-latches] All the locks released
ERROR: Failed to parse POMs
java.io.IOException: Cannot run program "/bin/java" (in directory 
": error=2, No such 
file or directory
at java.lang.ProcessBuilder.start(ProcessBuilder.java:1041)
at hudson.Proc$LocalProc.(Proc.java:244)
at hudson.Proc$LocalProc.(Proc.java:216)
at hudson.Launcher$LocalLauncher.launch(Launcher.java:815)
at hudson.Launcher$ProcStarter.start(Launcher.java:381)
at hudson.Launcher$RemoteLaunchCallable.call(Launcher.java:1148)
at hudson.Launcher$RemoteLaunchCallable.call(Launcher.java:1113)
at hudson.remoting.UserRequest.perform(UserRequest.java:120)
at hudson.remoting.UserRequest.perform(UserRequest.java:48)
at hudson.remoting.Request$2.run(Request.java:326)
at 
hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
at ..remote call to H11(Native Method)
at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1416)
at hudson.remoting.UserResponse.retrieve(UserRequest.java:220)
at hudson.remoting.Channel.call(Channel.java:781)
at hudson.Launcher$RemoteLauncher.launch(Launcher.java:928)
at hudson.Launcher$ProcStarter.start(Launcher.java:381)
at 
hudson.maven.AbstractMavenProcessFactory.newProcess(AbstractMavenProcessFactory.java:281)
at hudson.maven.ProcessCache.get(ProcessCache.java:236)
at 
hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:778)
at 
hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
at hudson.model.Run.execute(Run.java:1738)
at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:531)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:410)
Caused by: java.io.IOException: error=2, No such file or directory
at java.lang.UNIXProcess.forkAndExec(Native Method)
at java.lang.UNIXProcess.(UNIXProcess.java:186)
at java.lang.ProcessImpl.start(ProcessImpl.java:130)
at java.lang.ProcessBuilder.start(ProcessBuilder.java:1022)
at hudson.Proc$LocalProc.(Proc.java:244)
at hudson.Proc$LocalProc.(Proc.java:216)
at hudson.Launcher$LocalLauncher.launch(Launcher.java:815)
at hudson.Launcher$ProcStarter.start(Launcher.java:381)
at hudson.Launcher$Rem

Build failed in Jenkins: Struts-JDK7-master #445

2016-03-19 Thread Apache Jenkins Server
See 

--
[...truncated 2066 lines...]

Re: [VOTE] Struts 2.3.27

2016-03-19 Thread Lukasz Lenart
That may work out :) Let me finish with grass and I will dig into this :)

(mobile)
18 Mar 2016 16:38 "Greg Huber" wrote:

> The reason why its not working it needs to know whether it is an
> instanceof ServletRedirectResult in MessageStorePreResultListener.
>
> Rather than use the result (which do do not have) a possible solution is to
> construct what its looking for from the invocation and the use an equals.
>
>
> Map results =
> ((DefaultActionInvocation)invocation).getProxy().getConfig().getResults();
>
> ResultConfig resultConfig = null;
>
> try {
> resultConfig = results.get(resultCode);
> } catch (NullPointerException e) {
> LOG.debug("Got NPE trying to read result configuration for
> resultCode [{}]", resultCode);
> }
>
> boolean isRedirect = false;
> try {
> //isRedirect = invocation.getResult() instanceof
> ServletRedirectResult;
> isRedirect =
>
> "org.apache.struts2.result.ServletRedirectResult".equals(resultConfig.getClassName());
> } catch (Exception e) {
> LOG.warn("Cannot read result!", e);
> }
>
>
>
>
>
>
>
>
>
> On 18 March 2016 at 14:04, Lukasz Lenart  wrote:
>
> > I see no other way just revert that change and change that was
> > introduced to fix the original issue
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
> >
> > 2016-03-18 14:26 GMT+01:00 Greg Huber :
> > > Sorry forget the last email, its rubbish.  Won't work. Thought the code
> > was
> > > part of the mod, which it is not.
> > >
> > > On 18 March 2016 at 11:45, Lukasz Lenart 
> > wrote:
> > >
> > >> 2016-03-18 12:29 GMT+01:00 Greg Huber :
> > >> > I have tested it without the change (to DefaultActionInvocation) and
> > the
> > >> > messages work on the redirects. Unless it is confirmed that it is
> > >> required
> > >> > ie it does not work in its original position, its best not to change
> > >> such a
> > >> > key program.  In my opinion.
> > >>
> > >> How do you use MessageStoreInterceptor with redirects? In AUTOMATIC or
> > >> STORE mode?
> > >> This change is needed to allow AUTOMATIC mode to work with redirects
> > >>
> > >>
> > >>
> >
> https://github.com/apache/struts/blob/master/core/src/main/java/org/apache/struts2/interceptor/MessageStorePreResultListener.java#L72
> > >>
> > >>
> > >> Regards
> > >> --
> > >> Łukasz
> > >> + 48 606 323 122 http://www.lenart.org.pl/
> > >>
> > >> -
> > >> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> > >> For additional commands, e-mail: dev-h...@struts.apache.org
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> > For additional commands, e-mail: dev-h...@struts.apache.org
> >
> >
>


Build failed in Jenkins: Struts-JDK7-master #446

2016-03-19 Thread Apache Jenkins Server
See 

--
[...truncated 3892 lines...]

Re: [VOTE] Struts 2.3.26

2016-03-19 Thread Aleksandr Mashchenko

+1 not binding

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[X] General Availability (GA)

---
Regards,
Aleksandr




[CANCELED] Re: [VOTE] Struts 2.3.27

2016-03-19 Thread Lukasz Lenart
I will call for another vote soon

2016-03-18 10:01 GMT+01:00 Lukasz Lenart :
> This is a third call in row with tiny fix discovered during test
> period so I'm going to speed things up as there are three security
> bulletins addressed with this release.
>
> The Apache Struts 2.3.26 test build is now available. With this release:
> - Possible XSS vulnerability in pages not using UTF-8 was fixed, read
> more details in S2-028
> - Prevents possible RCE when reusing user input in tag's attributes,
> see more details in S2-029
> - I18NInterceptor narrows selected locale to those available in JVM to
> reduce possibility of another XSS vulnerability, see more details in
> S2-030
> - New Configurationprovider type was introduced -
> ServletContextAwareConfigurationProvider, see WW-4410
> - Setting status code in HttpHeaders isn't ignored anymore, see WW-4545
> - Spring BeanPostProcessor(s) are called only once to constructed
> objects., see WW-4554
> - OGNL was upgraded to version 3.0.13, see WW-4562
> - Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568
> - A dedicated assembly with minimal set of jars was defined, see WW-4570
> - Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
> - Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
> - MessageStoreInterceptor was refactored to use PreResultListener to
> store messages, see WW-4605
> - A new annotation was added to support configuring Tiles -
> @TilesDefinition, see WW-4606
>
> and few other small improvements, please see the release notes
>
> Security note:
> This release fixes three potential security vulnerabilities as
> mentioned in the Version Notes
>
> Release notes:
> * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.27
>
> Distribution:
> * https://dist.apache.org/repos/dist/dev/struts/2.3.27/
>
> Maven 2 staging repository:
> * https://repository.apache.org/content/repositories/staging/
>
> Once you have had a chance to review the test build, please respond
> with a vote on its quality:
>
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [ ] General Availability (GA)
>
> Everyone who has tested the build is invited to vote. Votes by PMC
> members are considered binding. A vote passes if there are at least
> three binding +1s and more +1s than -1s.
>
> The vote will remain open for at least 24 hours, longer upon request.
> A vote can be amended at any time to upgrade or downgrade the quality
> of the release based on future experience. If an initial vote
> designates the build as "Beta", the release will be submitted for
> mirroring and announced to the user list. Once released as a public
> beta, subsequent quality votes on a build may be held on the user
> list.
>
> As always, the act of voting carries certain obligations. A binding
> vote not only states an opinion, but means that the voter is agreeing
> to help do the work.
>
>
> Kind regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/



-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: [VOTE] Struts 2.3.27

2016-03-19 Thread Lukasz Lenart
I see no other way, just revert that change and the change that was
introduced to fix the original issue


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2016-03-18 14:26 GMT+01:00 Greg Huber :
> Sorry forget the last email, its rubbish.  Won't work. Thought the code was
> part of the mod, which it is not.
>
> On 18 March 2016 at 11:45, Lukasz Lenart  wrote:
>
>> 2016-03-18 12:29 GMT+01:00 Greg Huber :
>> > I have tested it without the change (to DefaultActionInvocation) and the
>> > messages work on the redirects. Unless it is confirmed that it is
>> required
>> > ie it does not work in its original position, its best not to change
>> such a
>> > key program.  In my opinion.
>>
>> How do you use MessageStoreInterceptor with redirects? In AUTOMATIC or
>> STORE mode?
>> This change is needed to allow AUTOMATIC mode to work with redirects
>>
>>
>> https://github.com/apache/struts/blob/master/core/src/main/java/org/apache/struts2/interceptor/MessageStorePreResultListener.java#L72
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>> For additional commands, e-mail: dev-h...@struts.apache.org




Re: [VOTE] Struts 2.3.27

2016-03-19 Thread Greg Huber
OK.  Have tested it.

bit tidier ... based on DefaultActionInvocation!

    Map<String, ResultConfig> results = null;
    ResultConfig resultConfig = null;

    try {
        // Look up the configuration of the result that is about to be executed
        results = invocation.getProxy().getConfig().getResults();
        resultConfig = results.get(resultCode);
    } catch (NullPointerException e) {
        LOG.debug("Got NPE trying to read result configuration for resultCode [{}]", resultCode);
    }

    boolean isRedirect = false;
    try {
        // isRedirect = invocation.getResult() instanceof ServletRedirectResult;
        // The result object is not available here, so compare the configured class name
        isRedirect = ServletRedirectResult.class.getName().equals(resultConfig.getClassName());
    } catch (Exception e) {
        LOG.warn("Cannot read result configuration!", e);
    }



On 18 March 2016 at 16:57, Lukasz Lenart  wrote:

> That may work out :) Let me finish with grass and I will dig into this :)
>
> (mobile)
> 18 Mar 2016 16:38 "Greg Huber" wrote:
>
> > The reason why its not working it needs to know whether it is an
> > instanceof ServletRedirectResult in MessageStorePreResultListener.
> >
> > Rather than use the result (which do do not have) a possible solution is
> to
> > construct what its looking for from the invocation and the use an equals.
> >
> >
> > Map results =
> >
> ((DefaultActionInvocation)invocation).getProxy().getConfig().getResults();
> >
> > ResultConfig resultConfig = null;
> >
> > try {
> > resultConfig = results.get(resultCode);
> > } catch (NullPointerException e) {
> > LOG.debug("Got NPE trying to read result configuration for
> > resultCode [{}]", resultCode);
> > }
> >
> > boolean isRedirect = false;
> > try {
> > //isRedirect = invocation.getResult() instanceof
> > ServletRedirectResult;
> > isRedirect =
> >
> >
> "org.apache.struts2.result.ServletRedirectResult".equals(resultConfig.getClassName());
> > } catch (Exception e) {
> > LOG.warn("Cannot read result!", e);
> > }
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > On 18 March 2016 at 14:04, Lukasz Lenart 
> wrote:
> >
> > > I see no other way just revert that change and change that was
> > > introduced to fix the original issue
> > >
> > >
> > > Regards
> > > --
> > > Łukasz
> > > + 48 606 323 122 http://www.lenart.org.pl/
> > >
> > > 2016-03-18 14:26 GMT+01:00 Greg Huber :
> > > > Sorry forget the last email, its rubbish.  Won't work. Thought the
> code
> > > was
> > > > part of the mod, which it is not.
> > > >
> > > > On 18 March 2016 at 11:45, Lukasz Lenart 
> > > wrote:
> > > >
> > > >> 2016-03-18 12:29 GMT+01:00 Greg Huber :
> > > >> > I have tested it without the change (to DefaultActionInvocation)
> and
> > > the
> > > >> > messages work on the redirects. Unless it is confirmed that it is
> > > >> required
> > > >> > ie it does not work in its original position, its best not to
> change
> > > >> such a
> > > >> > key program.  In my opinion.
> > > >>
> > > >> How do you use MessageStoreInterceptor with redirects? In AUTOMATIC
> or
> > > >> STORE mode?
> > > >> This change is needed to allow AUTOMATIC mode to work with redirects
> > > >>
> > > >>
> > > >>
> > >
> >
> https://github.com/apache/struts/blob/master/core/src/main/java/org/apache/struts2/interceptor/MessageStorePreResultListener.java#L72
> > > >>
> > > >>
> > > >> Regards
> > > >> --
> > > >> Łukasz
> > > >> + 48 606 323 122 http://www.lenart.org.pl/
> > > >>
> > > >>
> -
> > > >> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> > > >> For additional commands, e-mail: dev-h...@struts.apache.org
> > >
> > > -
> > > To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> > > For additional commands, e-mail: dev-h...@struts.apache.org
> > >
> > >
> >
>
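
Added example (not code from the thread or from the Struts project): the check proposed in the message above compares the configured result class name for exact equality, which does not match a result type that extends the redirect result. The classes below (RedirectResult, ActionRedirectResult, DispatcherResult, ResultConfig) are constructed stand-ins, not Struts types; the sketch compares the exact-name test with a type-based test done on the configured class name alone.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class RedirectResultCheck {

    // Constructed stand-ins for the framework result types discussed in the thread.
    static class RedirectResult {}
    static class ActionRedirectResult extends RedirectResult {} // a redirect subclass
    static class DispatcherResult {}                            // a non-redirect result

    // Stand-in for a result configuration: before the result object is built,
    // only the configured class name is available.
    static final class ResultConfig {
        private final String className;

        ResultConfig(String className) {
            this.className = className;
        }

        String getClassName() {
            return className;
        }
    }

    /** Exact-name comparison, the approach shown in the message above. */
    static boolean isRedirectByName(Map<String, ResultConfig> results, String resultCode) {
        ResultConfig cfg = (results == null) ? null : results.get(resultCode);
        return cfg != null
                && RedirectResult.class.getName().equals(cfg.getClassName());
    }

    /**
     * Type-based comparison: resolve the configured class without running its
     * static initializers, then test whether it is the redirect type or a subclass.
     */
    static boolean isRedirectByType(Map<String, ResultConfig> results, String resultCode) {
        ResultConfig cfg = (results == null) ? null : results.get(resultCode);
        if (cfg == null || cfg.getClassName() == null) {
            return false; // unknown result code or incomplete configuration
        }
        try {
            Class<?> configured = Class.forName(
                    cfg.getClassName(), false, RedirectResultCheck.class.getClassLoader());
            return RedirectResult.class.isAssignableFrom(configured);
        } catch (ClassNotFoundException e) {
            return false; // misconfigured class name: treat as "not a redirect"
        }
    }

    public static void main(String[] args) {
        // Constructed sample configuration: result code -> configured result class.
        Map<String, ResultConfig> results = new LinkedHashMap<>();
        results.put("success", new ResultConfig(DispatcherResult.class.getName()));
        results.put("redirect", new ResultConfig(RedirectResult.class.getName()));
        results.put("redirectAction", new ResultConfig(ActionRedirectResult.class.getName()));
        results.put("broken", new ResultConfig("no.such.ResultClass"));

        String[] codes = {"success", "redirect", "redirectAction", "broken", "missing"};
        for (String code : codes) {
            System.out.println(String.format("%-15s byName=%-5b byType=%b",
                    code,
                    isRedirectByName(results, code),
                    isRedirectByType(results, code)));
        }
    }
}
```

The two checks differ only for the subclass entry; both handle an unknown result code or an unresolvable class name without relying on a caught NullPointerException.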


Re: [VOTE] Struts 2.3.26

2016-03-19 Thread Lukasz Lenart
2016-03-17 9:58 GMT+01:00 Greg Huber :
> From page
>
> https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.26
>
> These cannot be read as it wants a login?

Greg
I've added your username - ghuber - to the struts-committers group in
Confluence so you should be able to access those pages.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




[CANCELED] Re: [VOTE] Struts 2.3.26

2016-03-19 Thread Lukasz Lenart
New call for vote will start soon

2016-03-16 18:05 GMT+01:00 Lukasz Lenart :
> The Apache Struts 2.3.26 test build is now available. With this release:
> - Possible XSS vulnerability in pages not using UTF-8 was fixed, read
> more details in S2-028
> - Prevents possible RCE when reusing user input in tag's attributes,
> see more details in S2-029
> - I18NInterceptor narrows selected locale to those available in JVM to
> reduce possibility of another XSS vulnerability, see more details in
> S2-030
> - New Configurationprovider type was introduced -
> ServletContextAwareConfigurationProvider, see WW-4410
> - Setting status code in HttpHeaders isn't ignored anymore, see WW-4545
> - Spring BeanPostProcessor(s) are called only once to constructed
> objects., see WW-4554
> - OGNL was upgraded to version 3.0.13, see WW-4562
> - Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568
> - A dedicated assembly with minimal set of jars was defined, see WW-4570
> - Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
> - Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
> - MessageStoreInterceptor was refactored to use PreResultListener to
> store messages, see WW-4605
> - A new annotation was added to support configuring Tiles -
> @TilesDefinition, see WW-4606
>
> and few other small improvements, please see the release notes
>
> Security note:
> This release fixes three potential security vulnerabilities as
> mentioned in the Version Notes
>
> Release notes:
> * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.26
>
> Distribution:
> * https://dist.apache.org/repos/dist/dev/struts/2.3.26/
>
> Maven 2 staging repository:
> * https://repository.apache.org/content/repositories/staging/
>
> Once you have had a chance to review the test build, please respond
> with a vote on its quality:
>
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [ ] General Availability (GA)
>
> Everyone who has tested the build is invited to vote. Votes by PMC
> members are considered binding. A vote passes if there are at least
> three binding +1s and more +1s than -1s.
>
> The vote will remain open for at least 72 hours, longer upon request.
> A vote can be amended at any time to upgrade or downgrade the quality
> of the release based on future experience. If an initial vote
> designates the build as "Beta", the release will be submitted for
> mirroring and announced to the user list. Once released as a public
> beta, subsequent quality votes on a build may be held on the user
> list.
>
> As always, the act of voting carries certain obligations. A binding
> vote not only states an opinion, but means that the voter is agreeing
> to help do the work.
>
>
> Kind regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> PS. I will close the vote sooner if there be at least 3x +1 binding votes




Re: Struts 2.3.26

2016-03-19 Thread Christoph Nenning
> Great! Thanks a lot!
> 
> So let's start vote!
> 


[ ] Leave at test build
[ ] Alpha
[ ] Beta
[X] General Availability (GA)

+1, binding



Regards,
Christoph

This Email was scanned by Sophos Anti Virus


Re: [VOTE] Struts 2.3.27

2016-03-19 Thread Greg Huber
The reason why it's not working is that it needs to know whether it is an
instanceof ServletRedirectResult in MessageStorePreResultListener.

Rather than use the result (which we do not have), a possible solution is to
construct what it's looking for from the invocation and then use an equals.


Map<String, ResultConfig> results =
        ((DefaultActionInvocation) invocation).getProxy().getConfig().getResults();

ResultConfig resultConfig = null;

try {
    resultConfig = results.get(resultCode);
} catch (NullPointerException e) {
    LOG.debug("Got NPE trying to read result configuration for resultCode [{}]", resultCode);
}

boolean isRedirect = false;
try {
    // isRedirect = invocation.getResult() instanceof ServletRedirectResult;
    isRedirect =
            "org.apache.struts2.result.ServletRedirectResult".equals(resultConfig.getClassName());
} catch (Exception e) {
    LOG.warn("Cannot read result!", e);
}









On 18 March 2016 at 14:04, Lukasz Lenart  wrote:

> I see no other way just revert that change and change that was
> introduced to fix the original issue
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> 2016-03-18 14:26 GMT+01:00 Greg Huber :
> > Sorry forget the last email, its rubbish.  Won't work. Thought the code
> was
> > part of the mod, which it is not.
> >
> > On 18 March 2016 at 11:45, Lukasz Lenart 
> wrote:
> >
> >> 2016-03-18 12:29 GMT+01:00 Greg Huber :
> >> > I have tested it without the change (to DefaultActionInvocation) and
> the
> >> > messages work on the redirects. Unless it is confirmed that it is
> >> required
> >> > ie it does not work in its original position, its best not to change
> >> such a
> >> > key program.  In my opinion.
> >>
> >> How do you use MessageStoreInterceptor with redirects? In AUTOMATIC or
> >> STORE mode?
> >> This change is needed to allow AUTOMATIC mode to work with redirects
> >>
> >>
> >>
> https://github.com/apache/struts/blob/master/core/src/main/java/org/apache/struts2/interceptor/MessageStorePreResultListener.java#L72
> >>
> >>
> >> Regards
> >> --
> >> Łukasz
> >> + 48 606 323 122 http://www.lenart.org.pl/
> >>


Re: [VOTE] Struts 2.3.28

2016-03-19 Thread Greg Huber
Thanks, redirect messages and interceptor switching correctly now.

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[x] General Availability (GA)

+1 binding

On 18 March 2016 at 20:46, Lukasz Lenart  wrote:

> The Apache Struts 2.3.28 test build is now available. With this release:
> - Possible XSS vulnerability in pages not using UTF-8 was fixed, read
> more details in S2-028
> - Prevents possible RCE when reusing user input in tag's attributes,
> see more details in S2-029
> - I18NInterceptor narrows selected locale to those available in JVM to
> reduce possibility of another XSS vulnerability, see more details in
> S2-030
> - New Configurationprovider type was introduced -
> ServletContextAwareConfigurationProvider, see WW-4410
> - Setting status code in HttpHeaders isn't ignored anymore, see WW-4545
> - Spring BeanPostProcessor(s) are called only once to constructed
> objects., see WW-4554
> - OGNL was upgraded to version 3.0.13, see WW-4562
> - Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see
> WW-4568
> - A dedicated assembly with minimal set of jars was defined, see WW-4570
> - Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
> - Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
> - MessageStoreInterceptor was refactored to use PreResultListener to
> store messages, see WW-4605
> - A new annotation was added to support configuring Tiles -
> @TilesDefinition, see WW-4606
>
> and few other small improvements, please see the release notes
>
> Security note:
> This release fixes three potential security vulnerabilities as
> mentioned in the Version Notes
>
> Release notes:
> * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.28
>
> Distribution:
> * https://dist.apache.org/repos/dist/dev/struts/2.3.28/
>
> Maven 2 staging repository:
> * https://repository.apache.org/content/repositories/staging/
>
> Once you have had a chance to review the test build, please respond
> with a vote on its quality:
>
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [ ] General Availability (GA)
>
> Everyone who has tested the build is invited to vote. Votes by PMC
> members are considered binding. A vote passes if there are at least
> three binding +1s and more +1s than -1s.
>
> The vote will remain open for at least 72 hours, longer upon request.
> A vote can be amended at any time to upgrade or downgrade the quality
> of the release based on future experience. If an initial vote
> designates the build as "Beta", the release will be submitted for
> mirroring and announced to the user list. Once released as a public
> beta, subsequent quality votes on a build may be held on the user
> list.
>
> As always, the act of voting carries certain obligations. A binding
> vote not only states an opinion, but means that the voter is agreeing
> to help do the work.
>
>
> Kind regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>


Re: [VOTE] Struts 2.3.27

2016-03-19 Thread Lukasz Lenart
2016-03-18 12:11 GMT+01:00 Greg Huber :
> checking the source.

Here is the change
https://github.com/apache/struts/commit/9c7b8336685d810a657f3f3c56ad8662dcc85dbf#diff-5

Right now a result is created early, before "PreResultListener"s will
be called. Previously the result was created in "executeResult" method
so that's why you were able to modify "resultCode" in
"PreResultListener". Right now it isn't possible, but honestly,
modifying "resultCode" in "PreResultListener" is out of scope of what
"PreResultListener" should do.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
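
The ordering described above, modelled in plain Java as an added example (not Struts code and not taken from the thread). The class, method and result names are hypothetical stand-ins; only the position of the result lookup relative to the listener loop comes from the discussion.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Simplified model of an invocation; NOT Struts code, all names are hypothetical. */
public class ResultOrderingDemo {

    /** Stand-in for a pre-result listener callback. */
    interface Listener {
        void beforeResult(Invocation invocation, String resultCode);
    }

    static class Invocation {
        private final Map<String, String> results = new HashMap<>();
        private final List<Listener> listeners = new ArrayList<>();
        private final boolean createResultEarly;
        private String resultCode;
        private String result;

        Invocation(boolean createResultEarly) {
            this.createResultEarly = createResultEarly;
            // Constructed sample configuration: result code -> view.
            results.put("success", "/desktop.jsp");
            results.put("success-mobile", "/mobile.jsp");
        }

        void addListener(Listener listener) { listeners.add(listener); }
        void setResultCode(String resultCode) { this.resultCode = resultCode; }
        String getResult() { return result; }

        private String createResult() {
            String view = results.get(resultCode);
            if (view == null) {
                throw new IllegalStateException("No result mapped for code " + resultCode);
            }
            return view;
        }

        String invoke(String actionOutcome) {
            resultCode = actionOutcome;
            if (createResultEarly) {
                result = createResult();   // resolved from the code the action returned
            }
            for (Listener listener : listeners) {
                listener.beforeResult(this, resultCode);
            }
            if (!createResultEarly) {
                result = createResult();   // resolved from whatever the listeners left behind
            }
            return result;
        }
    }

    /** Runs one invocation and reports what the listeners saw and which view was chosen. */
    static String run(boolean createResultEarly) {
        Invocation invocation = new Invocation(createResultEarly);
        List<String> seenByInspector = new ArrayList<>();

        // Listener 1 rewrites the result code, like the "-mobile" interceptor in the thread.
        invocation.addListener((inv, code) -> inv.setResultCode(code + "-mobile"));
        // Listener 2 inspects the resolved result, as a redirect check would need to.
        invocation.addListener((inv, code) -> seenByInspector.add(String.valueOf(inv.getResult())));

        String view = invocation.invoke("success");
        return "inspector saw result=" + seenByInspector.get(0) + ", rendered view=" + view;
    }

    public static void main(String[] args) {
        System.out.println("result created after listeners : " + run(false));
        System.out.println("result created before listeners: " + run(true));
    }
}
```

With the lookup after the listeners, the rewritten code selects the mobile view but the inspecting listener has no result to look at; with the lookup before, the inspector sees the result but the rewrite is ignored.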




Re: [VOTE] Struts 2.3.27

2016-03-19 Thread Greg Huber
just checked the source, and does need reinstating, for me.

// this is needed because the result will be executed, then control will
// return to the Interceptor, which will return above and flow through again
if (!executed) {
    result = createResult(); // <<<

    if (preResultListeners != null) {
        LOG.trace("Executing PreResultListeners for result [#0]", result);

        for (Object preResultListener : preResultListeners) {
            PreResultListener listener = (PreResultListener) preResultListener;

            String _profileKey = "preResultListener: ";
            try {
                UtilTimerStack.push(_profileKey);
                listener.beforeResult(this, resultCode);
            }
            finally {
                UtilTimerStack.pop(_profileKey);
            }
        }
    }

    // now execute the result, if we're supposed to
    if (proxy.getExecuteResult()) {
        executeResult();
    }

    executed = true;
}

On 18 March 2016 at 11:02, Lukasz Lenart  wrote:

> 2016-03-18 11:02 GMT+01:00 Greg Huber :
> > Re-testing this...
> >
> > did the result = createResult(); get reinstated in the
> > DefaultActionInvocation.executeResult(), as my views are not switching
> > correctly.
>
> This is the same as last time when you have been testing SNAPSHOT
> version, nothing changed in that area.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>


[VOTE] Struts 2.3.28

2016-03-19 Thread Lukasz Lenart
The Apache Struts 2.3.28 test build is now available. With this release:
- Possible XSS vulnerability in pages not using UTF-8 was fixed, read
more details in S2-028
- Prevents possible RCE when reusing user input in tag's attributes,
see more details in S2-029
- I18NInterceptor narrows selected locale to those available in JVM to
reduce possibility of another XSS vulnerability, see more details in
S2-030
- New Configurationprovider type was introduced -
ServletContextAwareConfigurationProvider, see WW-4410
- Setting status code in HttpHeaders isn't ignored anymore, see WW-4545
- Spring BeanPostProcessor(s) are called only once to constructed
objects., see WW-4554
- OGNL was upgraded to version 3.0.13, see WW-4562
- Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568
- A dedicated assembly with minimal set of jars was defined, see WW-4570
- Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
- Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
- MessageStoreInterceptor was refactored to use PreResultListener to
store messages, see WW-4605
- A new annotation was added to support configuring Tiles -
@TilesDefinition, see WW-4606

and few other small improvements, please see the release notes

Security note:
This release fixes three potential security vulnerabilities as
mentioned in the Version Notes

Release notes:
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.28

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/2.3.28/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond
with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC
members are considered binding. A vote passes if there are at least
three binding +1s and more +1s than -1s.

The vote will remain open for at least 72 hours, longer upon request.
A vote can be amended at any time to upgrade or downgrade the quality
of the release based on future experience. If an initial vote
designates the build as "Beta", the release will be submitted for
mirroring and announced to the user list. Once released as a public
beta, subsequent quality votes on a build may be held on the user
list.

As always, the act of voting carries certain obligations. A binding
vote not only states an opinion, but means that the voter is agreeing
to help do the work.


Kind regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: [VOTE] Struts 2.3.27

2016-03-19 Thread Greg Huber
STORE

Does moving the create result to the invoke negate the pre-result listener,
just to a result listener?

##


Here is the interceptor that I use. Maybe I can move it around?

import java.util.Collections;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.StrutsStatics;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.MethodFilterInterceptor;
import com.opensymphony.xwork2.interceptor.MethodFilterInterceptorUtil;
import com.opensymphony.xwork2.interceptor.PreResultListener;
import com.opensymphony.xwork2.util.TextParseUtil;

// MobileDeviceRepository, DeviceType and UIAction are application classes not shown here.

/**
 * Adds -mobile to the result.
 *
 * .Tiles-mobile
 *
 */
public class MobileAwareInterceptor extends MethodFilterInterceptor {

    protected Set<String> excludeResults = Collections.emptySet();
    protected Set<String> includeResults = Collections.emptySet();

    /**
     * Instantiates a new mobile aware interceptor.
     */
    public MobileAwareInterceptor() {
    }

    /**
     * @see com.opensymphony.xwork2.interceptor.AbstractInterceptor#intercept(com.opensymphony.xwork2.ActionInvocation)
     */
    public String intercept(ActionInvocation invocation) throws Exception {

        if (applyInterceptor(invocation)) {

            invocation.addPreResultListener(new PreResultListener() {
                public void beforeResult(ActionInvocation invocation,
                        String resultCode) {

                    final ActionContext context = invocation
                            .getInvocationContext();

                    final HttpServletRequest request = (HttpServletRequest) context
                            .get(StrutsStatics.HTTP_REQUEST);

                    // Check if we are a required mobile result
                    if (MobileDeviceRepository.isMobileDevice(request, true)
                            && applyResult(resultCode)) {

                        // Switch to the "<resultCode>-mobile" result
                        invocation.setResultCode(resultCode + "-"
                                + DeviceType.mobile);

                        Object action = invocation.getAction();

                        if (action instanceof UIAction) {

                            UIAction theAction = (UIAction) action;
                            theAction.setMobileAwareResult(true);

                        }
                    }

                }
            });

        }

        return doIntercept(invocation);
    }

    /**
     * @see com.opensymphony.xwork2.interceptor.MethodFilterInterceptor#doIntercept(com.opensymphony.xwork2.ActionInvocation)
     */
    protected String doIntercept(ActionInvocation invocation) throws Exception {

        // just invoke
        return invocation.invoke();
    }

    /**
     * Apply result.
     *
     * @param resultCode
     *            the result code
     *
     * @return true, if successful
     */
    protected boolean applyResult(String resultCode) {

        // Borrow validationInterceptor
        boolean applyResult = MethodFilterInterceptorUtil.applyMethod(
                excludeResults, includeResults, resultCode);
        if (log.isDebugEnabled()) {
            if (!applyResult) {
                log.debug("Skipping Interceptor... Result [" + resultCode
                        + "] found in exclude list.");
            }
        }
        return applyResult;
    }

    /**
     * Gets the exclude results.
     *
     * @return the exclude results
     */
    public Set<String> getExcludeResults() {
        return excludeResults;
    }

    /**
     * Sets the exclude results.
     *
     * @param excludeResults
     *            the new exclude results
     */
    public void setExcludeResults(String excludeResults) {
        this.excludeResults = TextParseUtil
                .commaDelimitedStringToSet(excludeResults);
    }

    /**
     * Gets the include results.
     *
     * @return the include results
     */
    public Set<String> getIncludeResults() {
        return includeResults;
    }

    /**
     * Sets the include results.
     *
     * @param includeResults
     *            the new include results
     */
    public void setIncludeResults(String includeResults) {
        this.includeResults = TextParseUtil
                .commaDelimitedStringToSet(includeResults);
    }

}

On 18 March 2016 at 11:45, Lukasz Lenart  wrote:

> 2016-03-18 12:29 GMT+01:00 Greg Huber :
> > I have tested it without the change (to DefaultActionInvocation) and the
> > messages work on the redirects. Unless it is confirmed that it is
> required
> > ie it does not work in its original position, its best not to change
> such a
> > key program.  In my opinion.
>
> How do you use MessageStoreInterceptor with redirects? In AUTOMATIC or
> STORE mode?
> This change is needed to allow AUTOMATIC mode to work with redirects
>
>
> https://github.com/apache/struts/blob/master/core/src/main/java/org/apache/struts2/interceptor/MessageStorePreResultListener.java#L72
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>


Re: [VOTE] Struts 2.3.27

2016-03-19 Thread Greg Huber
I have tested it without the change (to DefaultActionInvocation) and the
messages work on the redirects. Unless it is confirmed that it is required,
i.e. it does not work in its original position, it's best not to change such a
key program.  In my opinion.

On 18 March 2016 at 11:20, Lukasz Lenart  wrote:

> 2016-03-18 12:11 GMT+01:00 Greg Huber :
> > checking the source.
>
> Here is the change
>
> https://github.com/apache/struts/commit/9c7b8336685d810a657f3f3c56ad8662dcc85dbf#diff-5
>
> right now a result is created early, before "PreResultListener"s will
> be called. Previously the result was created in "executeResult" method
> so that's why you were able to modify "resultCode" in
> "PreResultListener". Right now it isn't possible, but honestly,
> modifying "resultCode" in "PreResultListener" is out of scope of what
> "PreResultListener" should do.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>


Re: [VOTE] Struts 2.3.26

2016-03-19 Thread Greg Huber
[ ] Leave at test build
[ ] Alpha
[ ] Beta
[x] General Availability (GA)

+1 binding

Thanks.

On 16 March 2016 at 17:05, Lukasz Lenart  wrote:

> The Apache Struts 2.3.26 test build is now available. With this release:
> - Possible XSS vulnerability in pages not using UTF-8 was fixed, read
> more details in S2-028
> - Prevents possible RCE when reusing user input in tag's attributes,
> see more details in S2-029
> - I18NInterceptor narrows selected locale to those available in JVM to
> reduce possibility of another XSS vulnerability, see more details in
> S2-030
> - New Configurationprovider type was introduced -
> ServletContextAwareConfigurationProvider, see WW-4410
> - Setting status code in HttpHeaders isn't ignored anymore, see WW-4545
> - Spring BeanPostProcessor(s) are called only once to constructed
> objects., see WW-4554
> - OGNL was upgraded to version 3.0.13, see WW-4562
> - Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see
> WW-4568
> - A dedicated assembly with minimal set of jars was defined, see WW-4570
> - Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
> - Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
> - MessageStoreInterceptor was refactored to use PreResultListener to
> store messages, see WW-4605
> - A new annotation was added to support configuring Tiles -
> @TilesDefinition, see WW-4606
>
> and few other small improvements, please see the release notes
>
> Security note:
> This release fixes three potential security vulnerabilities as
> mentioned in the Version Notes
>
> Release notes:
> * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.26
>
> Distribution:
> * https://dist.apache.org/repos/dist/dev/struts/2.3.26/
>
> Maven 2 staging repository:
> * https://repository.apache.org/content/repositories/staging/
>
> Once you have had a chance to review the test build, please respond
> with a vote on its quality:
>
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [ ] General Availability (GA)
>
> Everyone who has tested the build is invited to vote. Votes by PMC
> members are considered binding. A vote passes if there are at least
> three binding +1s and more +1s than -1s.
>
> The vote will remain open for at least 72 hours, longer upon request.
> A vote can be amended at any time to upgrade or downgrade the quality
> of the release based on future experience. If an initial vote
> designates the build as "Beta", the release will be submitted for
> mirroring and announced to the user list. Once released as a public
> beta, subsequent quality votes on a build may be held on the user
> list.
>
> As always, the act of voting carries certain obligations. A binding
> vote not only states an opinion, but means that the voter is agreeing
> to help do the work.
>
>
> Kind regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> PS. I will close the vote sooner if there be at least 3x +1 binding votes
>


Jenkins build is back to normal : Struts-JDK7-master #447

2016-03-19 Thread Apache Jenkins Server
See 





Jenkins build is back to normal : Struts-JDK8-master #112

2016-03-19 Thread Apache Jenkins Server
See 





Re: [VOTE] Struts 2.3.26

2016-03-19 Thread Christoph Nenning
>The Apache Struts 2.3.26 test build is now available. 

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[X] General Availability (GA)
 
+1, binding



Regards,
Christoph



Re: [VOTE] Struts 2.3.27

2016-03-19 Thread Rene Gielen
+1 GA (binding)

- René

On 18.03.16 at 10:01, Lukasz Lenart wrote:
> This is a third call in row with tiny fix discovered during test
> period so I'm going to speed things up as there are three security
> bulletins addressed with this release.
> 
> The Apache Struts 2.3.26 test build is now available. With this release:
> - Possible XSS vulnerability in pages not using UTF-8 was fixed, read
> more details in S2-028
> - Prevents possible RCE when reusing user input in tag's attributes,
> see more details in S2-029
> - I18NInterceptor narrows selected locale to those available in JVM to
> reduce possibility of another XSS vulnerability, see more details in
> S2-030
> - New Configurationprovider type was introduced -
> ServletContextAwareConfigurationProvider, see WW-4410
> - Setting status code in HttpHeaders isn't ignored anymore, see WW-4545
> - Spring BeanPostProcessor(s) are called only once to constructed
> objects., see WW-4554
> - OGNL was upgraded to version 3.0.13, see WW-4562
> - Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see WW-4568
> - A dedicated assembly with minimal set of jars was defined, see WW-4570
> - Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
> - Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
> - MessageStoreInterceptor was refactored to use PreResultListener to
> store messages, see WW-4605
> - A new annotation was added to support configuring Tiles -
> @TilesDefinition, see WW-4606
> 
> and few other small improvements, please see the release notes
> 
> Security note:
> This release fixes three potential security vulnerabilities as
> mentioned in the Version Notes
> 
> Release notes:
> * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.27
> 
> Distribution:
> * https://dist.apache.org/repos/dist/dev/struts/2.3.27/
> 
> Maven 2 staging repository:
> * https://repository.apache.org/content/repositories/staging/
> 
> Once you have had a chance to review the test build, please respond
> with a vote on its quality:
> 
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [ ] General Availability (GA)
> 
> Everyone who has tested the build is invited to vote. Votes by PMC
> members are considered binding. A vote passes if there are at least
> three binding +1s and more +1s than -1s.
> 
> The vote will remain open for at least 24 hours, longer upon request.
> A vote can be amended at any time to upgrade or downgrade the quality
> of the release based on future experience. If an initial vote
> designates the build as "Beta", the release will be submitted for
> mirroring and announced to the user list. Once released as a public
> beta, subsequent quality votes on a build may be held on the user
> list.
> 
> As always, the act of voting carries certain obligations. A binding
> vote not only states an opinion, but means that the voter is agreeing
> to help do the work.
> 
> 
> Kind regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 

-- 
René Gielen
http://twitter.com/rgielen




Re: [VOTE] Struts 2.3.26

2016-03-19 Thread Lukasz Lenart
2016-03-16 18:05 GMT+01:00 Lukasz Lenart :
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)

+1 (binding)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: [VOTE] Struts 2.3.27

2016-03-19 Thread Greg Huber
Sorry, forget the last email, it's rubbish.  Won't work. Thought the code was
part of the mod, which it is not.

On 18 March 2016 at 11:45, Lukasz Lenart  wrote:

> 2016-03-18 12:29 GMT+01:00 Greg Huber :
> > I have tested it without the change (to DefaultActionInvocation) and the
> > messages work on the redirects. Unless it is confirmed that it is
> required
> > ie it does not work in its original position, its best not to change
> such a
> > key program.  In my opinion.
>
> How do you use MessageStoreInterceptor with redirects? In AUTOMATIC or
> STORE mode?
> This change is needed to allow AUTOMATIC mode to work with redirects
>
>
> https://github.com/apache/struts/blob/master/core/src/main/java/org/apache/struts2/interceptor/MessageStorePreResultListener.java#L72
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>


Re: [VOTE] Struts 2.3.27

2016-03-19 Thread Greg Huber
Re-testing this...

Did the result = createResult(); get reinstated in the
DefaultActionInvocation.executeResult(), as my views are not switching
correctly?

The message on the redirect works OK. Part of the pre result listener mods.




On 18 March 2016 at 09:01, Lukasz Lenart  wrote:

> This is a third call in row with tiny fix discovered during test
> period so I'm going to speed things up as there are three security
> bulletins addressed with this release.
>
> The Apache Struts 2.3.26 test build is now available. With this release:
> - Possible XSS vulnerability in pages not using UTF-8 was fixed, read
> more details in S2-028
> - Prevents possible RCE when reusing user input in tag's attributes,
> see more details in S2-029
> - I18NInterceptor narrows selected locale to those available in JVM to
> reduce possibility of another XSS vulnerability, see more details in
> S2-030
> - New Configurationprovider type was introduced -
> ServletContextAwareConfigurationProvider, see WW-4410
> - Setting status code in HttpHeaders isn't ignored anymore, see WW-4545
> - Spring BeanPostProcessor(s) are called only once to constructed
> objects., see WW-4554
> - OGNL was upgraded to version 3.0.13, see WW-4562
> - Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see
> WW-4568
> - A dedicated assembly with minimal set of jars was defined, see WW-4570
> - Struts2 Rest plugin properly handles JSESSIONID with DMI, see WW-4585
> - Improved the Struts2 Rest plugin to honor Accept header, see WW-4588
> - MessageStoreInterceptor was refactored to use PreResultListener to
> store messages, see WW-4605
> - A new annotation was added to support configuring Tiles -
> @TilesDefinition, see WW-4606
>
> and few other small improvements, please see the release notes
>
> Security note:
> This release fixes three potential security vulnerabilities as
> mentioned in the Version Notes
>
> Release notes:
> * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.27
>
> Distribution:
> * https://dist.apache.org/repos/dist/dev/struts/2.3.27/
>
> Maven 2 staging repository:
> * https://repository.apache.org/content/repositories/staging/
>
> Once you have had a chance to review the test build, please respond
> with a vote on its quality:
>
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [ ] General Availability (GA)
>
> Everyone who has tested the build is invited to vote. Votes by PMC
> members are considered binding. A vote passes if there are at least
> three binding +1s and more +1s than -1s.
>
> The vote will remain open for at least 24 hours, longer upon request.
> A vote can be amended at any time to upgrade or downgrade the quality
> of the release based on future experience. If an initial vote
> designates the build as "Beta", the release will be submitted for
> mirroring and announced to the user list. Once released as a public
> beta, subsequent quality votes on a build may be held on the user
> list.
>
> As always, the act of voting carries certain obligations. A binding
> vote not only states an opinion, but means that the voter is agreeing
> to help do the work.
>
>
> Kind regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>