[jira] [Commented] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17838859#comment-17838859 ]

Lukasz Lenart commented on WW-5400:
-----------------------------------

Why do you want to inject a class name instead of an existing bean?

> CSP interceptor only allows very limited configuration
> ------------------------------------------------------
>
>                 Key: WW-5400
>                 URL: https://issues.apache.org/jira/browse/WW-5400
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>    Affects Versions: 6.3.0
>            Reporter: Erica Kane
>            Priority: Major
>             Fix For: 6.5.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor
> provides an elegant solution with the and tags. However,
> I want to set my own base-uri. And perhaps make some other changes to the CSP
> headers.
> But these values are not accessible. Only the report-only and report-uri can
> be changed. Even if one is willing to work at the Action level and implement
> a new interface for all of them, I can't change the base-uri. I've seen
> people on Stack Overflow disable it for this reason. I want to use it, but
> could someone please explain how to set the base-uri globally? If not, I will
> likely have to make my own.
> P.S. I will update the documentation page. Nowhere in the description of the
> interceptor does it mention the script and link tags, and without those, it
> is useless!

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915441=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915441 ]

ASF GitHub Bot logged work on WW-5417:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Apr/24 04:59
            Start Date: 19/Apr/24 04:59
    Worklog Time Spent: 10m
      Work Description: jefferyxhy commented on code in PR #915:
URL: https://github.com/apache/struts/pull/915#discussion_r1571794179

## pom.xml: ## @@ -112,7 +112,7 @@ 9.6 2.16.1 2.23.1 -3.3.4 +3.3.5

Review Comment:
   @lukaszlenart updated with 3.3.5. Thanks

Issue Time Tracking
-------------------

    Worklog Id:     (was: 915441)
    Time Spent: 1.5h  (was: 1h 20m)

> Patch OGNL security bugs
> ------------------------
>
>                 Key: WW-5417
>                 URL: https://issues.apache.org/jira/browse/WW-5417
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Major
>             Fix For: 6.5.0
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915442=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915442 ]

ASF GitHub Bot logged work on WW-5417:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Apr/24 04:59
            Start Date: 19/Apr/24 04:59
    Worklog Time Spent: 10m
      Work Description: jefferyxhy commented on code in PR #915:
URL: https://github.com/apache/struts/pull/915#discussion_r1571794402

## pom.xml: ## @@ -112,7 +112,7 @@ 9.6 2.16.1 2.23.1 -3.3.4 +3.3.4-atlassian-1

Review Comment:
   Updated. Thanks

Issue Time Tracking
-------------------

    Worklog Id:     (was: 915442)
    Time Spent: 1h 40m  (was: 1.5h)

> Patch OGNL security bugs
> ------------------------
>
>                 Key: WW-5417
>                 URL: https://issues.apache.org/jira/browse/WW-5417
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Major
>             Fix For: 6.5.0
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915438=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915438 ]

ASF GitHub Bot logged work on WW-5417:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Apr/24 04:55
            Start Date: 19/Apr/24 04:55
    Worklog Time Spent: 10m
      Work Description: lukaszlenart commented on code in PR #915:
URL: https://github.com/apache/struts/pull/915#discussion_r1571790904

## pom.xml: ## @@ -112,7 +112,7 @@ 9.6 2.16.1 2.23.1 -3.3.4 +3.3.4-atlassian-1

Review Comment:
   Try to use the 3.3.5 version

Issue Time Tracking
-------------------

    Worklog Id:     (was: 915438)
    Time Spent: 1h 20m  (was: 1h 10m)

> Patch OGNL security bugs
> ------------------------
>
>                 Key: WW-5417
>                 URL: https://issues.apache.org/jira/browse/WW-5417
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Major
>             Fix For: 6.5.0
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
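Review bot: the replacement value in this pom.xml hunk, 3.3.4-atlassian-1, is a vendor-suffixed build rather than an upstream release; unless the required fix is confirmed to be absent from the upstream line, pin the upstream release instead (the review comment proposes 3.3.5), so the dependency resolves from the standard repository and the version string matches what published advisories and SCA tooling compare against.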
[jira] [Work logged] (WW-5406) Action excluded patterns are not updated following a configuration reload
[ https://issues.apache.org/jira/browse/WW-5406?focusedWorklogId=915415=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915415 ]

ASF GitHub Bot logged work on WW-5406:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 18/Apr/24 22:37
            Start Date: 18/Apr/24 22:37
    Worklog Time Spent: 10m
      Work Description: kusalk merged PR #917:
URL: https://github.com/apache/struts/pull/917

Issue Time Tracking
-------------------

    Worklog Id:     (was: 915415)
    Time Spent: 2h 50m  (was: 2h 40m)

> Action excluded patterns are not updated following a configuration reload
> -------------------------------------------------------------------------
>
>                 Key: WW-5406
>                 URL: https://issues.apache.org/jira/browse/WW-5406
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.5.0
>
>          Time Spent: 2h 50m
>  Remaining Estimate: 0h
>
> If {{struts.action.excludePattern}} or
> {{struts.action.excludePattern.separator}} are updated during runtime, the
> changes are not reflected in the application behaviour due to these constants
> only being read exactly once. This is not consistent with all other
> configuration which is re-injected following a configuration reload.
[jira] [Updated] (WW-5413) Multipart misbehavior with commons-io 2.16.0 and 2.16.1
[ https://issues.apache.org/jira/browse/WW-5413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Riccardo Proserpio updated WW-5413:
-----------------------------------
    Description:
commons-io 2.16.0 has broken the implementation of DeferredFileOutputStream changing the behavior of its superclass ThresholdingOutputStream: https://issues.apache.org/jira/browse/IO-854

The class is used by commons-fileupload DiskFileItem, that is used by Struts to handle multipart uploads. The issue causes each multipart part to be read as empty.

A fix has been implemented in 2.16.1. However, the fix exposes an issue in how the getFile of JakartaMultiPartRequest uses DiskFileItem, that causes it to mishandle zero length inputs.

The issue is related to
https://issues.apache.org/jira/browse/WW-5088
https://issues.apache.org/jira/browse/WW-5146

Moreover, the fix implemented for these issues seems to be dubious and affects not only file uploads but every field encoded as multipart/form-data: by forcing the diskfileitem threshold to be -1, each and every field was written to the filesystem.

The behavior of threshold -1 was underspecified and inconsistent with the commons-io implementation, and has been specified in 2.16.1.

To really fix the issue, I suggest avoiding specifying -1 on the DiskFileItemFactory and properly handling the case when DiskFileItem.isInMemory() returns true in the JakartaMultiPartRequest.getFile method: in this case getStoreLocation() is defined to return null and the bytes should be read from memory instead.

Avoiding always spilling to disk each and every multipart part should also be a performance win, considering that multipart can also be used to transfer normal form inputs and not only files.

What do you think?

  was:
commons-io 2.16.0 has broken the implementation of DeferredFileOutputStream changing the behavior of its superclass ThresholdingOutputStream: https://issues.apache.org/jira/browse/IO-854

The class is used by commons-fileupload DiskFileItem, that is used by Struts to handle multipart uploads. The issue causes each multipart part to be read as empty.

A fix has been implemented in 2.16.1. However, the fix exposes an issue in how the getFile of JakartaMultiPartRequest uses DiskFileItem, that causes it to mishandle zero length inputs.

The issue is related to
https://issues.apache.org/jira/browse/WW-5088
https://issues.apache.org/jira/browse/WW-5146

Moreover, the fix implemented for these issues seems to be dubious and affects not only file uploads but every field encoded as multipart/form-data: by forcing the diskfileitem threshold to be -1, each and every field was written to the filesystem.

The behavior of threshold -1 was underspecified and inconsistent with the commons-io implementation, and has been specified in 2.16.1.

To really fix the issue, I propose avoiding specifying -1 on the DiskFileItemFactory and properly handling the case when DiskFileItem.isInMemory() returns true in the JakartaMultiPartRequest.getFile method: in this case getStoreLocation() is defined to return null and the bytes should be read from memory instead.

Avoiding always spilling to disk each and every multipart part should also be a performance win, considering that multipart can also be used to transfer normal form inputs and not only files.

What do you think?

> Multipart misbehavior with commons-io 2.16.0 and 2.16.1
> -------------------------------------------------------
>
>                 Key: WW-5413
>                 URL: https://issues.apache.org/jira/browse/WW-5413
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 6.3.0
>            Reporter: Riccardo Proserpio
>            Priority: Major
>             Fix For: 6.5.0
>
>
> commons-io 2.16.0 has broken the implementation of
> DeferredFileOutputStream changing the behavior of its superclass
> ThresholdingOutputStream: https://issues.apache.org/jira/browse/IO-854
>
> The class is used by commons-fileupload DiskFileItem, that is used by Struts
> to handle multipart uploads. The issue causes each multipart part to be read
> as empty.
>
> A fix has been implemented in 2.16.1. However, the fix exposes an issue in
> how the getFile of JakartaMultiPartRequest uses DiskFileItem, that causes it
> to mishandle zero length inputs.
>
> The issue is related to
> https://issues.apache.org/jira/browse/WW-5088
> https://issues.apache.org/jira/browse/WW-5146
>
> Moreover, the fix implemented for these issues seems to be dubious and affects
> not only file uploads but every field encoded as multipart/form-data: by
> forcing the diskfileitem threshold to be -1, each and every field was written
> to the filesystem.
>
> The behavior of threshold -1 was underspecified and inconsistent with the
> commons-io implementation, and has been specified in 2.16.1.
>
> To really fix the issue,
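The handling the reporter proposes above, written out as an added example rather than Struts' own code: a factory that keeps a real size threshold instead of -1, and a reader that copes with parts commons-fileupload kept in memory (where getStoreLocation() is null, which is exactly the zero-length case). It assumes the commons-fileupload 1.x DiskFileItem API and commons-io IOUtils; the class name MultipartPartReader is hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.disk.DiskFileItem;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.io.IOUtils;

/** Hypothetical helper (not part of Struts) illustrating the fix proposed in WW-5413. */
public final class MultipartPartReader {

    private MultipartPartReader() {}

    /**
     * Factory with an explicit threshold: parts up to the threshold stay in memory,
     * larger ones spill to the repository directory. A threshold of -1 (the old
     * Struts setting) made every part, including plain form fields, hit the disk.
     */
    public static DiskFileItemFactory newFactory(File repository) {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setSizeThreshold(DiskFileItemFactory.DEFAULT_SIZE_THRESHOLD); // 10 KiB
        factory.setRepository(repository);
        return factory;
    }

    /**
     * Returns the bytes of a part regardless of where the library stored them.
     * A zero-length part never crosses the threshold, so isInMemory() is true and
     * getStoreLocation() returns null; code that only looks at the store location
     * would fail here, which is the misbehaviour described in the issue.
     */
    public static byte[] readPart(FileItem item) throws IOException {
        if (item.isInMemory()) {
            byte[] data = item.get();                 // in-memory copy; empty array for a 0-byte part
            return data != null ? data : new byte[0];
        }
        if (item instanceof DiskFileItem) {
            File location = ((DiskFileItem) item).getStoreLocation();
            if (location != null && location.isFile()) {
                return Files.readAllBytes(location.toPath());
            }
        }
        // Fallback for any other FileItem implementation: stream it.
        try (InputStream in = item.getInputStream()) {
            return IOUtils.toByteArray(in);
        }
    }
}
```

With this, a getFile-style method can materialise an in-memory part to a temporary file only when a File is genuinely required, instead of forcing every part to disk up front.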
[jira] [Work logged] (WW-5406) Action excluded patterns are not updated following a configuration reload
[ https://issues.apache.org/jira/browse/WW-5406?focusedWorklogId=915303=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915303 ]

ASF GitHub Bot logged work on WW-5406:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 18/Apr/24 12:35
            Start Date: 18/Apr/24 12:35
    Worklog Time Spent: 10m
      Work Description: sonarcloud[bot] commented on PR #917:
URL: https://github.com/apache/struts/pull/917#issuecomment-2063764420

## [Quality Gate Passed](https://sonarcloud.io/dashboard?id=apache_struts=917) **Quality Gate passed**

Issues
- [0 New issues](https://sonarcloud.io/project/issues?id=apache_struts=917=false=true)
- [0 Accepted issues](https://sonarcloud.io/component_measures?id=apache_struts=917=new_accepted_issues=list)

Measures
- [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts=917=false=true)
- [94.1% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=917=new_coverage=list)
- [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=917=new_duplicated_lines_density=list)

[See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=917)

Issue Time Tracking
-------------------

    Worklog Id:     (was: 915303)
    Time Spent: 2h 40m  (was: 2.5h)

> Action excluded patterns are not updated following a configuration reload
> -------------------------------------------------------------------------
>
>                 Key: WW-5406
>                 URL: https://issues.apache.org/jira/browse/WW-5406
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.5.0
>
>          Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> If {{struts.action.excludePattern}} or
> {{struts.action.excludePattern.separator}} are updated during runtime, the
> changes are not reflected in the application behaviour due to these constants
> only being read exactly once. This is not consistent with all other
> configuration which is re-injected following a configuration reload.
[jira] [Work logged] (WW-5406) Action excluded patterns are not updated following a configuration reload
[ https://issues.apache.org/jira/browse/WW-5406?focusedWorklogId=915302=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915302 ]

ASF GitHub Bot logged work on WW-5406:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 18/Apr/24 12:30
            Start Date: 18/Apr/24 12:30
    Worklog Time Spent: 10m
      Work Description: kusalk opened a new pull request, #917:
URL: https://github.com/apache/struts/pull/917

   WW-5406 -- Fixing a minor bug I introduced with #910

Issue Time Tracking
-------------------

    Worklog Id:     (was: 915302)
    Time Spent: 2.5h  (was: 2h 20m)

> Action excluded patterns are not updated following a configuration reload
> -------------------------------------------------------------------------
>
>                 Key: WW-5406
>                 URL: https://issues.apache.org/jira/browse/WW-5406
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.5.0
>
>          Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> If {{struts.action.excludePattern}} or
> {{struts.action.excludePattern.separator}} are updated during runtime, the
> changes are not reflected in the application behaviour due to these constants
> only being read exactly once. This is not consistent with all other
> configuration which is re-injected following a configuration reload.
[jira] [Updated] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0
[ https://issues.apache.org/jira/browse/WW-5419?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Markus Fischer updated WW-5419:
-------------------------------
    Description:
Starting in 6.4.0 a tiles definition in /WEB-INF/tiles.xml is not found automatically anymore.

The problem arises only if the definition in web.xml contains no param section:

org.apache.struts2.tiles.StrutsTilesListener

The workaround is to specify the specific location:

org.apache.struts2.tiles.StrutsTilesListener
org.apache.tiles.definition.DefinitionsFactory.DEFINITIONS_CONFIG
/WEB-INF/tiles.xml

The issue has been introduced by this change:
[https://github.com/apache/struts/pull/896/commits/c7ae614824b4c158b9998575294d94fe9a746c41]

  was:
Starting in 6.4.0 a tiles definition in /WEB-INF/tiles.xml is not found automatically anymore.

The problem arises only if the definition in web.xml is without a param section:

org.apache.struts2.tiles.StrutsTilesListener

The workaround is to specify the specific location:

org.apache.struts2.tiles.StrutsTilesListener
org.apache.tiles.definition.DefinitionsFactory.DEFINITIONS_CONFIG
/WEB-INF/tiles.xml

The issue has been introduced by this change:
[https://github.com/apache/struts/pull/896/commits/c7ae614824b4c158b9998575294d94fe9a746c41|https://github.com/apache/struts/pull/896/commits/c7ae614824b4c158b9998575294d94fe9a746c41]

> Autoloading of tiles.xml fails in Struts-6.4.0
> ----------------------------------------------
>
>                 Key: WW-5419
>                 URL: https://issues.apache.org/jira/browse/WW-5419
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tiles
>    Affects Versions: 6.4.0
>            Reporter: Markus Fischer
>            Priority: Blocker
>             Fix For: 6.5.0
>
>
> Starting in 6.4.0 a tiles definition in
> /WEB-INF/tiles.xml
> is not found automatically anymore.
> The problem arises only if the
> definition in web.xml contains no param section:
>
> org.apache.struts2.tiles.StrutsTilesListener
>
> The workaround is to specify the specific location:
>
> org.apache.struts2.tiles.StrutsTilesListener
> org.apache.tiles.definition.DefinitionsFactory.DEFINITIONS_CONFIG
> /WEB-INF/tiles.xml
>
> The issue has been introduced by this change:
> [https://github.com/apache/struts/pull/896/commits/c7ae614824b4c158b9998575294d94fe9a746c41]
>
[jira] [Created] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0
Markus Fischer created WW-5419:
-----------------------------------

             Summary: Autoloading of tiles.xml fails in Struts-6.4.0
                 Key: WW-5419
                 URL: https://issues.apache.org/jira/browse/WW-5419
             Project: Struts 2
          Issue Type: Bug
          Components: Plugin - Tiles
    Affects Versions: 6.4.0
            Reporter: Markus Fischer
             Fix For: 6.5.0

Starting in 6.4.0 a tiles definition in /WEB-INF/tiles.xml is not found automatically anymore.

The problem arises only if the definition in web.xml is without a param section:

org.apache.struts2.tiles.StrutsTilesListener

The workaround is to specify the specific location:

org.apache.struts2.tiles.StrutsTilesListener
org.apache.tiles.definition.DefinitionsFactory.DEFINITIONS_CONFIG
/WEB-INF/tiles.xml

The issue has been introduced by this change:
[https://github.com/apache/struts/pull/896/commits/c7ae614824b4c158b9998575294d94fe9a746c41|https://github.com/apache/struts/pull/896/commits/c7ae614824b4c158b9998575294d94fe9a746c41]