[jira] [Work logged] (WW-5423) Query Parameters in Multipart Requests not working in v7 M6

2024-06-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5423?focusedWorklogId=921937=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921937
 ]

ASF GitHub Bot logged work on WW-5423:
--

Author: ASF GitHub Bot
Created on: 04/Jun/24 09:59
Start Date: 04/Jun/24 09:59
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #954:
URL: https://github.com/apache/struts/pull/954#issuecomment-2147123378

   Quality Gate failed (SonarCloud analysis of PR #954)
   Failed conditions: C Maintainability Rating on New Code (required ≥ A)
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=954
   




Issue Time Tracking
---

Worklog Id: (was: 921937)
Time Spent: 20m  (was: 10m)

> Query Parameters in Multipart Requests not working in v7 M6
> ---
>
> Key: WW-5423
> URL: https://issues.apache.org/jira/browse/WW-5423
> Project: Struts 2
>  Issue Type: Bug
>Affects Versions: 7.0.0
>Reporter: Philip Crider
>Priority: Major
> Fix For: 7.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> One of the changes in [https://github.com/apache/struts/pull/861] broke query 
> parameters in multipart requests. Their values are being lost.
> This is the old implementation, which returns null if the parameter doesn't 
> exist.
> {code:java}
> public String[] getParameterValues(String name) {
>     List<String> v = params.get(name);
>     if (v != null && !v.isEmpty()) {
>         return v.toArray(new String[0]);
>     }
>     return null;
> }
> {code}
>  
> And this is the new implementation, which returns an empty array in that case.
> {code:java}
> public String[] getParameterValues(String name) {
>     return parameters.getOrDefault(name, Collections.emptyList())
>             .toArray(String[]::new);
> }
> {code}
>  
> This method in MultiPartRequestWrapper is expecting null to be returned in 
> that case.
> {code:java}
> public String[] getParameterValues(String name) {
>     return ((multi == null) || (multi.getParameterValues(name) == null)) ?
>             super.getParameterValues(name) : multi.getParameterValues(name);
> }
> {code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (WW-5423) Query Parameters in Multipart Requests not working in v7 M6

2024-06-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5423?focusedWorklogId=921934=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921934
 ]

ASF GitHub Bot logged work on WW-5423:
--

Author: ASF GitHub Bot
Created on: 04/Jun/24 09:52
Start Date: 04/Jun/24 09:52
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #954:
URL: https://github.com/apache/struts/pull/954

   
   Fixes [WW-5423](https://issues.apache.org/jira/browse/WW-5423)




Issue Time Tracking
---

Worklog Id: (was: 921934)
Remaining Estimate: 0h
Time Spent: 10m

> Query Parameters in Multipart Requests not working in v7 M6
> ---
>
> Key: WW-5423
> URL: https://issues.apache.org/jira/browse/WW-5423
> Project: Struts 2
>  Issue Type: Bug
>Affects Versions: 7.0.0
>Reporter: Philip Crider
>Priority: Major
> Fix For: 7.0.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> One of the changes in [https://github.com/apache/struts/pull/861] broke query 
> parameters in multipart requests. Their values are being lost.
> This is the old implementation, which returns null if the parameter doesn't 
> exist.
> {code:java}
> public String[] getParameterValues(String name) {
>     List<String> v = params.get(name);
>     if (v != null && !v.isEmpty()) {
>         return v.toArray(new String[0]);
>     }
>     return null;
> }
> {code}
>  
> And this is the new implementation, which returns an empty array in that case.
> {code:java}
> public String[] getParameterValues(String name) {
>     return parameters.getOrDefault(name, Collections.emptyList())
>             .toArray(String[]::new);
> }
> {code}
>  
> This method in MultiPartRequestWrapper is expecting null to be returned in 
> that case.
> {code:java}
> public String[] getParameterValues(String name) {
>     return ((multi == null) || (multi.getParameterValues(name) == null)) ?
>             super.getParameterValues(name) : multi.getParameterValues(name);
> }
> {code}
>  
>  





[jira] [Work logged] (WW-5426) Upgrade Apache FreeMarker to version 2.3.33

2024-06-02 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5426?focusedWorklogId=921681=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921681
 ]

ASF GitHub Bot logged work on WW-5426:
--

Author: ASF GitHub Bot
Created on: 03/Jun/24 05:04
Start Date: 03/Jun/24 05:04
Worklog Time Spent: 10m 
  Work Description: lukaszlenart merged PR #953:
URL: https://github.com/apache/struts/pull/953




Issue Time Tracking
---

Worklog Id: (was: 921681)
Remaining Estimate: 0h
Time Spent: 10m

> Upgrade Apache FreeMarker to version 2.3.33
> ---
>
> Key: WW-5426
> URL: https://issues.apache.org/jira/browse/WW-5426
> Project: Struts 2
>  Issue Type: Dependency
>  Components: Core
>Reporter: Lukasz Lenart
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> The Apache FreeMarker community is pleased to announce the release of
> Apache FreeMarker 2.3.33.
> Change log: https://freemarker.apache.org/docs/versions_2_3_33.html





[jira] [Work logged] (WW-5412) Upgrade to Apache Struts Master 15

2024-06-02 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5412?focusedWorklogId=921648=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921648
 ]

ASF GitHub Bot logged work on WW-5412:
--

Author: ASF GitHub Bot
Created on: 02/Jun/24 17:19
Start Date: 02/Jun/24 17:19
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #948:
URL: https://github.com/apache/struts/pull/948#issuecomment-2143950675

   Quality Gate passed (SonarCloud analysis of PR #948)
   Issues: 0 new issues, 0 accepted issues
   Measures: 0 security hotspots, no data about coverage, 0.0% duplication on new code
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=948




Issue Time Tracking
---

Worklog Id: (was: 921648)
Time Spent: 20m  (was: 10m)

> Upgrade to Apache Struts Master 15
> --
>
> Key: WW-5412
> URL: https://issues.apache.org/jira/browse/WW-5412
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Build Management
>Reporter: Lukasz Lenart
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5412) Upgrade to Apache Struts Master 15

2024-06-02 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5412?focusedWorklogId=921647=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921647
 ]

ASF GitHub Bot logged work on WW-5412:
--

Author: ASF GitHub Bot
Created on: 02/Jun/24 17:13
Start Date: 02/Jun/24 17:13
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #948:
URL: https://github.com/apache/struts/pull/948

   Closes [WW-5412](https://issues.apache.org/jira/browse/WW-5412)




Issue Time Tracking
---

Worklog Id: (was: 921647)
Remaining Estimate: 0h
Time Spent: 10m

> Upgrade to Apache Struts Master 15
> --
>
> Key: WW-5412
> URL: https://issues.apache.org/jira/browse/WW-5412
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Build Management
>Reporter: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5424) ClassCastException with tag "set" when variable name has length=1

2024-06-02 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5424?focusedWorklogId=921640=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921640
 ]

ASF GitHub Bot logged work on WW-5424:
--

Author: ASF GitHub Bot
Created on: 02/Jun/24 12:00
Start Date: 02/Jun/24 12:00
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #946:
URL: https://github.com/apache/struts/pull/946#issuecomment-2143819643

   Quality Gate passed (SonarCloud analysis of PR #946)
   Issues: 0 new issues, 0 accepted issues
   Measures: 0 security hotspots, 100.0% coverage on new code, 0.0% duplication on new code
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=946




Issue Time Tracking
---

Worklog Id: (was: 921640)
Time Spent: 20m  (was: 10m)

> ClassCastException with tag "set" when variable name has length=1
> -
>
> Key: WW-5424
> URL: https://issues.apache.org/jira/browse/WW-5424
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Tags
>Affects Versions: 6.4.0
>Reporter: Daniel López
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> I think it is caused by the refactor of WW-5333
> When the tag "set" is used to define a variable whose name is of length 1, a 
> java.lang.ClassCastException (class java.lang.Character cannot be cast to 
> class java.lang.String ) is thrown.
>  
> Test case:
> {code:java}
> // code placeholder
>  a = 
>  b = {code}
> Expected result:
> {code:java}
> // code placeholder
> a = 1
> b = 2{code}
> actual result:
> {code:java}
> a = 1
> b ={code}
> Both "s:set" throw an exception when storing the value in page context. Value 
> of a is retrieved as it is successfully saved in default context.
> Exception trace
> {code:java}
> Error setting value [2] with expression [#attr['b']]
> java.lang.ClassCastException: class java.lang.Character cannot be cast to class java.lang.String (java.lang.Character and java.lang.String are in module java.base of loader 'bootstrap')
>     at org.apache.struts2.dispatcher.AttributeMap.put(AttributeMap.java:46) ~[struts2-core-6.4.0.jar:6.4.0]
>     at com.opensymphony.xwork2.ognl.accessor.XWorkMapPropertyAccessor.setProperty(XWorkMapPropertyAccessor.java:130) ~[struts2-core-6.4.0.jar:6.4.0]
>     at ognl.OgnlRuntime.setProperty(OgnlRuntime.java:3359) ~[ognl-3.3.4.jar:?]
>     at ognl.ASTProperty.setValueBody(ASTProperty.java:134) ~[ognl-3.3.4.jar:?]
>     at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220) ~[ognl-3.3.4.jar:?]
>     at ognl.SimpleNode.setValue(SimpleNode.java:308) ~[ognl-3.3.4.jar:?]
>     at ognl.ASTChain.setValueBody(ASTChain.java:227) ~[ognl-3.3.4.jar:?]
>     at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220) ~[ognl-3.3.4.jar:?]
>     at ognl.SimpleNode.setValue(SimpleNode.java:308) ~[ognl-3.3.4.jar:?]
>     at ognl.Ognl.setValue(Ognl.java:829) ~[ognl-3.3.4.jar:?]
>     at com.opensymphony.xwork2.ognl.OgnlUtil.ognlSet(OgnlUtil.java:585) ~[struts2-core-6.4.0.jar:6.4.0]
>     at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:522) ~[struts2-core-6.4.0.jar:6.4.0]
>     at com.opensymphony.xwork2.ognl.OgnlValueStack.trySetValue(OgnlValueStack.java:258) [struts2-core-6.4.0.jar:6.4.0]
>     at com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:245) [struts2-core-6.4.0.jar:6.4.0]
>     at org.apache.struts2.components.Set.end(Set.java:113) [struts2-core-6.4.0.jar:6.4.0]
>     at 
> 

[jira] [Work logged] (WW-5424) ClassCastException with tag "set" when variable name has length=1

2024-06-02 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5424?focusedWorklogId=921638=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921638
 ]

ASF GitHub Bot logged work on WW-5424:
--

Author: ASF GitHub Bot
Created on: 02/Jun/24 11:54
Start Date: 02/Jun/24 11:54
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #946:
URL: https://github.com/apache/struts/pull/946

   Closes [WW-5424](https://issues.apache.org/jira/browse/WW-5424)




Issue Time Tracking
---

Worklog Id: (was: 921638)
Remaining Estimate: 0h
Time Spent: 10m

> ClassCastException with tag "set" when variable name has length=1
> -
>
> Key: WW-5424
> URL: https://issues.apache.org/jira/browse/WW-5424
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Tags
>Affects Versions: 6.4.0
>Reporter: Daniel López
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> I think it is caused by the refactor of WW-5333
> When the tag "set" is used to define a variable whose name is of length 1, a 
> java.lang.ClassCastException (class java.lang.Character cannot be cast to 
> class java.lang.String ) is thrown.
>  
> Test case:
> {code:java}
> // code placeholder
>  a = 
>  b = {code}
> Expected result:
> {code:java}
> // code placeholder
> a = 1
> b = 2{code}
> actual result:
> {code:java}
> a = 1
> b ={code}
> Both "s:set" throw an exception when storing the value in page context. Value 
> of a is retrieved as it is successfully saved in default context.
> Exception trace
> {code:java}
> Error setting value [2] with expression [#attr['b']]
> java.lang.ClassCastException: class java.lang.Character cannot be cast to class java.lang.String (java.lang.Character and java.lang.String are in module java.base of loader 'bootstrap')
>     at org.apache.struts2.dispatcher.AttributeMap.put(AttributeMap.java:46) ~[struts2-core-6.4.0.jar:6.4.0]
>     at com.opensymphony.xwork2.ognl.accessor.XWorkMapPropertyAccessor.setProperty(XWorkMapPropertyAccessor.java:130) ~[struts2-core-6.4.0.jar:6.4.0]
>     at ognl.OgnlRuntime.setProperty(OgnlRuntime.java:3359) ~[ognl-3.3.4.jar:?]
>     at ognl.ASTProperty.setValueBody(ASTProperty.java:134) ~[ognl-3.3.4.jar:?]
>     at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220) ~[ognl-3.3.4.jar:?]
>     at ognl.SimpleNode.setValue(SimpleNode.java:308) ~[ognl-3.3.4.jar:?]
>     at ognl.ASTChain.setValueBody(ASTChain.java:227) ~[ognl-3.3.4.jar:?]
>     at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220) ~[ognl-3.3.4.jar:?]
>     at ognl.SimpleNode.setValue(SimpleNode.java:308) ~[ognl-3.3.4.jar:?]
>     at ognl.Ognl.setValue(Ognl.java:829) ~[ognl-3.3.4.jar:?]
>     at com.opensymphony.xwork2.ognl.OgnlUtil.ognlSet(OgnlUtil.java:585) ~[struts2-core-6.4.0.jar:6.4.0]
>     at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:522) ~[struts2-core-6.4.0.jar:6.4.0]
>     at com.opensymphony.xwork2.ognl.OgnlValueStack.trySetValue(OgnlValueStack.java:258) [struts2-core-6.4.0.jar:6.4.0]
>     at com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:245) [struts2-core-6.4.0.jar:6.4.0]
>     at org.apache.struts2.components.Set.end(Set.java:113) [struts2-core-6.4.0.jar:6.4.0]
>     at org.apache.struts2.views.jsp.ComponentTagSupport.doEndTag(ComponentTagSupport.java:38) [struts2-core-6.4.0.jar:6.4.0]
> {code}
> When name is of length 1, the key is created as Character not String, and it 
> fails when trying to store it in an AttributeMap, which extends AbstractMap.
>  



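Why a one-character name reaches AttributeMap.put with the wrong key type, as an added Java illustration that is not Struts code: OGNL parses a single-quoted one-character literal such as `'b'` as a java.lang.Character, so `#attr['b']` hands a Character key to a map declared as AbstractMap<String, Object>, and the compiler-generated bridge method's cast fails with exactly the message in the trace above. `AttrMap` is a hypothetical stand-in for AttributeMap, and `putNormalized` is one possible boundary fix (an assumption, not the change made in PR #946).

```java
import java.util.AbstractMap;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/*
 * Added illustration for WW-5424; not Struts code. AttrMap is a hypothetical
 * stand-in for org.apache.struts2.dispatcher.AttributeMap, which is declared
 * as a subclass of AbstractMap<String, Object>.
 */
public class CharacterKeyDemo {

    static final class AttrMap extends AbstractMap<String, Object> {
        private final Map<String, Object> backing = new HashMap<>();

        // javac also emits a bridge put(Object, Object) that casts the key to String
        @Override
        public Object put(String key, Object value) {
            return backing.put(key, value);
        }

        @Override
        public Set<Map.Entry<String, Object>> entrySet() {
            return backing.entrySet();
        }
    }

    /**
     * Possible boundary fix (assumption): normalise whatever key type the expression
     * engine produced to a String before it reaches the typed map.
     */
    static Object putNormalized(Map<String, Object> map, Object key, Object value) {
        return map.put(String.valueOf(key), value);
    }

    @SuppressWarnings({"rawtypes", "unchecked"})
    public static void main(String[] args) {
        AttrMap attrs = new AttrMap();
        Object stringKey = "ab"; // what OGNL produces for the literal 'ab'
        Object charKey = 'b';    // what OGNL produces for the literal 'b': a Character

        // An expression engine calls the map through its erased (raw) interface.
        Map raw = attrs;
        raw.put(stringKey, 1);   // two-character name: String key, succeeds
        try {
            raw.put(charKey, 2); // one-character name: Character key, bridge cast fails
        } catch (ClassCastException e) {
            System.out.println("length-1 name rejected: " + e.getMessage());
        }

        putNormalized(attrs, charKey, 2); // 'b' is stored under the String "b"
        System.out.println("attributes after normalised put: " + attrs);
    }
}
```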


[jira] [Work logged] (WW-5425) Bump jackson.version from 2.16.1 to 2.17.1

2024-05-31 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5425?focusedWorklogId=921616=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921616
 ]

ASF GitHub Bot logged work on WW-5425:
--

Author: ASF GitHub Bot
Created on: 01/Jun/24 05:05
Start Date: 01/Jun/24 05:05
Worklog Time Spent: 10m 
  Work Description: lukaszlenart merged PR #944:
URL: https://github.com/apache/struts/pull/944




Issue Time Tracking
---

Worklog Id: (was: 921616)
Remaining Estimate: 0h
Time Spent: 10m

> Bump jackson.version from 2.16.1 to 2.17.1
> --
>
> Key: WW-5425
> URL: https://issues.apache.org/jira/browse/WW-5425
> Project: Struts 2
>  Issue Type: Dependency
>  Components: Plugin - JSON
>Reporter: Lukasz Lenart
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5388) Upgrade Commons Fileupload to FileUpload Jakarta Servlet 6

2024-05-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5388?focusedWorklogId=920261=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-920261
 ]

ASF GitHub Bot logged work on WW-5388:
--

Author: ASF GitHub Bot
Created on: 21/May/24 15:32
Start Date: 21/May/24 15:32
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #861:
URL: https://github.com/apache/struts/pull/861#discussion_r1608537187


##
core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java:
##
@@ -171,4 +298,109 @@ protected String getCanonicalName(final String 
originalFileName) {
 return fileName;
 }
 
+protected String sanitizeNewlines(String before) {
+return before.replaceAll("\\R", "_");
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getErrors()
+ */
+public List getErrors() {
+return errors;
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFileParameterNames()
+ */
+public Enumeration getFileParameterNames() {
+return Collections.enumeration(uploadedFiles.keySet());
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getContentType(java.lang.String)
+ */
+public String[] getContentType(String fieldName) {
+return uploadedFiles.getOrDefault(fieldName, 
Collections.emptyList()).stream()
+.map(UploadedFile::getContentType)
+.toArray(String[]::new);
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFile(java.lang.String)
+ */
+@SuppressWarnings("unchecked")
+public UploadedFile[] getFile(String fieldName) {
+return uploadedFiles.getOrDefault(fieldName, Collections.emptyList())
+.toArray(UploadedFile[]::new);
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFileNames(java.lang.String)
+ */
+public String[] getFileNames(String fieldName) {
+return uploadedFiles.getOrDefault(fieldName, 
Collections.emptyList()).stream()
+.map(file -> getCanonicalName(file.getName()))
+.toArray(String[]::new);
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFilesystemName(java.lang.String)
+ */
+public String[] getFilesystemName(String fieldName) {
+return uploadedFiles.getOrDefault(fieldName, 
Collections.emptyList()).stream()
+.map(UploadedFile::getAbsolutePath)
+.toArray(String[]::new);
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameter(java.lang.String)
+ */
+public String getParameter(String name) {
+List paramValue = parameters.getOrDefault(name, 
Collections.emptyList());
+if (!paramValue.isEmpty()) {
+return paramValue.get(0);
+}
+
+return null;
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameterNames()
+ */
+public Enumeration getParameterNames() {
+return Collections.enumeration(parameters.keySet());
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameterValues(java.lang.String)
+ */
+public String[] getParameterValues(String name) {
+return parameters.getOrDefault(name, Collections.emptyList())
+.toArray(String[]::new);
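Review bot: `getParameterValues(String name)` at the end of this hunk returns an empty array when `parameters` has no entry for `name`, whereas `getParameter(String name)` a few lines above returns null in the same situation, so the two accessors now disagree on how a missing parameter is reported; the empty-array result also defeats any caller that tests for null to decide whether to fall back to the servlet request's own parameters (the wrapper's `multi.getParameterValues(name) == null` check quoted elsewhere in this thread), which is how query-string parameters of a multipart request end up lost. Either return null when the list is empty, mirroring `getParameter`, or document the new contract and change the wrapper to fall back on null or empty.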

Review Comment:
   @criderp please register this bug in 
[JIRA](https://issues.apache.org/jira/browse/WW), thanks!





Issue Time Tracking
---

Worklog Id: (was: 920261)
Time Spent: 11h 20m  (was: 11h 10m)

> Upgrade Commons Fileupload to FileUpload Jakarta Servlet 6
> --
>
> Key: WW-5388
> URL: https://issues.apache.org/jira/browse/WW-5388
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Lukasz Lenart
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 7.0.0
>
>  Time Spent: 11h 20m
>  Remaining Estimate: 0h
>
> There is a new version of JakartaEE FileUpload
> {code:xml}
> <dependency>
>   <groupId>org.apache.commons</groupId>
>   <artifactId>commons-fileupload2-jakarta-servlet6</artifactId>
>   <version>2.0.0-M2</version>
> </dependency>
> {code}





[jira] [Work logged] (WW-5388) Upgrade Commons Fileupload to FileUpload Jakarta Servlet 6

2024-05-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5388?focusedWorklogId=920249=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-920249
 ]

ASF GitHub Bot logged work on WW-5388:
--

Author: ASF GitHub Bot
Created on: 21/May/24 15:11
Start Date: 21/May/24 15:11
Worklog Time Spent: 10m 
  Work Description: criderp commented on code in PR #861:
URL: https://github.com/apache/struts/pull/861#discussion_r1608506180


##
core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java:
##
@@ -171,4 +298,109 @@ protected String getCanonicalName(final String 
originalFileName) {
 return fileName;
 }
 
+protected String sanitizeNewlines(String before) {
+return before.replaceAll("\\R", "_");
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getErrors()
+ */
+public List getErrors() {
+return errors;
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFileParameterNames()
+ */
+public Enumeration getFileParameterNames() {
+return Collections.enumeration(uploadedFiles.keySet());
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getContentType(java.lang.String)
+ */
+public String[] getContentType(String fieldName) {
+return uploadedFiles.getOrDefault(fieldName, 
Collections.emptyList()).stream()
+.map(UploadedFile::getContentType)
+.toArray(String[]::new);
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFile(java.lang.String)
+ */
+@SuppressWarnings("unchecked")
+public UploadedFile[] getFile(String fieldName) {
+return uploadedFiles.getOrDefault(fieldName, Collections.emptyList())
+.toArray(UploadedFile[]::new);
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFileNames(java.lang.String)
+ */
+public String[] getFileNames(String fieldName) {
+return uploadedFiles.getOrDefault(fieldName, 
Collections.emptyList()).stream()
+.map(file -> getCanonicalName(file.getName()))
+.toArray(String[]::new);
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFilesystemName(java.lang.String)
+ */
+public String[] getFilesystemName(String fieldName) {
+return uploadedFiles.getOrDefault(fieldName, 
Collections.emptyList()).stream()
+.map(UploadedFile::getAbsolutePath)
+.toArray(String[]::new);
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameter(java.lang.String)
+ */
+public String getParameter(String name) {
+List paramValue = parameters.getOrDefault(name, 
Collections.emptyList());
+if (!paramValue.isEmpty()) {
+return paramValue.get(0);
+}
+
+return null;
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameterNames()
+ */
+public Enumeration getParameterNames() {
+return Collections.enumeration(parameters.keySet());
+}
+
+/* (non-Javadoc)
+ * @see 
org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameterValues(java.lang.String)
+ */
+public String[] getParameterValues(String name) {
+return parameters.getOrDefault(name, Collections.emptyList())
+.toArray(String[]::new);
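Review bot: `getErrors()` hands out the internal `errors` list itself, so any caller can add to or clear the parser's recorded upload errors; return `Collections.unmodifiableList(errors)` or a copy instead. In the same hunk, the `@SuppressWarnings("unchecked")` on `getFile` no longer covers an unchecked operation once the body is `getOrDefault(...).toArray(UploadedFile[]::new)`, and should be dropped so that it does not mask a real warning later.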

Review Comment:
   This change broke query parameters in multipart requests. Their values are 
being lost. The old implementation returned null if the parameter didn't exist, 
but it now returns an empty array. 
`MultiPartRequestWrapper::getParameterValues` relies on the fact that it 
returns null, though, so it's not working correctly anymore.
   
   This is the old implementation:
   ```java
   public String[] getParameterValues(String name) {
       List<String> v = params.get(name);
       if (v != null && !v.isEmpty()) {
           return v.toArray(new String[0]);
       }

       return null;
   }
   ```
   
   And this is the `MultiPartRequestWrapper` method that doesn't work correctly 
after the change:
   ```java
   public String[] getParameterValues(String name) {
       return ((multi == null) || (multi.getParameterValues(name) == null)) ?
               super.getParameterValues(name) : multi.getParameterValues(name);
   }
   ```
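The contract mismatch described in this review comment and in the WW-5423 report earlier on this page, as an added Java illustration that is not Struts code: `MultipartBody` is a hypothetical stand-in for the parsed multipart request and can be switched between the old (null) and new (empty array) behaviour, `wrapperAsQuoted` is the wrapper logic quoted above, and `wrapperHardened` is one possible defensive variant (an assumption, not the change made in PR #954).

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;

/*
 * Added illustration for WW-5423 / PR #861; not Struts code. Shows why a
 * wrapper that falls back to the servlet request only on null loses
 * query-string parameters once the multipart parser returns an empty array.
 */
public class MultipartFallbackDemo {

    /** Hypothetical stand-in for the parsed multipart body. */
    static final class MultipartBody {
        private final Map<String, List<String>> parameters;
        private final boolean nullWhenMissing;

        MultipartBody(Map<String, List<String>> parameters, boolean nullWhenMissing) {
            this.parameters = parameters;
            this.nullWhenMissing = nullWhenMissing;
        }

        String[] getParameterValues(String name) {
            List<String> v = parameters.get(name);
            if (v != null && !v.isEmpty()) {
                return v.toArray(new String[0]);
            }
            // old contract: null for a missing parameter; new contract: empty array
            return nullWhenMissing ? null : new String[0];
        }
    }

    /** The wrapper logic quoted on the page: falls back to the servlet request only on null. */
    static String[] wrapperAsQuoted(MultipartBody multi, Map<String, String[]> queryParams, String name) {
        return (multi == null || multi.getParameterValues(name) == null)
                ? queryParams.get(name)
                : multi.getParameterValues(name);
    }

    /** Defensive variant (assumption, not the PR #954 fix): treat null and empty alike. */
    static String[] wrapperHardened(MultipartBody multi, Map<String, String[]> queryParams, String name) {
        String[] fromBody = (multi == null) ? null : multi.getParameterValues(name);
        return (fromBody == null || fromBody.length == 0) ? queryParams.get(name) : fromBody;
    }

    public static void main(String[] args) {
        // Constructed request: "page=2" in the query string, "title" only in the multipart body.
        Map<String, String[]> query = Map.of("page", new String[] {"2"});
        Map<String, List<String>> body = Map.of("title", List.of("report"));

        MultipartBody oldParser = new MultipartBody(body, true);
        MultipartBody newParser = new MultipartBody(body, false);

        System.out.println("old parser, quoted wrapper, page = "
                + Arrays.toString(wrapperAsQuoted(oldParser, query, "page")));
        System.out.println("new parser, quoted wrapper, page = "
                + Arrays.toString(wrapperAsQuoted(newParser, query, "page")));
        System.out.println("new parser, hardened wrapper, page = "
                + Arrays.toString(wrapperHardened(newParser, query, "page")));
        System.out.println("new parser, hardened wrapper, title = "
                + Arrays.toString(wrapperHardened(newParser, query, "title")));
    }
}
```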





Issue Time Tracking
---

Worklog Id: (was: 920249)
Time Spent: 11h 10m  (was: 11h)

> Upgrade Commons Fileupload to FileUpload Jakarta Servlet 6
> --
>
> Key: WW-5388
> URL: 

[jira] [Work logged] (WW-5415) Struts2 Validator is failing in OGNL with constructor call

2024-05-14 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5415?focusedWorklogId=919371=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-919371
 ]

ASF GitHub Bot logged work on WW-5415:
--

Author: ASF GitHub Bot
Created on: 14/May/24 17:56
Start Date: 14/May/24 17:56
Worklog Time Spent: 10m 
  Work Description: lukaszlenart merged PR #933:
URL: https://github.com/apache/struts/pull/933




Issue Time Tracking
---

Worklog Id: (was: 919371)
Time Spent: 1h  (was: 50m)

> Struts2 Validator is failing in OGNL with constructor call
> --
>
> Key: WW-5415
> URL: https://issues.apache.org/jira/browse/WW-5415
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 6.2.0, 6.3.0
>Reporter: Sebastian Götz
>Assignee: Lukasz Lenart
>Priority: Major
>  Labels: ognl, security, validation, xml
> Fix For: 6.5.0
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> A FieldExpression validator using a constructor call in its OGNL expression 
> fails.
> {code:xml|title=Example validation configuration}
> 
>  "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd;>
> 
> 
> 
> 
>     
> 
> 
> 
> {code}
> When it comes to instantiate the Date object in the above example, the call 
> fails in com.opensymphony.xwork2.ognl.SecurityMemberAccess.isAccessible(Map, 
> Object, Member, String). It seems that a constructor call is not handled here 
> properly.
> {code:java}
> public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
>     LOG.debug("Checking access for [target: {}, member: {}, property: {}]", target, member, propertyName);
>     final int memberModifiers = member.getModifiers();
>     final Class memberClass = member.getDeclaringClass();
>     // target can be null in case of accessing static fields, since OGNL 3.2.8
>     final Class targetClass = Modifier.isStatic(memberModifiers) ? memberClass : target.getClass();
>     if (!memberClass.isAssignableFrom(targetClass)) {
>         throw new IllegalArgumentException("Target does not match member!");
>     }
> {code}
> When the method is called,
>  * {{target}} is the class object for {{java.util.Date}}
>  * {{member}} is a representation of the constructor {{public java.util.Date()}}
>  * {{propertyName}} is null
>  * {{memberModifiers}} evaluates to 1
>  * {{memberClass}} to the class object for {{java.util.Date}}
> This causes the if to resolve to {{false}} and the exception to be thrown. I 
> cannot see how anyone could call any constructor at all.



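The evaluation the reporter walks through, as an added Java illustration that is not Struts code: it runs the quoted target/member consistency check against the `java.util.Date` constructor with the Class object as target, then a constructor-aware variant (an assumption, not the change made in PR #933) that compares the constructor's declaring class with the Class object itself. Only this consistency check is modelled; the remaining allow/deny checks in SecurityMemberAccess are out of scope.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.Date;

/*
 * Added illustration for WW-5415; not Struts code. Reproduces the
 * target-versus-declaring-class comparison quoted from SecurityMemberAccess
 * with the values the report lists for a constructor call.
 */
public class ConstructorTargetCheckDemo {

    /** The comparison as quoted on the page (returns instead of throwing). */
    static boolean targetMatchesAsQuoted(Object target, Member member) {
        int memberModifiers = member.getModifiers();
        Class<?> memberClass = member.getDeclaringClass();
        // For a constructor, target is the Class object, so target.getClass() is java.lang.Class
        Class<?> targetClass = Modifier.isStatic(memberModifiers) ? memberClass : target.getClass();
        return memberClass.isAssignableFrom(targetClass);
    }

    /** Constructor-aware variant (assumption): compare against the Class object itself. */
    static boolean targetMatchesConstructorAware(Object target, Member member) {
        int memberModifiers = member.getModifiers();
        Class<?> memberClass = member.getDeclaringClass();
        Class<?> targetClass;
        if (member instanceof Constructor) {
            targetClass = (target instanceof Class) ? (Class<?>) target : target.getClass();
        } else if (Modifier.isStatic(memberModifiers)) {
            targetClass = memberClass;
        } else {
            targetClass = target.getClass();
        }
        return memberClass.isAssignableFrom(targetClass);
    }

    public static void main(String[] args) throws NoSuchMethodException {
        Member ctor = Date.class.getConstructor(); // public java.util.Date()
        Object target = Date.class;                // the Class object, as in the report

        System.out.println("constructor modifiers = " + ctor.getModifiers());
        System.out.println("target.getClass() = " + target.getClass().getName());
        System.out.println("quoted check accepts constructor: "
                + targetMatchesAsQuoted(target, ctor));
        System.out.println("constructor-aware check accepts constructor: "
                + targetMatchesConstructorAware(target, ctor));

        // Ordinary instance method on a Date instance: both variants agree.
        Member getTime = Date.class.getMethod("getTime");
        System.out.println("quoted check accepts Date.getTime(): "
                + targetMatchesAsQuoted(new Date(), getTime));
    }
}
```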


[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor

2024-05-14 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=919370=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-919370
 ]

ASF GitHub Bot logged work on WW-5414:
--

Author: ASF GitHub Bot
Created on: 14/May/24 17:55
Start Date: 14/May/24 17:55
Worklog Time Spent: 10m 
  Work Description: lukaszlenart merged PR #932:
URL: https://github.com/apache/struts/pull/932




Issue Time Tracking
---

Worklog Id: (was: 919370)
Time Spent: 1h 50m  (was: 1h 40m)

> AfterInvocation of BackgroundProcess is not called when an exception occurs 
> when using ExecuteAndWaitInterceptor
> 
>
> Key: WW-5414
> URL: https://issues.apache.org/jira/browse/WW-5414
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 2.5.30, 6.3.0
>Reporter: Yukio Suzuki
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> In my project, we are using Struts 2.5.x and recently started using the 
> ExecuteAndWaitInterceptor. We have extended BackgroundProcess and overridden 
> the beforeInvocation and afterInvocation methods to perform certain actions 
> before and after the invocation of an action. However, we are facing a 
> problem where afterInvocation is not called when an exception occurs. Here is 
> the relevant code:
>  
> {code:java}
> final Thread t = new Thread(new Runnable() {
>   public void run() {
>     try {
>       beforeInvocation();
>       result = invocation.invokeActionOnly();
>       afterInvocation();
>     } catch (Exception e) {
>       exception = e;
>     }
>     
>     done = true;
>   }
> });
> {code}
> In the existing code, the beforeInvocation and afterInvocation methods set 
> and clear the context, but it seems unintentional that the context is not 
> cleared when an exception occurs.
> {code:java}
> protected void beforeInvocation() throws Exception {
>     ActionContext.setContext(invocation.getInvocationContext());
> }
> protected void afterInvocation() throws Exception {
>     ActionContext.setContext(null);
> }{code}
> One possible improvement is to modify the code as follows, ensuring that 
> afterInvocation is called even when an exception occurs:
> {code:java}
> beforeInvocation();
> try {
>   result = invocation.invokeActionOnly();
> } finally {
>   afterInvocation();
> }{code}
> Alternatively, if compatibility is a concern, you can add an 
> afterInvocation(Throwable t) method and modify the code as follows:
> {code:java}
> beforeInvocation();
> try {
>   result = invocation.invokeActionOnly();
> } catch (Throwable t) {
>   afterInvocation(t);
>   throw t;
> }
> afterInvocation();{code}
> Please consider these modifications to ensure that afterInvocation is called 
> even when an exception occurs.




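The leak described in WW-5414, as an added example that is not Struts code: `FakeActionContext` stands in for the ThreadLocal-backed `ActionContext`, `runLeaky` mirrors the `run()` body quoted in the report, and `runSafe` is the try/finally form proposed there. The single-thread executor, the request ids and the failing action are constructed inputs chosen to show what a reused worker thread still carries after a failed action.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

/**
 * Added example, not Struts code. FakeActionContext stands in for the ThreadLocal-backed
 * com.opensymphony.xwork2.ActionContext; runLeaky mirrors the run() body quoted in the
 * report, runSafe the try/finally form proposed there.
 */
public class BackgroundProcessDemo {

    /** Assumption: a ThreadLocal holder, like the real ActionContext.setContext/getContext. */
    static final class FakeActionContext {
        private static final ThreadLocal<FakeActionContext> CURRENT = new ThreadLocal<>();
        final String requestId;

        FakeActionContext(String requestId) { this.requestId = requestId; }

        static void setContext(FakeActionContext ctx) {
            if (ctx == null) CURRENT.remove(); else CURRENT.set(ctx);
        }

        static FakeActionContext getContext() { return CURRENT.get(); }
    }

    /** Original shape: afterInvocation() sits inside the try, so a throwing action skips it. */
    static Exception runLeaky(FakeActionContext ctx, Callable<String> action) {
        try {
            FakeActionContext.setContext(ctx);      // beforeInvocation()
            action.call();                          // invocation.invokeActionOnly()
            FakeActionContext.setContext(null);     // afterInvocation(), never reached on exception
        } catch (Exception e) {
            return e;
        }
        return null;
    }

    /** Proposed shape: the cleanup is in finally and runs whether or not the action throws. */
    static Exception runSafe(FakeActionContext ctx, Callable<String> action) {
        FakeActionContext.setContext(ctx);          // beforeInvocation()
        try {
            action.call();
        } catch (Exception e) {
            return e;
        } finally {
            FakeActionContext.setContext(null);     // afterInvocation(), always runs
        }
        return null;
    }

    /** Runs one background "request" on the executor and returns the request id still bound to the worker thread. */
    static String contextLeftOnThread(ExecutorService pool, boolean safe,
                                      FakeActionContext ctx, Callable<String> action) throws Exception {
        Future<String> leftover = pool.submit(() -> {
            if (safe) runSafe(ctx, action); else runLeaky(ctx, action);
            FakeActionContext c = FakeActionContext.getContext();
            return c == null ? null : c.requestId;
        });
        return leftover.get();
    }

    public static void main(String[] args) throws Exception {
        // Assumption: one worker thread reused between requests, as any pooled executor would be.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Callable<String> failingAction = () -> { throw new IllegalStateException("action failed"); };
        try {
            String afterLeaky = contextLeftOnThread(pool, false, new FakeActionContext("req-42"), failingAction);
            String afterSafe = contextLeftOnThread(pool, true, new FakeActionContext("req-43"), failingAction);
            System.out.println("context left on worker after leaky run: " + afterLeaky);
            System.out.println("context left on worker after safe run:  " + afterSafe);
        } finally {
            pool.shutdown();
        }
    }
}
```

With the original `new Thread` per process the stale context dies with its thread, but any pooled executor, or any code that reads the context from the worker after the process finishes, sees the previous request's context after a failed action; the first run above leaves `req-42` bound to the worker, the second leaves nothing. That is why the cleanup belongs in `finally` rather than after the call.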

[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale

2024-05-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=919003=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-919003
 ]

ASF GitHub Bot logged work on WW-5422:
--

Author: ASF GitHub Bot
Created on: 13/May/24 06:23
Start Date: 13/May/24 06:23
Worklog Time Spent: 10m 
  Work Description: lukaszlenart merged PR #931:
URL: https://github.com/apache/struts/pull/931




Issue Time Tracking
---

Worklog Id: (was: 919003)
Time Spent: 1h 10m  (was: 1h)

> I18nInterceptor and invalid locale
> --
>
> Key: WW-5422
> URL: https://issues.apache.org/jira/browse/WW-5422
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Andreas Sachs
>Assignee: Lukasz Lenart
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Exception if locale contains trimmable characters:
>  
> E.g. request: 
> request_locale=de%0A
>  
> Code from I18nInterceptor line 187:
>  
> {code:java}
> if (localeProvider.isValidLocaleString(localeStr)) {
>     locale = LocaleUtils.toLocale(localeStr);
> }{code}
>  
> isValidLocaleString returns true because localeStr is trimmed inside the function 
> (locale = LocaleUtils.toLocale(StringUtils.trimToNull(localeStr))), 
> but LocaleUtils.toLocale(localeStr) will throw an exception afterwards.
>  
> {code:java}
> java.lang.IllegalArgumentException: Invalid locale format: de
>         at org.apache.commons.lang3.LocaleUtils.parseLocale(LocaleUtils.java:268) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>         at org.apache.commons.lang3.LocaleUtils.toLocale(LocaleUtils.java:348) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>         at org.apache.struts2.interceptor.I18nInterceptor.getLocaleFromParam(I18nInterceptor.java:188) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
>         at org.apache.struts2.interceptor.I18nInterceptor$SessionLocaleHandler.find(I18nInterceptor.java:321) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
> {code}
>  




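The mismatch reported in WW-5422 (validate a trimmed copy, then parse the raw value), reduced to a self-contained Java program. This is an added example, not code from Struts or commons-lang3: the strict `toLocale` grammar is a simplified stand-in for `LocaleUtils.toLocale`, `isValidLocaleStringBuggy` mirrors the trim-then-parse validator described in the report, and `resolveSafely`, its `maxLen` bound and the sample inputs in `main` are my own assumptions.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.regex.Pattern;

/** Added example, not Struts or commons-lang3 code. */
public class LocaleParamDemo {

    // Assumption: a simplified version of the grammar LocaleUtils.toLocale accepts,
    // language [_COUNTRY [_variant]]. matches() anchors the whole input, so "de\n" is rejected.
    private static final Pattern LOCALE =
            Pattern.compile("[a-z]{2,3}(?:_[A-Z]{2}(?:_[A-Za-z0-9]{1,8})?)?");

    /** Strict parser: throws for anything outside the grammar, as toLocale("de\n") does in the report. */
    static Locale toLocale(String s) {
        if (s == null || !LOCALE.matcher(s).matches()) {
            throw new IllegalArgumentException("Invalid locale format: " + s);
        }
        String[] p = s.split("_", 3);
        if (p.length == 1) return new Locale(p[0]);
        if (p.length == 2) return new Locale(p[0], p[1]);
        return new Locale(p[0], p[1], p[2]);
    }

    /** Mirrors the validator described in the issue: it trims before parsing, so "de\n" is reported valid. */
    static boolean isValidLocaleStringBuggy(String s) {
        String t = s == null ? null : s.trim();
        try {
            toLocale(t == null || t.isEmpty() ? null : t);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    /** The interceptor path from the issue: validate the raw value, then convert the raw value. */
    static Locale resolveLikeInterceptor(String raw) {
        if (isValidLocaleStringBuggy(raw)) {
            return toLocale(raw);   // throws for "de\n": the trimmed copy was validated, not this one
        }
        return null;
    }

    /** Hardened: normalise once, validate and convert the same string, bound the length, never throw. */
    static Optional<Locale> resolveSafely(String raw, int maxLen) {
        if (raw == null) return Optional.empty();
        String s = raw.trim();
        if (s.isEmpty() || s.length() > maxLen) return Optional.empty();
        try {
            return Optional.of(toLocale(s));
        } catch (IllegalArgumentException e) {
            return Optional.empty();   // caller falls back to the session or default locale
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: the report's "de%0A", a padded value, junk, and an oversized one.
        String[] inputs = { "de", "de\n", " en_GB ", "../etc", "x".repeat(300) };
        for (String in : inputs) {
            String shown = in.length() > 16 ? in.substring(0, 16) + "..." : in.replace("\n", "\\n");
            String old;
            try {
                old = String.valueOf(resolveLikeInterceptor(in));
            } catch (IllegalArgumentException e) {
                old = "EXCEPTION: " + e.getMessage().replace("\n", "\\n");
            }
            System.out.printf("%-20s interceptor=%-32s hardened=%s%n",
                    shown, old, resolveSafely(in, 64).orElse(null));
        }
    }
}
```

The practitioner point is that an exception escaping an interceptor turns into an error response for anyone who can set `request_locale`, which is every client. Normalising once and converting the very string that was validated removes the disagreement between the two calls; the length bound and the non-throwing fallback make the parameter unable to fail the request at all.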

[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale

2024-05-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=919000=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-919000
 ]

ASF GitHub Bot logged work on WW-5422:
--

Author: ASF GitHub Bot
Created on: 13/May/24 05:49
Start Date: 13/May/24 05:49
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #931:
URL: https://github.com/apache/struts/pull/931#issuecomment-2106704457

   Quality Gate passed
   Issues: 1 new issue, 0 accepted issues
   Measures: 0 security hotspots, 84.6% coverage on new code, 1.8% duplication on new code
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=931




Issue Time Tracking
---

Worklog Id: (was: 919000)
Time Spent: 1h  (was: 50m)

> I18nInterceptor and invalid locale
> --
>
> Key: WW-5422
> URL: https://issues.apache.org/jira/browse/WW-5422
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Andreas Sachs
>Assignee: Lukasz Lenart
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale

2024-05-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=918998=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918998
 ]

ASF GitHub Bot logged work on WW-5422:
--

Author: ASF GitHub Bot
Created on: 13/May/24 05:28
Start Date: 13/May/24 05:28
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #931:
URL: https://github.com/apache/struts/pull/931#issuecomment-2106684078

   Quality Gate passed
   Issues: 8 new issues, 0 accepted issues
   Measures: 0 security hotspots, 84.6% coverage on new code, 1.8% duplication on new code
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=931




Issue Time Tracking
---

Worklog Id: (was: 918998)
Time Spent: 50m  (was: 40m)

> I18nInterceptor and invalid locale
> --
>
> Key: WW-5422
> URL: https://issues.apache.org/jira/browse/WW-5422
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Andreas Sachs
>Assignee: Lukasz Lenart
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale

2024-05-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=918997=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918997
 ]

ASF GitHub Bot logged work on WW-5422:
--

Author: ASF GitHub Bot
Created on: 13/May/24 05:17
Start Date: 13/May/24 05:17
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #931:
URL: https://github.com/apache/struts/pull/931#issuecomment-2106673873

   Quality Gate failed
   Failed conditions: 73.1% coverage on new code (required ≥ 80%)
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=931




Issue Time Tracking
---

Worklog Id: (was: 918997)
Time Spent: 40m  (was: 0.5h)

> I18nInterceptor and invalid locale
> --
>
> Key: WW-5422
> URL: https://issues.apache.org/jira/browse/WW-5422
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Andreas Sachs
>Assignee: Lukasz Lenart
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5415) Struts2 Validator is failing in OGNL with constructor call

2024-05-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5415?focusedWorklogId=918988=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918988
 ]

ASF GitHub Bot logged work on WW-5415:
--

Author: ASF GitHub Bot
Created on: 13/May/24 02:43
Start Date: 13/May/24 02:43
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #933:
URL: https://github.com/apache/struts/pull/933#issuecomment-2106534361

   Quality Gate failed
   Failed conditions: 57.1% coverage on new code (required ≥ 80%)
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=933




Issue Time Tracking
---

Worklog Id: (was: 918988)
Time Spent: 50m  (was: 40m)

> Struts2 Validator is failing in OGNL with constructor call
> --
>
> Key: WW-5415
> URL: https://issues.apache.org/jira/browse/WW-5415
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 6.2.0, 6.3.0
>Reporter: Sebastian Götz
>Assignee: Lukasz Lenart
>Priority: Major
>  Labels: ognl, security, validation, xml
> Fix For: 6.5.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>
> A FieldExpression validator using a constructor call in its OGNL expression 
> fails.
> {code:xml|title=Example validation configuration}
> 
>  "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd;>
> 
> 
> 
> 
>     
> 
> 
> 
> {code}
> When it comes to instantiate the Date object in the above example, the call 
> fails in com.opensymphony.xwork2.ognl.SecurityMemberAccess.isAccessible(Map, 
> Object, Member, String). It seems that a constructor call is not handled here 
> properly.
> {code:java}
> public boolean isAccessible(Map context, Object target, Member member, String 
> propertyName) {
> LOG.debug("Checking access for [target: {}, member: {}, property: 
> {}]", target, member, propertyName);
> final int memberModifiers = member.getModifiers();
> final Class memberClass = member.getDeclaringClass();
> // target can be null in case of accessing static fields, since OGNL 
> 3.2.8
> final Class targetClass = Modifier.isStatic(memberModifiers) ? 
> memberClass : target.getClass();
> if (!memberClass.isAssignableFrom(targetClass)) {
> throw new IllegalArgumentException("Target does not match 
> member!");
> }
> {code}
> When the method is called,
>  * {{*target*}} is the class object for {{{}java.util.Date{}}}
>  * {{*member*}} is a representation of the constructor {{public 
> java.util.Date()}}
>  * {{*propertyName*}} is null
>  * {{*memberModifiers*}} evaluates to 1
>  * {{*memberClass*}} to the class object for {{{}java.util.Date{}}}
> This causes the {{if}} to resolve to {{false}} and the exception to be thrown. I 
> cannot see how anyone could call any constructor at all.




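The failing consistency check from the WW-5415 description, as an added example that is not Struts or OGNL code: `targetClassOriginal` reproduces the line `Modifier.isStatic(memberModifiers) ? memberClass : target.getClass()` from the report, `targetClassFixed` is my own simplified correction for Constructor members (a constructor is invoked on a Class object, so the Class itself is the target class), and the four reflection cases in `main` are constructed inputs.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Date;

/** Added example, not Struts or OGNL code. */
public class MemberTargetCheckDemo {

    /** As quoted in the issue: the target class is derived only from whether the member is static. */
    static Class<?> targetClassOriginal(Object target, Member member) {
        return Modifier.isStatic(member.getModifiers()) ? member.getDeclaringClass() : target.getClass();
    }

    /**
     * Assumption (simplified correction): when target is a Class and the member is a constructor,
     * compare against that Class, not against Class.class, which is what target.getClass() yields.
     */
    static Class<?> targetClassFixed(Object target, Member member) {
        if (member instanceof Constructor && target instanceof Class) {
            return (Class<?>) target;
        }
        return targetClassOriginal(target, member);
    }

    /** The consistency check itself, returning false where the real code throws, so both variants can be compared. */
    static boolean targetMatchesMember(Class<?> targetClass, Member member) {
        return member.getDeclaringClass().isAssignableFrom(targetClass);
    }

    static boolean check(Object target, Member member, boolean fixed) {
        Class<?> tc = fixed ? targetClassFixed(target, member) : targetClassOriginal(target, member);
        return targetMatchesMember(tc, member);
    }

    public static void main(String[] args) throws Exception {
        // Constructed cases: the report's constructor, an instance method, a static method,
        // and a constructor that does not belong to the target class at all.
        Constructor<Date> dateCtor = Date.class.getConstructor();              // public java.util.Date()
        Method getTime = Date.class.getMethod("getTime");                      // instance method on Date
        Method instantNow = java.time.Instant.class.getMethod("now");          // static method
        Constructor<?> fileCtor = java.io.File.class.getConstructor(String.class);

        Object[][] cases = {
            { Date.class,              dateCtor,   "new java.util.Date() with target Date.class" },
            { new Date(0L),            getTime,    "date.getTime() with a Date instance" },
            { java.time.Instant.class, instantNow, "Instant.now() with target Instant.class" },
            { Date.class,              fileCtor,   "new java.io.File(String) with target Date.class" },
        };
        for (Object[] c : cases) {
            System.out.printf("%-52s original=%-5b fixed=%b%n", c[2],
                    check(c[0], (Member) c[1], false), check(c[0], (Member) c[1], true));
        }
    }
}
```

The first case is the report's: the constructor is not static, so the original derivation yields `Class.class`, and `Date.class.isAssignableFrom(Class.class)` is false. The corrected derivation only makes that consistency check meaningful again; it must not become the accept decision. A constructor reaching this method means an expression is about to run `new X(...)`, so whatever class and package checks the real `isAccessible` applies to instance members still have to be applied to the constructor's declaring class, and the last case shows the corrected check still rejecting a constructor that belongs to a different class than the target.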

[jira] [Work logged] (WW-5415) Struts2 Validator is failing in OGNL with constructor call

2024-05-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5415?focusedWorklogId=918987=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918987
 ]

ASF GitHub Bot logged work on WW-5415:
--

Author: ASF GitHub Bot
Created on: 13/May/24 02:37
Start Date: 13/May/24 02:37
Worklog Time Spent: 10m 
  Work Description: kusalk commented on code in PR #933:
URL: https://github.com/apache/struts/pull/933#discussion_r1597805873


##
core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java:
##
@@ -147,7 +147,7 @@ public boolean isAccessible(Map context, Object target, 
Member member, String pr
 if (target != null) {
 // Special case: Target is a Class object but not Class.class
 if (Class.class.equals(target.getClass()) && 
!Class.class.equals(target)) {
-if (!isStatic(member)) {
+if (!isStatic(member) && Arrays.stream(((Class) 
target).getConstructors()).noneMatch(p -> 
p.getClass().equals(member.getClass( {
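Review bot: the new condition compares `p.getClass()` with `member.getClass()`, that is `java.lang.reflect.Constructor` against the member's own reflection class, so the lambda never compares the constructor `p` to `member` itself; it only establishes that `member` is a Constructor and that `target` declares at least one public constructor, and a constructor declared by some other class than `target` satisfies it the same way. Stating the intent directly, `member instanceof Constructor && member.getDeclaringClass().equals(target)`, checks the thing that matters and avoids reflecting over `getConstructors()` on every access.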

Review Comment:
   Thanks @lukaszlenart for writing the test case - I did indeed overlook the 
constructor case, I've pushed a commit to this PR with the appropriate fix :)





Issue Time Tracking
---

Worklog Id: (was: 918987)
Time Spent: 40m  (was: 0.5h)

> Struts2 Validator is failing in OGNL with constructor call
> --
>
> Key: WW-5415
> URL: https://issues.apache.org/jira/browse/WW-5415
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 6.2.0, 6.3.0
>Reporter: Sebastian Götz
>Assignee: Lukasz Lenart
>Priority: Major
>  Labels: ognl, security, validation, xml
> Fix For: 6.5.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5415) Struts2 Validator is failing in OGNL with constructor call

2024-05-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5415?focusedWorklogId=918959=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918959
 ]

ASF GitHub Bot logged work on WW-5415:
--

Author: ASF GitHub Bot
Created on: 12/May/24 07:55
Start Date: 12/May/24 07:55
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #933:
URL: https://github.com/apache/struts/pull/933#issuecomment-2106156152

   Quality Gate passed
   Issues: 0 new issues, 0 accepted issues
   Measures: 0 security hotspots, 80.0% coverage on new code, 0.0% duplication on new code
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=933




Issue Time Tracking
---

Worklog Id: (was: 918959)
Time Spent: 0.5h  (was: 20m)

> Struts2 Validator is failing in OGNL with constructor call
> --
>
> Key: WW-5415
> URL: https://issues.apache.org/jira/browse/WW-5415
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 6.2.0, 6.3.0
>Reporter: Sebastian Götz
>Assignee: Lukasz Lenart
>Priority: Major
>  Labels: ognl, security, validation, xml
> Fix For: 6.5.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5415) Struts2 Validator is failing in OGNL with constructor call

2024-05-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5415?focusedWorklogId=918958=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918958
 ]

ASF GitHub Bot logged work on WW-5415:
--

Author: ASF GitHub Bot
Created on: 12/May/24 07:50
Start Date: 12/May/24 07:50
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #933:
URL: https://github.com/apache/struts/pull/933#discussion_r1597574627


##
core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java:
##
@@ -147,7 +147,7 @@ public boolean isAccessible(Map context, Object target, 
Member member, String pr
 if (target != null) {
 // Special case: Target is a Class object but not Class.class
 if (Class.class.equals(target.getClass()) && 
!Class.class.equals(target)) {
-if (!isStatic(member)) {
+if (!isStatic(member) && Arrays.stream(((Class) 
target).getConstructors()).noneMatch(p -> 
p.getClass().equals(member.getClass( {
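Review bot: this branch is the one that handles a `Class`-typed target, and relaxing `!isStatic(member)` here is exactly where an expression's `new X(...)` gets past the static-member rule; the body of the `if` is not in the hunk, so it is not visible whether a Constructor member is merely exempted from the "static only" rule or accepted outright. Confirm that a constructor still falls through to the remaining checks in `isAccessible` rather than being allowed at this point. `getConstructors()` lists only public constructors, so a non-public one keeps the old path, which is the safe direction; the raw `(Class)` cast would be cleaner as `(Class<?>)`.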

Review Comment:
   This is just a temporary solution to express where the problem is, @kusalk I 
count on your comment :)





Issue Time Tracking
---

Worklog Id: (was: 918958)
Time Spent: 20m  (was: 10m)

> Struts2 Validator is failing in OGNL with constructor call
> --
>
> Key: WW-5415
> URL: https://issues.apache.org/jira/browse/WW-5415
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 6.2.0, 6.3.0
>Reporter: Sebastian Götz
>Assignee: Lukasz Lenart
>Priority: Major
>  Labels: ognl, security, validation, xml
> Fix For: 6.5.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5415) Struts2 Validator is failing in OGNL with constructor call

2024-05-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5415?focusedWorklogId=918957=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918957
 ]

ASF GitHub Bot logged work on WW-5415:
--

Author: ASF GitHub Bot
Created on: 12/May/24 07:49
Start Date: 12/May/24 07:49
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #933:
URL: https://github.com/apache/struts/pull/933

   This PR fixes creating instances via OGNL expressions. The breaking change 
was introduced in #780 or #781
   
   Closes [WW-5415](https://issues.apache.org/jira/browse/WW-5415)




Issue Time Tracking
---

Worklog Id: (was: 918957)
Remaining Estimate: 0h
Time Spent: 10m

> Struts2 Validator is failing in OGNL with constructor call
> --
>
> Key: WW-5415
> URL: https://issues.apache.org/jira/browse/WW-5415
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 6.2.0, 6.3.0
>Reporter: Sebastian Götz
>Assignee: Lukasz Lenart
>Priority: Major
>  Labels: ognl, security, validation, xml
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor

2024-05-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918914=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918914
 ]

ASF GitHub Bot logged work on WW-5414:
--

Author: ASF GitHub Bot
Created on: 11/May/24 08:31
Start Date: 11/May/24 08:31
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #932:
URL: https://github.com/apache/struts/pull/932#issuecomment-2105634058

   Quality Gate passed
   Issues: 0 new issues, 0 accepted issues
   Measures: 0 security hotspots, 90.0% coverage on new code, 0.0% duplication on new code
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=932




Issue Time Tracking
---

Worklog Id: (was: 918914)
Time Spent: 1h 40m  (was: 1.5h)

> AfterInvocation of BackgroundProcess is not called when an exception occurs 
> when using ExecuteAndWaitInterceptor
> 
>
> Key: WW-5414
> URL: https://issues.apache.org/jira/browse/WW-5414
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 2.5.30, 6.3.0
>Reporter: Yukio Suzuki
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> In my project, we are using Struts2.5.x and recently started using the 
> ExecuteAndWaitInterceptor. We have extended BackgroundProcess and overridden 
> the beforeInvocation and afterInvocation methods to perform certain actions 
> before and after the invocation of an action. However, we are facing a 
> problem where afterInvocation is not called when an exception occurs. Here is 
> the relevant code:
>  
> {code:java}
> final Thread t = new Thread(new Runnable() {
>   public void run() {
>     try {
>       beforeInvocation();
>       result = invocation.invokeActionOnly();
>       afterInvocation();
>     } catch (Exception e) {
>       exception = e;
>     }
>     
>     done = true;
>   }
> });
> {code}
> In the existing code, the beforeInvocation and afterInvocation methods set 
> and clear the context, but it seems unintentional that the context is not 
> cleared when an exception occurs.
> {code:java}
> protected void beforeInvocation() throws Exception {
>     ActionContext.setContext(invocation.getInvocationContext());
> }
> protected void afterInvocation() throws Exception {
>     ActionContext.setContext(null);
> }{code}
> One possible improvement is to modify the code as follows, ensuring that 
> afterInvocation is called even when an exception occurs:
> {code:java}
> beforeInvocation();
> try {
>   result = invocation.invokeActionOnly();
> } finally {
>   afterInvocation();
> }{code}
> Alternatively, if compatibility is a concern, you can add an 
> afterInvocation(Throwable t) method and modify the code as follows:
> {code:java}
> beforeInvocation();
> try {
>   result = invocation.invokeActionOnly();
> } catch (Throwable t) {
>   afterInvocation(t);
>   throw t;
> }
> afterInvocation();{code}
> Please consider these modifications to ensure that afterInvocation is called 
> even when an exception occurs.
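As an added example (not code from the report, the PR or Struts), the run() pattern quoted above and a try/finally version side by side, with stand-in Context, Action and Outcome classes written for this demo. It goes slightly beyond the report's proposal by also keeping the first exception instead of overwriting it with a failure from afterInvocation(), and by setting done in every path.

```java
import java.util.concurrent.atomic.AtomicReference;

/**
 * Added illustration of the WW-5414 report: the original run() body next to a
 * try/finally version. Context, Action and Outcome are stand-ins written for this
 * example; they are not Struts classes.
 */
public class BackgroundProcessDemo {
    /** Stand-in for ActionContext: a per-thread holder, like the real ThreadLocal. */
    static final class Context {
        private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
        static void set(String ctx) { CURRENT.set(ctx); }
        static String get() { return CURRENT.get(); }
    }

    /** Stand-in for invocation.invokeActionOnly(). */
    interface Action {
        String invoke() throws Exception;
    }

    /** What the waiting interceptor sees once the worker thread finishes. */
    static final class Outcome {
        final String result;
        final Exception exception;
        final boolean done;
        final String contextLeftOnThread; // Context.get() read by the worker after the run

        Outcome(String result, Exception exception, boolean done, String contextLeftOnThread) {
            this.result = result;
            this.exception = exception;
            this.done = done;
            this.contextLeftOnThread = contextLeftOnThread;
        }
    }

    // The hooks quoted in the issue: bind the context, then clear it.
    static void beforeInvocation(String ctx) throws Exception { Context.set(ctx); }
    static void afterInvocation() throws Exception { Context.set(null); }

    /** Original pattern: afterInvocation() is skipped as soon as the action throws. */
    static Outcome runOriginal(Action action, String ctx) throws InterruptedException {
        AtomicReference<Outcome> out = new AtomicReference<>();
        Thread t = new Thread(() -> {
            String result = null;
            Exception exception = null;
            try {
                beforeInvocation(ctx);
                result = action.invoke();
                afterInvocation();
            } catch (Exception e) {
                exception = e;
            }
            // done = true in the original; the request context is still bound to this thread
            out.set(new Outcome(result, exception, true, Context.get()));
        });
        t.start();
        t.join();
        return out.get();
    }

    /** Fixed pattern: clear in finally, keep the first exception, always set done. */
    static Outcome runFixed(Action action, String ctx) throws InterruptedException {
        AtomicReference<Outcome> out = new AtomicReference<>();
        Thread t = new Thread(() -> {
            String result = null;
            Exception exception = null;
            boolean done = false;
            try {
                beforeInvocation(ctx);
                result = action.invoke();
            } catch (Exception e) {
                exception = e;
            } finally {
                try {
                    afterInvocation();
                } catch (Exception ex) {
                    if (exception == null) { // do not hide the original failure
                        exception = ex;
                    }
                } finally {
                    done = true;             // release waiters whatever failed
                }
            }
            out.set(new Outcome(result, exception, done, Context.get()));
        });
        t.start();
        t.join();
        return out.get();
    }

    public static void main(String[] args) throws InterruptedException {
        Action failing = () -> { throw new IllegalStateException("action failed"); };
        Outcome a = runOriginal(failing, "request-42");
        System.out.println("original: context left on thread = " + a.contextLeftOnThread);
        Outcome b = runFixed(failing, "request-42");
        System.out.println("fixed: context left on thread = " + b.contextLeftOnThread
                + ", done = " + b.done + ", exception = " + b.exception);
    }
}
```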





[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor

2024-05-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918913=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918913
 ]

ASF GitHub Bot logged work on WW-5414:
--

Author: ASF GitHub Bot
Created on: 11/May/24 08:18
Start Date: 11/May/24 08:18
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #932:
URL: https://github.com/apache/struts/pull/932#issuecomment-2105630541

   Quality Gate passed
   Issues: 0 New issues, 0 Accepted issues
   Measures: 0 Security Hotspots, 100.0% Coverage on New Code, 0.0% Duplication on New Code
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=932




Issue Time Tracking
---

Worklog Id: (was: 918913)
Time Spent: 1.5h  (was: 1h 20m)

> AfterInvocation of BackgroundProcess is not called when an exception occurs 
> when using ExecuteAndWaitInterceptor
> 
>
> Key: WW-5414
> URL: https://issues.apache.org/jira/browse/WW-5414
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 2.5.30, 6.3.0
>Reporter: Yukio Suzuki
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1.5h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor

2024-05-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918912=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918912
 ]

ASF GitHub Bot logged work on WW-5414:
--

Author: ASF GitHub Bot
Created on: 11/May/24 08:18
Start Date: 11/May/24 08:18
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #932:
URL: https://github.com/apache/struts/pull/932#discussion_r1597396861


##
core/src/main/java/org/apache/struts2/interceptor/exec/StrutsBackgroundProcess.java:
##
@@ -61,11 +66,17 @@ public BackgroundProcess prepare() {
 try {
 beforeInvocation();
 result = invocation.invokeActionOnly();
-afterInvocation();
 } catch (Exception e) {
+LOG.warn("Exception during invokeActionOnly() execution", 
e);
 exception = e;
 } finally {
-  done = true;
+try {
+afterInvocation();
+} catch (Exception ex) {
+exception = ex;
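Review bot: the inner `catch (Exception ex)` in the `finally` block assigns `exception = ex;` unconditionally, so when beforeInvocation() or invokeActionOnly() has already failed, a second failure in afterInvocation() replaces the original cause and the caller only sees the cleanup error; guard it with `if (exception == null)` or record the second failure separately. The hunk also removes `done = true;` and none of the visible `+` lines restores it, so make sure the flag is still set (in a `finally` of the inner try) even when afterInvocation() throws, otherwise a waiting ExecuteAndWaitInterceptor never sees the process finish.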

Review Comment:
   Right, let's keep it simple, I will set `exception` only if it wasn't already set





Issue Time Tracking
---

Worklog Id: (was: 918912)
Time Spent: 1h 20m  (was: 1h 10m)

> AfterInvocation of BackgroundProcess is not called when an exception occurs 
> when using ExecuteAndWaitInterceptor
> 
>
> Key: WW-5414
> URL: https://issues.apache.org/jira/browse/WW-5414
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 2.5.30, 6.3.0
>Reporter: Yukio Suzuki
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1h 20m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor

2024-05-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918911=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918911
 ]

ASF GitHub Bot logged work on WW-5414:
--

Author: ASF GitHub Bot
Created on: 11/May/24 08:07
Start Date: 11/May/24 08:07
Worklog Time Spent: 10m 
  Work Description: kusalk commented on code in PR #932:
URL: https://github.com/apache/struts/pull/932#discussion_r1597395216


##
core/src/main/java/org/apache/struts2/interceptor/exec/StrutsBackgroundProcess.java:
##
@@ -61,11 +66,17 @@ public BackgroundProcess prepare() {
 try {
 beforeInvocation();
 result = invocation.invokeActionOnly();
-afterInvocation();
 } catch (Exception e) {
+LOG.warn("Exception during invokeActionOnly() execution", 
e);
 exception = e;
 } finally {
-  done = true;
+try {
+afterInvocation();
+} catch (Exception ex) {
+exception = ex;

Review Comment:
   If we're only going to record one, the first one is probably more relevant - 
I'll let you make the call





Issue Time Tracking
---

Worklog Id: (was: 918911)
Time Spent: 1h 10m  (was: 1h)

> AfterInvocation of BackgroundProcess is not called when an exception occurs 
> when using ExecuteAndWaitInterceptor
> 
>
> Key: WW-5414
> URL: https://issues.apache.org/jira/browse/WW-5414
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 2.5.30, 6.3.0
>Reporter: Yukio Suzuki
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor

2024-05-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918910=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918910
 ]

ASF GitHub Bot logged work on WW-5414:
--

Author: ASF GitHub Bot
Created on: 11/May/24 08:05
Start Date: 11/May/24 08:05
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #932:
URL: https://github.com/apache/struts/pull/932#discussion_r1597394691


##
core/src/main/java/org/apache/struts2/interceptor/exec/StrutsBackgroundProcess.java:
##
@@ -61,11 +66,17 @@ public BackgroundProcess prepare() {
 try {
 beforeInvocation();
 result = invocation.invokeActionOnly();
-afterInvocation();
 } catch (Exception e) {
+LOG.warn("Exception during invokeActionOnly() execution", 
e);
 exception = e;
 } finally {
-  done = true;
+try {
+afterInvocation();
+} catch (Exception ex) {
+exception = ex;

Review Comment:
   Yeah, I know, I thought about adding additional `afterException` and maybe 
`beforeException` fields to keep this information





Issue Time Tracking
---

Worklog Id: (was: 918910)
Time Spent: 1h  (was: 50m)

> AfterInvocation of BackgroundProcess is not called when an exception occurs 
> when using ExecuteAndWaitInterceptor
> 
>
> Key: WW-5414
> URL: https://issues.apache.org/jira/browse/WW-5414
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 2.5.30, 6.3.0
>Reporter: Yukio Suzuki
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor

2024-05-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918909=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918909
 ]

ASF GitHub Bot logged work on WW-5414:
--

Author: ASF GitHub Bot
Created on: 11/May/24 08:05
Start Date: 11/May/24 08:05
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #932:
URL: https://github.com/apache/struts/pull/932#discussion_r1597394691


##
core/src/main/java/org/apache/struts2/interceptor/exec/StrutsBackgroundProcess.java:
##
@@ -61,11 +66,17 @@ public BackgroundProcess prepare() {
 try {
 beforeInvocation();
 result = invocation.invokeActionOnly();
-afterInvocation();
 } catch (Exception e) {
+LOG.warn("Exception during invokeActionOnly() execution", 
e);
 exception = e;
 } finally {
-  done = true;
+try {
+afterInvocation();
+} catch (Exception ex) {
+exception = ex;

Review Comment:
   Yeah, I know, after adding additional `afterException` and maybe 
`beforeException` fields to keep this information





Issue Time Tracking
---

Worklog Id: (was: 918909)
Time Spent: 50m  (was: 40m)

> AfterInvocation of BackgroundProcess is not called when an exception occurs 
> when using ExecuteAndWaitInterceptor
> 
>
> Key: WW-5414
> URL: https://issues.apache.org/jira/browse/WW-5414
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 2.5.30, 6.3.0
>Reporter: Yukio Suzuki
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor

2024-05-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918908=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918908
 ]

ASF GitHub Bot logged work on WW-5414:
--

Author: ASF GitHub Bot
Created on: 11/May/24 08:00
Start Date: 11/May/24 08:00
Worklog Time Spent: 10m 
  Work Description: kusalk commented on code in PR #932:
URL: https://github.com/apache/struts/pull/932#discussion_r1597393073


##
core/src/main/java/org/apache/struts2/interceptor/exec/StrutsBackgroundProcess.java:
##
@@ -61,11 +66,17 @@ public BackgroundProcess prepare() {
 try {
 beforeInvocation();
 result = invocation.invokeActionOnly();
-afterInvocation();
 } catch (Exception e) {
+LOG.warn("Exception during invokeActionOnly() execution", 
e);
 exception = e;
 } finally {
-  done = true;
+try {
+afterInvocation();
+} catch (Exception ex) {
+exception = ex;

Review Comment:
   Hmm what if `beforeInvocation()` already threw an exception, do we want to 
overwrite that?





Issue Time Tracking
---

Worklog Id: (was: 918908)
Time Spent: 40m  (was: 0.5h)

> AfterInvocation of BackgroundProcess is not called when an exception occurs 
> when using ExecuteAndWaitInterceptor
> 
>
> Key: WW-5414
> URL: https://issues.apache.org/jira/browse/WW-5414
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 2.5.30, 6.3.0
>Reporter: Yukio Suzuki
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor

2024-05-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918905=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918905
 ]

ASF GitHub Bot logged work on WW-5414:
--

Author: ASF GitHub Bot
Created on: 11/May/24 07:40
Start Date: 11/May/24 07:40
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #932:
URL: https://github.com/apache/struts/pull/932#issuecomment-2105617974

   Quality Gate passed
   Issues: 3 New issues, 0 Accepted issues
   Measures: 0 Security Hotspots, 100.0% Coverage on New Code, 0.0% Duplication on New Code
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=932




Issue Time Tracking
---

Worklog Id: (was: 918905)
Time Spent: 0.5h  (was: 20m)

> AfterInvocation of BackgroundProcess is not called when an exception occurs 
> when using ExecuteAndWaitInterceptor
> 
>
> Key: WW-5414
> URL: https://issues.apache.org/jira/browse/WW-5414
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 2.5.30, 6.3.0
>Reporter: Yukio Suzuki
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor

2024-05-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918904=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918904
 ]

ASF GitHub Bot logged work on WW-5414:
--

Author: ASF GitHub Bot
Created on: 11/May/24 06:31
Start Date: 11/May/24 06:31
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #932:
URL: https://github.com/apache/struts/pull/932#issuecomment-2105593190

   Quality Gate failed
   Failed conditions: 60.0% Coverage on New Code (required ≥ 80%)
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=932




Issue Time Tracking
---

Worklog Id: (was: 918904)
Time Spent: 20m  (was: 10m)

> AfterInvocation of BackgroundProcess is not called when an exception occurs 
> when using ExecuteAndWaitInterceptor
> 
>
> Key: WW-5414
> URL: https://issues.apache.org/jira/browse/WW-5414
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 2.5.30, 6.3.0
>Reporter: Yukio Suzuki
>Assignee: Lukasz Lenart
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> In my project, we are using Struts 2.5.x and recently started using the 
> ExecuteAndWaitInterceptor. We have extended BackgroundProcess and overridden 
> the beforeInvocation and afterInvocation methods to perform certain actions 
> before and after the invocation of an action. However, we are facing a 
> problem where afterInvocation is not called when an exception occurs. Here is 
> the relevant code:
>
> {code:java}
> final Thread t = new Thread(new Runnable() {
>   public void run() {
>     try {
>       beforeInvocation();
>       result = invocation.invokeActionOnly();
>       afterInvocation();
>     } catch (Exception e) {
>       exception = e;
>     }
>     
>     done = true;
>   }
> });
> {code}
> In the existing code, the beforeInvocation and afterInvocation methods set 
> and clear the context, but it seems unintentional that the context is not 
> cleared when an exception occurs.
> {code:java}
> protected void beforeInvocation() throws Exception {
>     ActionContext.setContext(invocation.getInvocationContext());
> }
> protected void afterInvocation() throws Exception {
>     ActionContext.setContext(null);
> }{code}
> One possible improvement is to modify the code as follows, ensuring that 
> afterInvocation is called even when an exception occurs:
> {code:java}
> beforeInvocation();
> try {
>   result = invocation.invokeActionOnly();
> } finally {
>   afterInvocation();
> }{code}
> Alternatively, if compatibility is a concern, you can add an 
> afterInvocation(Throwable t) method and modify the code as follows:
> {code:java}
> beforeInvocation();
> try {
>   result = invocation.invokeActionOnly();
> } catch (Throwable t) {
>   afterInvocation(t);
>   throw t;
> }
> afterInvocation();{code}
> Please consider these modifications to ensure that afterInvocation is called 
> even when an exception occurs.



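The context leak described in WW-5414 above, as an added illustration that is not Struts code: a `ThreadLocal` stands in for ActionContext's per-thread storage, `runLeaky` repeats the reported set/invoke/clear sequence and `runSafe` the proposed try/finally shape, and a single-thread executor shows what the next task scheduled on the same thread observes. The class and method names are invented for the example, and the pooled thread is an assumption that generalises the report: ExecuteAndWaitInterceptor starts a fresh `Thread` per process, while a stale thread-local on a pooled thread becomes another request's context.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;

/**
 * Added illustration, not Struts code. CONTEXT stands in for ActionContext's
 * per-thread storage; runLeaky/runSafe stand in for BackgroundProcess.run().
 */
public final class ContextLeakDemo {

    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    /** Reported shape: set, invoke, clear; the clear is skipped when invoke throws. */
    static Object runLeaky(String requestContext, Callable<Object> action) throws Exception {
        CONTEXT.set(requestContext);          // beforeInvocation()
        Object result = action.call();        // invocation.invokeActionOnly(), may throw
        CONTEXT.remove();                     // afterInvocation(): not reached on the exception path
        return result;
    }

    /** Proposed shape: the clear runs in finally, on the normal and the exception path alike. */
    static Object runSafe(String requestContext, Callable<Object> action) throws Exception {
        CONTEXT.set(requestContext);
        try {
            return action.call();
        } finally {
            CONTEXT.remove();
        }
    }

    /**
     * Runs one failing action on a single-thread pool, then asks the next task
     * on that same thread which context it observes. The pool is an assumption
     * of this example; the interceptor itself uses a fresh Thread.
     */
    static String contextSeenByNextTask(boolean safe) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Callable<Object> failingAction = () -> { throw new IllegalStateException("action failed"); };
            Callable<Object> first = () -> safe
                    ? runSafe("request-A", failingAction)
                    : runLeaky("request-A", failingAction);
            try {
                pool.submit(first).get();
            } catch (ExecutionException expected) {
                // the action's exception surfaces here; BackgroundProcess would store it in `exception`
            }
            Callable<String> probe = () -> String.valueOf(CONTEXT.get());
            Future<String> second = pool.submit(probe);
            return second.get();
        } finally {
            pool.shutdown();
            pool.awaitTermination(5, TimeUnit.SECONDS);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("leaky: next task sees " + contextSeenByNextTask(false)); // request-A
        System.out.println("safe:  next task sees " + contextSeenByNextTask(true));  // null
    }
}
```

The leaky variant leaves "request-A" on the thread for whoever runs there next; the finally variant leaves nothing behind. The `afterInvocation(Throwable)` alternative from the issue has the same effect as long as the catch block rethrows after cleaning up.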


[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor

2024-05-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918903=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918903
 ]

ASF GitHub Bot logged work on WW-5414:
--

Author: ASF GitHub Bot
Created on: 11/May/24 06:24
Start Date: 11/May/24 06:24
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #932:
URL: https://github.com/apache/struts/pull/932

   Close [WW-5414](https://issues.apache.org/jira/browse/WW-5414)




Issue Time Tracking
---

Worklog Id: (was: 918903)
Remaining Estimate: 0h
Time Spent: 10m

> AfterInvocation of BackgroundProcess is not called when an exception occurs 
> when using ExecuteAndWaitInterceptor
> 
>
> Key: WW-5414
> URL: https://issues.apache.org/jira/browse/WW-5414
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 2.5.30, 6.3.0
>Reporter: Yukio Suzuki
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> In my project, we are using Struts 2.5.x and recently started using the 
> ExecuteAndWaitInterceptor. We have extended BackgroundProcess and overridden 
> the beforeInvocation and afterInvocation methods to perform certain actions 
> before and after the invocation of an action. However, we are facing a 
> problem where afterInvocation is not called when an exception occurs. Here is 
> the relevant code:
>
> {code:java}
> final Thread t = new Thread(new Runnable() {
>   public void run() {
>     try {
>       beforeInvocation();
>       result = invocation.invokeActionOnly();
>       afterInvocation();
>     } catch (Exception e) {
>       exception = e;
>     }
>     
>     done = true;
>   }
> });
> {code}
> In the existing code, the beforeInvocation and afterInvocation methods set 
> and clear the context, but it seems unintentional that the context is not 
> cleared when an exception occurs.
> {code:java}
> protected void beforeInvocation() throws Exception {
>     ActionContext.setContext(invocation.getInvocationContext());
> }
> protected void afterInvocation() throws Exception {
>     ActionContext.setContext(null);
> }{code}
> One possible improvement is to modify the code as follows, ensuring that 
> afterInvocation is called even when an exception occurs:
> {code:java}
> beforeInvocation();
> try {
>   result = invocation.invokeActionOnly();
> } finally {
>   afterInvocation();
> }{code}
> Alternatively, if compatibility is a concern, you can add an 
> afterInvocation(Throwable t) method and modify the code as follows:
> {code:java}
> beforeInvocation();
> try {
>   result = invocation.invokeActionOnly();
> } catch (Throwable t) {
>   afterInvocation(t);
>   throw t;
> }
> afterInvocation();{code}
> Please consider these modifications to ensure that afterInvocation is called 
> even when an exception occurs.





[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale

2024-05-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=918902=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918902
 ]

ASF GitHub Bot logged work on WW-5422:
--

Author: ASF GitHub Bot
Created on: 11/May/24 06:05
Start Date: 11/May/24 06:05
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #931:
URL: https://github.com/apache/struts/pull/931#issuecomment-2105584154

   ## [![Quality Gate Failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-failed-20px.png 'Quality Gate Failed')](https://sonarcloud.io/dashboard?id=apache_struts=931) **Quality Gate failed**
   Failed conditions
   ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/failed-16px.png '') [66.7% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=931=new_coverage=list) (required ≥ 80%)
   ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/failed-16px.png '') [8.5% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=931=new_duplicated_lines_density=list) (required ≤ 3%)

   [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=931)





Issue Time Tracking
---

Worklog Id: (was: 918902)
Time Spent: 0.5h  (was: 20m)

> I18nInterceptor and invalid locale
> --
>
> Key: WW-5422
> URL: https://issues.apache.org/jira/browse/WW-5422
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Andreas Sachs
>Assignee: Lukasz Lenart
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Exception if locale contains trimmable characters:
>
> E.g. request:
> request_locale=de%0A
>
> Code from I18nInterceptor line 187:
>
> {code:java}
> if (localeProvider.isValidLocaleString(localeStr)) {
>     locale = LocaleUtils.toLocale(localeStr);
> }{code}
>
> isValidLocaleString returns true because localeStr is trimmed inside the function
> (locale = LocaleUtils.toLocale(StringUtils.trimToNull(localeStr))),
> but LocaleUtils.toLocale(localeStr) will throw an exception afterwards.
>
> {code:java}
> java.lang.IllegalArgumentException: Invalid locale format: de
>         at org.apache.commons.lang3.LocaleUtils.parseLocale(LocaleUtils.java:268) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>         at org.apache.commons.lang3.LocaleUtils.toLocale(LocaleUtils.java:348) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>         at org.apache.struts2.interceptor.I18nInterceptor.getLocaleFromParam(I18nInterceptor.java:188) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
>         at org.apache.struts2.interceptor.I18nInterceptor$SessionLocaleHandler.find(I18nInterceptor.java:321) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
> {code}
>





[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale

2024-05-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=918899=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918899
 ]

ASF GitHub Bot logged work on WW-5422:
--

Author: ASF GitHub Bot
Created on: 11/May/24 05:30
Start Date: 11/May/24 05:30
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #931:
URL: https://github.com/apache/struts/pull/931#issuecomment-2105570159

   ## [![Quality Gate Failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-failed-20px.png 'Quality Gate Failed')](https://sonarcloud.io/dashboard?id=apache_struts=931) **Quality Gate failed**
   Failed conditions
   ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/failed-16px.png '') [66.7% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=931=new_coverage=list) (required ≥ 80%)
   ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/failed-16px.png '') [9.8% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=931=new_duplicated_lines_density=list) (required ≤ 3%)

   [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=931)





Issue Time Tracking
---

Worklog Id: (was: 918899)
Time Spent: 20m  (was: 10m)

> I18nInterceptor and invalid locale
> --
>
> Key: WW-5422
> URL: https://issues.apache.org/jira/browse/WW-5422
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Andreas Sachs
>Assignee: Lukasz Lenart
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Exception if locale contains trimmable characters:
>
> E.g. request:
> request_locale=de%0A
>
> Code from I18nInterceptor line 187:
>
> {code:java}
> if (localeProvider.isValidLocaleString(localeStr)) {
>     locale = LocaleUtils.toLocale(localeStr);
> }{code}
>
> isValidLocaleString returns true because localeStr is trimmed inside the function
> (locale = LocaleUtils.toLocale(StringUtils.trimToNull(localeStr))),
> but LocaleUtils.toLocale(localeStr) will throw an exception afterwards.
>
> {code:java}
> java.lang.IllegalArgumentException: Invalid locale format: de
>         at org.apache.commons.lang3.LocaleUtils.parseLocale(LocaleUtils.java:268) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>         at org.apache.commons.lang3.LocaleUtils.toLocale(LocaleUtils.java:348) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>         at org.apache.struts2.interceptor.I18nInterceptor.getLocaleFromParam(I18nInterceptor.java:188) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
>         at org.apache.struts2.interceptor.I18nInterceptor$SessionLocaleHandler.find(I18nInterceptor.java:321) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
> {code}
>





[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale

2024-05-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=918898=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918898
 ]

ASF GitHub Bot logged work on WW-5422:
--

Author: ASF GitHub Bot
Created on: 11/May/24 05:24
Start Date: 11/May/24 05:24
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #931:
URL: https://github.com/apache/struts/pull/931

   Fixes issue with trimmable locale string
   
   Closes [WW-5422](https://issues.apache.org/jira/browse/WW-5422)




Issue Time Tracking
---

Worklog Id: (was: 918898)
Remaining Estimate: 0h
Time Spent: 10m

> I18nInterceptor and invalid locale
> --
>
> Key: WW-5422
> URL: https://issues.apache.org/jira/browse/WW-5422
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Andreas Sachs
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Exception if locale contains trimmable characters:
>
> E.g. request:
> request_locale=de%0A
>
> Code from I18nInterceptor line 187:
>
> {code:java}
> if (localeProvider.isValidLocaleString(localeStr)) {
>     locale = LocaleUtils.toLocale(localeStr);
> }{code}
>
> isValidLocaleString returns true because localeStr is trimmed inside the function
> (locale = LocaleUtils.toLocale(StringUtils.trimToNull(localeStr))),
> but LocaleUtils.toLocale(localeStr) will throw an exception afterwards.
>
> {code:java}
> java.lang.IllegalArgumentException: Invalid locale format: de
>         at org.apache.commons.lang3.LocaleUtils.parseLocale(LocaleUtils.java:268) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>         at org.apache.commons.lang3.LocaleUtils.toLocale(LocaleUtils.java:348) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>         at org.apache.struts2.interceptor.I18nInterceptor.getLocaleFromParam(I18nInterceptor.java:188) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
>         at org.apache.struts2.interceptor.I18nInterceptor$SessionLocaleHandler.find(I18nInterceptor.java:321) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
> {code}
>





[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-05-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=918896=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918896
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 11/May/24 04:36
Start Date: 11/May/24 04:36
Worklog Time Spent: 10m 
  Work Description: lukaszlenart merged PR #913:
URL: https://github.com/apache/struts/pull/913




Issue Time Tracking
---

Worklog Id: (was: 918896)
Time Spent: 1.5h  (was: 1h 20m)

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Erica Kane
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor 
> provides an elegant solution with the  and  tags. However, 
> I want to set my own base-uri. And perhaps make some other changes to the CSP 
> headers.
> But these values are not accessible. Only the report-only and report-uri can 
> be changed. Even if one is willing to work at the Action level and implement 
> a new interface for all of them, I can't change the base-uri. I've seen 
> people on Stack Overflow disable it for this reason. I want to use it, but 
> could someone please explain how to set the base-uri globally? If not, I will 
> likely have to make my own.
> P.S. I will update the documentation page. Nowhere in the description of the 
> interceptor does it mention the script and link tags, and without those, it 
> is useless!





[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0

2024-05-06 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=917859=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-917859
 ]

ASF GitHub Bot logged work on WW-5419:
--

Author: ASF GitHub Bot
Created on: 06/May/24 16:20
Start Date: 06/May/24 16:20
Worklog Time Spent: 10m 
  Work Description: lukaszlenart merged PR #920:
URL: https://github.com/apache/struts/pull/920




Issue Time Tracking
---

Worklog Id: (was: 917859)
Time Spent: 1h 40m  (was: 1.5h)

> Autoloading of tiles.xml fails in Struts-6.4.0
> --
>
> Key: WW-5419
> URL: https://issues.apache.org/jira/browse/WW-5419
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Tiles
>Affects Versions: 6.4.0
>Reporter: Markus Fischer
>Assignee: Lukasz Lenart
>Priority: Blocker
> Fix For: 6.5.0
>
>  Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Starting in 6.4.0 a tiles definition in {{/WEB-INF/tiles.xml}} is not found 
> automatically anymore. The problem arises only if the definition in web.xml 
> contains no param section:
> {code:xml}
> <listener>
>     <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
> </listener>
> {code}
>
> The workaround is to specify the specific location:
> {code:xml}
> <listener>
>     <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
> </listener>
>
> <context-param>
>     <param-name>org.apache.tiles.definition.DefinitionsFactory.DEFINITIONS_CONFIG</param-name>
>     <param-value>/WEB-INF/tiles.xml</param-value>
> </context-param>
> {code}
>
> The issue has been introduced by this 
> [change|https://github.com/apache/struts/pull/896/commits/c7ae614824b4c158b9998575294d94fe9a746c41]





[jira] [Work logged] (WW-5420) Upgrade commons-text to ver. 1.12.0

2024-04-28 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5420?focusedWorklogId=916792=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916792
 ]

ASF GitHub Bot logged work on WW-5420:
--

Author: ASF GitHub Bot
Created on: 29/Apr/24 04:24
Start Date: 29/Apr/24 04:24
Worklog Time Spent: 10m 
  Work Description: lukaszlenart merged PR #924:
URL: https://github.com/apache/struts/pull/924




Issue Time Tracking
---

Worklog Id: (was: 916792)
Time Spent: 0.5h  (was: 20m)

> Upgrade commons-text to ver. 1.12.0
> ---
>
> Key: WW-5420
> URL: https://issues.apache.org/jira/browse/WW-5420
> Project: Struts 2
>  Issue Type: Dependency
>  Components: Core
>Reporter: Lukasz Lenart
>Priority: Trivial
> Fix For: 6.5.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5421) Upgrade ASM to version 9.7

2024-04-28 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5421?focusedWorklogId=916791=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916791
 ]

ASF GitHub Bot logged work on WW-5421:
--

Author: ASF GitHub Bot
Created on: 29/Apr/24 04:23
Start Date: 29/Apr/24 04:23
Worklog Time Spent: 10m 
  Work Description: lukaszlenart merged PR #907:
URL: https://github.com/apache/struts/pull/907




Issue Time Tracking
---

Worklog Id: (was: 916791)
Remaining Estimate: 0h
Time Spent: 10m

> Upgrade ASM to version 9.7
> --
>
> Key: WW-5421
> URL: https://issues.apache.org/jira/browse/WW-5421
> Project: Struts 2
>  Issue Type: Dependency
>  Components: Core
>Reporter: Lukasz Lenart
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-28 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=916761=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916761
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 28/Apr/24 14:41
Start Date: 28/Apr/24 14:41
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #913:
URL: https://github.com/apache/struts/pull/913#discussion_r1582193457


##
core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java:
##
@@ -54,8 +57,24 @@ public String intercept(ActionInvocation invocation) throws 
Exception {
 LOG.trace("Using CspSettings provided by the action: {}", action);
 applySettings(invocation, ((CspSettingsAware) 
action).getCspSettings());
 } else {
-LOG.trace("Using DefaultCspSettings with action: {}", action);
-applySettings(invocation, new DefaultCspSettings());
+LOG.trace("Using {} with action: {}", defaultCspSettingsClassName, 
action);
+
+// if the defaultCspSettingsClassName is not a real class, throw 
an exception
+try {
+Class.forName(defaultCspSettingsClassName, false, 
Thread.currentThread().getContextClassLoader());
+}
+catch (ClassNotFoundException e) {
+throw new IllegalArgumentException("The 
defaultCspSettingsClassName must be a real class.");
+}
+
+// if defaultCspSettingsClassName does not implement CspSettings, 
throw an exception
+if 
(!CspSettings.class.isAssignableFrom(Class.forName(defaultCspSettingsClassName)))
 {
+throw new IllegalArgumentException("The 
defaultCspSettingsClassName must implement CspSettings.");
+}
+
+CspSettings cspSettings = (CspSettings) 
Class.forName(defaultCspSettingsClassName)
+.getDeclaredConstructor().newInstance();
+applySettings(invocation, cspSettings);
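
Review bot: the class is looked up three times with two different loaders in this hunk. The existence check passes `Thread.currentThread().getContextClassLoader()` with `initialize=false`, but the `isAssignableFrom` check and the `newInstance()` call use one-argument `Class.forName(defaultCspSettingsClassName)`, which resolves through CspInterceptor's own defining loader and runs static initialisers. In a container where the application's settings class is visible only to the context loader, the first lookup passes and the second throws a bare ClassNotFoundException that bypasses the IllegalArgumentException path entirely. Resolve once and reuse the result, for example `Class<?> clazz = Class.forName(defaultCspSettingsClassName, false, Thread.currentThread().getContextClassLoader());` followed by `CspSettings cspSettings = clazz.asSubclass(CspSettings.class).getDeclaredConstructor().newInstance();`, which also removes the unchecked cast. Both IllegalArgumentException messages should carry the offending class name, and the first should chain the ClassNotFoundException as its cause; otherwise a misconfigured `defaultCspSettingsClassName` is not diagnosable from the log. Agreed on moving this to `init()`: besides avoiding reflection on every request, it makes a bad class name fail at startup rather than on the first request that reaches the else branch.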

Review Comment:
   I wonder if we can move this code into `init()` method of the interceptor as 
right now a new instance is created per each invocation





Issue Time Tracking
---

Worklog Id: (was: 916761)
Time Spent: 1h 20m  (was: 1h 10m)

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Erica Kane
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor 
> provides an elegant solution with the  and  tags. However, 
> I want to set my own base-uri. And perhaps make some other changes to the CSP 
> headers.
> But these values are not accessible. Only the report-only and report-uri can 
> be changed. Even if one is willing to work at the Action level and implement 
> a new interface for all of them, I can't change the base-uri. I've seen 
> people on Stack Overflow disable it for this reason. I want to use it, but 
> could someone please explain how to set the base-uri globally? If not, I will 
> likely have to make my own.
> P.S. I will update the documentation page. Nowhere in the description of the 
> interceptor does it mention the script and link tags, and without those, it 
> is useless!





[jira] [Work logged] (WW-5420) Upgrade commons-text to ver. 1.12.0

2024-04-25 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5420?focusedWorklogId=916324=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916324
 ]

ASF GitHub Bot logged work on WW-5420:
--

Author: ASF GitHub Bot
Created on: 25/Apr/24 06:33
Start Date: 25/Apr/24 06:33
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #924:
URL: https://github.com/apache/struts/pull/924#issuecomment-2076467620

   ## [![Quality Gate Failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-failed-20px.png 'Quality Gate Failed')](https://sonarcloud.io/dashboard?id=apache_struts=924) **Quality Gate failed**
   Failed conditions
   ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/failed-16px.png '') [8 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts=924=false=true)
   ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/failed-16px.png '') [28.6% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=924=new_coverage=list) (required ≥ 80%)
   ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/failed-16px.png '') [4.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=924=new_duplicated_lines_density=list) (required ≤ 3%)
   ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/failed-16px.png '') [E Security Rating on New Code](https://sonarcloud.io/dashboard?id=apache_struts=924) (required ≥ A)
   ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/failed-16px.png '') [E Reliability Rating on New Code](https://sonarcloud.io/dashboard?id=apache_struts=924) (required ≥ A)

   [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=924)

   ##
   ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/light_bulb-16px.png '') Catch issues before they fail your Quality Gate with our IDE extension ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/sonarlint-16px.png '') [SonarLint](https://www.sonarsource.com/products/sonarlint/features/connected-mode/?referrer=pull-request)





Issue Time Tracking
---

Worklog Id: (was: 916324)
Time Spent: 20m  (was: 10m)

> Upgrade commons-text to ver. 1.12.0
> ---
>
> Key: WW-5420
> URL: https://issues.apache.org/jira/browse/WW-5420
> Project: Struts 2
>  Issue Type: Dependency
>  Components: Core
>Reporter: Lukasz Lenart
>Priority: Trivial
> Fix For: 6.5.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5420) Upgrade commons-text to ver. 1.12.0

2024-04-25 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5420?focusedWorklogId=916323=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916323
 ]

ASF GitHub Bot logged work on WW-5420:
--

Author: ASF GitHub Bot
Created on: 25/Apr/24 06:25
Start Date: 25/Apr/24 06:25
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #924:
URL: https://github.com/apache/struts/pull/924

   Closes [WW-5420](https://issues.apache.org/jira/browse/WW-5420)




Issue Time Tracking
---

Worklog Id: (was: 916323)
Remaining Estimate: 0h
Time Spent: 10m

> Upgrade commons-text to ver. 1.12.0
> ---
>
> Key: WW-5420
> URL: https://issues.apache.org/jira/browse/WW-5420
> Project: Struts 2
>  Issue Type: Dependency
>  Components: Core
>Reporter: Lukasz Lenart
>Priority: Trivial
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5353) Implement stronger security defaults in Struts 7.0

2024-04-24 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5353?focusedWorklogId=916168=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916168
 ]

ASF GitHub Bot logged work on WW-5353:
--

Author: ASF GitHub Bot
Created on: 24/Apr/24 12:34
Start Date: 24/Apr/24 12:34
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on PR #919:
URL: https://github.com/apache/struts/pull/919#issuecomment-2074844610

   I can roll a new Milestone release during the weekend




Issue Time Tracking
---

Worklog Id: (was: 916168)
Time Spent: 1h  (was: 50m)

> Implement stronger security defaults in Struts 7.0
> --
>
> Key: WW-5353
> URL: https://issues.apache.org/jira/browse/WW-5353
> Project: Struts 2
>  Issue Type: Improvement
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 7.0.0
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> {{struts.ognl.allowStaticFieldAccess=false}}
> {{struts.ognl.excludedNodeTypes=}}
> {{struts.ognl.expressionMaxLength=150}}
> {{struts.disallowDefaultPackageAccess=true}}
> {{struts.disallowProxyMemberAccess=true}}
> {{struts.parameters.requireAnnotations=true}}
> {{struts.ognl.disallowCustomOgnlMap=true}}
> {{struts.allowlist.enable=true}}





[jira] [Work logged] (WW-5353) Implement stronger security defaults in Struts 7.0

2024-04-24 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5353?focusedWorklogId=916167=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916167
 ]

ASF GitHub Bot logged work on WW-5353:
--

Author: ASF GitHub Bot
Created on: 24/Apr/24 12:33
Start Date: 24/Apr/24 12:33
Worklog Time Spent: 10m 
  Work Description: kusalk merged PR #919:
URL: https://github.com/apache/struts/pull/919




Issue Time Tracking
---

Worklog Id: (was: 916167)
Time Spent: 50m  (was: 40m)

> Implement stronger security defaults in Struts 7.0
> --
>
> Key: WW-5353
> URL: https://issues.apache.org/jira/browse/WW-5353
> Project: Struts 2
>  Issue Type: Improvement
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 7.0.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>
> {{struts.ognl.allowStaticFieldAccess=false}}
> {{struts.ognl.excludedNodeTypes=}}
> {{struts.ognl.expressionMaxLength=150}}
> {{struts.disallowDefaultPackageAccess=true}}
> {{struts.disallowProxyMemberAccess=true}}
> {{struts.parameters.requireAnnotations=true}}
> {{struts.ognl.disallowCustomOgnlMap=true}}
> {{struts.allowlist.enable=true}}





[jira] [Work logged] (WW-5353) Implement stronger security defaults in Struts 7.0

2024-04-24 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5353?focusedWorklogId=916166=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916166
 ]

ASF GitHub Bot logged work on WW-5353:
--

Author: ASF GitHub Bot
Created on: 24/Apr/24 12:30
Start Date: 24/Apr/24 12:30
Worklog Time Spent: 10m 
  Work Description: kusalk commented on PR #919:
URL: https://github.com/apache/struts/pull/919#issuecomment-2074837079

   Feedback on the next milestone will be interesting, let's see how we go!




Issue Time Tracking
---

Worklog Id: (was: 916166)
Time Spent: 40m  (was: 0.5h)

> Implement stronger security defaults in Struts 7.0
> --
>
> Key: WW-5353
> URL: https://issues.apache.org/jira/browse/WW-5353
> Project: Struts 2
>  Issue Type: Improvement
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 7.0.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> {{struts.ognl.allowStaticFieldAccess=false}}
> {{struts.ognl.excludedNodeTypes=}}
> {{struts.ognl.expressionMaxLength=150}}
> {{struts.disallowDefaultPackageAccess=true}}
> {{struts.disallowProxyMemberAccess=true}}
> {{struts.parameters.requireAnnotations=true}}
> {{struts.ognl.disallowCustomOgnlMap=true}}
> {{struts.allowlist.enable=true}}





[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies

2024-04-22 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=915950=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915950
 ]

ASF GitHub Bot logged work on WW-5407:
--

Author: ASF GitHub Bot
Created on: 23/Apr/24 05:32
Start Date: 23/Apr/24 05:32
Worklog Time Spent: 10m 
  Work Description: kusalk merged PR #234:
URL: https://github.com/apache/struts-site/pull/234




Issue Time Tracking
---

Worklog Id: (was: 915950)
Time Spent: 2h 50m  (was: 2h 40m)

> Extend SecurityMemberAccess proxy detection to Hibernate proxies
> 
>
> Key: WW-5407
> URL: https://issues.apache.org/jira/browse/WW-5407
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 2h 50m
>  Remaining Estimate: 0h
>
> The current option {{struts.disallowProxyMemberAccess}} does not have any 
> logic to detect Hibernate proxies, which may also present a security risk.
> Additionally, the current option only forbids access to members which 
> originate from a proxy. However, it makes more sense to forbid access to 
> proxy objects entirely. This is because proxying is often used for sensitive 
> instances, application beans or Hibernate objects, none of which is safe to 
> be accessed or manipulated via OGNL. Thus, let's introduce an additional 
> option {{struts.disallowProxyObjectAccess}} which will offer stronger 
> protection.
> Finally, the caching mechanism in the ProxyUtil class uses an unbounded map; 
> this can potentially be attacked and lead to a memory leak or DoS. Let's 
> replace it with a Caffeine cache as we have done previously for the OGNL 
> expression cache.



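The two access policies and the bounded class-verdict cache that the WW-5407 description proposes, as an added illustration rather than Struts' own ProxyUtil or SecurityMemberAccess code; the class name, the `$$` naming heuristic, the cache bound and the name-based Hibernate check are assumptions made for this example:

```java
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added illustration (not Struts code): decide whether a value reachable from
 * an OGNL expression is a proxy object, and memoise the per-class verdict in a
 * bounded cache instead of an unbounded map.
 */
public final class ProxyObjectGuard {

    /** Upper bound on cached class verdicts (value chosen for this example). */
    private static final int MAX_CACHED_CLASSES = 1024;

    /**
     * Bounded, access-ordered LRU map standing in for the Caffeine cache the
     * issue proposes; Caffeine.newBuilder().maximumSize(n).build() gives the
     * same bound without hand-written eviction.
     */
    private static final Map<Class<?>, Boolean> VERDICTS = Collections.synchronizedMap(
            new LinkedHashMap<Class<?>, Boolean>(64, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<Class<?>, Boolean> eldest) {
                    return size() > MAX_CACHED_CLASSES;
                }
            });

    private ProxyObjectGuard() {}

    /** True if the object itself (not merely a member declared on it) is a proxy. */
    public static boolean isProxyObject(Object value) {
        if (value == null) {
            return false;
        }
        // computeIfAbsent on a synchronizedMap is itself synchronized, so the
        // bounded map cannot grow past MAX_CACHED_CLASSES under concurrent use.
        return VERDICTS.computeIfAbsent(value.getClass(), ProxyObjectGuard::isProxyClass);
    }

    /** Per-class check: JDK dynamic proxies, CGLIB/Spring subclasses, Hibernate proxies. */
    static boolean isProxyClass(Class<?> clazz) {
        if (Proxy.isProxyClass(clazz)) {
            return true;                       // java.lang.reflect.Proxy instances
        }
        if (clazz.getName().contains("$$")) {
            return true;                       // CGLIB / Spring CGLIB naming convention (assumption)
        }
        // Name-based walk so this compiles without Hibernate on the classpath (assumption).
        return implementsInterfaceNamed(clazz, "org.hibernate.proxy.HibernateProxy");
    }

    private static boolean implementsInterfaceNamed(Class<?> clazz, String interfaceName) {
        for (Class<?> c = clazz; c != null; c = c.getSuperclass()) {
            for (Class<?> iface : c.getInterfaces()) {
                if (iface.getName().equals(interfaceName)
                        || implementsInterfaceNamed(iface, interfaceName)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Policy hook mirroring the two options from the issue:
     * disallowProxyMemberAccess only rejects members declared by a proxy class,
     * disallowProxyObjectAccess rejects the whole object. Returns true to block.
     */
    public static boolean shouldBlock(Object target, Class<?> memberDeclaringClass,
                                      boolean disallowProxyMemberAccess,
                                      boolean disallowProxyObjectAccess) {
        if (disallowProxyObjectAccess && isProxyObject(target)) {
            return true;
        }
        return disallowProxyMemberAccess
                && memberDeclaringClass != null
                && isProxyClass(memberDeclaringClass);
    }

    public static void main(String[] args) {
        Object plain = new Object();
        Runnable jdkProxy = (Runnable) Proxy.newProxyInstance(
                ProxyObjectGuard.class.getClassLoader(),
                new Class<?>[]{Runnable.class},
                (proxy, method, a) -> null);

        System.out.println("plain object is proxy: " + isProxyObject(plain));
        System.out.println("JDK proxy is proxy:    " + isProxyObject(jdkProxy));
        // toString() is declared on Object, not on the proxy class, so only the
        // object-level option blocks the call on a proxy target.
        System.out.println("member-level policy blocks toString on proxy: "
                + shouldBlock(jdkProxy, Object.class, true, false));
        System.out.println("object-level policy blocks toString on proxy: "
                + shouldBlock(jdkProxy, Object.class, false, true));
        System.out.println("cached class verdicts: " + VERDICTS.size());
    }
}
```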


[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies

2024-04-22 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=915905=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915905
 ]

ASF GitHub Bot logged work on WW-5407:
--

Author: ASF GitHub Bot
Created on: 22/Apr/24 21:35
Start Date: 22/Apr/24 21:35
Worklog Time Spent: 10m 
  Work Description: asf-ci commented on PR #234:
URL: https://github.com/apache/struts-site/pull/234#issuecomment-2070992717

   Staged site is ready at https://struts.staged.apache.org/




Issue Time Tracking
---

Worklog Id: (was: 915905)
Time Spent: 2h 40m  (was: 2.5h)

> Extend SecurityMemberAccess proxy detection to Hibernate proxies
> 
>
> Key: WW-5407
> URL: https://issues.apache.org/jira/browse/WW-5407
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 2h 40m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0

2024-04-22 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915771=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915771
 ]

ASF GitHub Bot logged work on WW-5419:
--

Author: ASF GitHub Bot
Created on: 22/Apr/24 09:19
Start Date: 22/Apr/24 09:19
Worklog Time Spent: 10m 
  Work Description: gregh3269 commented on PR #920:
URL: https://github.com/apache/struts/pull/920#issuecomment-2068902244

   Looks ok (for webapp/WEB-INF/*tiles*.xml)




Issue Time Tracking
---

Worklog Id: (was: 915771)
Time Spent: 1.5h  (was: 1h 20m)

> Autoloading of tiles.xml fails in Struts-6.4.0
> --
>
> Key: WW-5419
> URL: https://issues.apache.org/jira/browse/WW-5419
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Tiles
>Affects Versions: 6.4.0
>Reporter: Markus Fischer
>Assignee: Lukasz Lenart
>Priority: Blocker
> Fix For: 6.5.0
>
>  Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Starting in 6.4.0 a tiles definition in {{/WEB-INF/tiles.xml}} is not found 
> automatically anymore. The problem arises only if the definition in web.xml 
> contains no param section:
> {code:xml}
> <listener>
>     <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
> </listener>
> {code}
>  
> The workaround is to specify the specific location:
> {code:xml}
> <listener>
>     <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
> </listener>
> <context-param>
>     <param-name>org.apache.tiles.definition.DefinitionsFactory.DEFINITIONS_CONFIG</param-name>
>     <param-value>/WEB-INF/tiles.xml</param-value>
> </context-param>
> {code}
>  
> The issue has been introduced by this 
> [change|https://github.com/apache/struts/pull/896/commits/c7ae614824b4c158b9998575294d94fe9a746c41]





[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0

2024-04-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915741=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915741
 ]

ASF GitHub Bot logged work on WW-5419:
--

Author: ASF GitHub Bot
Created on: 22/Apr/24 04:56
Start Date: 22/Apr/24 04:56
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #920:
URL: https://github.com/apache/struts/pull/920#issuecomment-2068488890

   Quality Gate passed
   Issues: 2 New issues, 0 Accepted issues
   Measures: 0 Security Hotspots, 100.0% Coverage on New Code, 0.0% Duplication on New Code
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=920




Issue Time Tracking
---

Worklog Id: (was: 915741)
Time Spent: 1h 20m  (was: 1h 10m)

> Autoloading of tiles.xml fails in Struts-6.4.0
> --
>
> Key: WW-5419
> URL: https://issues.apache.org/jira/browse/WW-5419
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Tiles
>Affects Versions: 6.4.0
>Reporter: Markus Fischer
>Assignee: Lukasz Lenart
>Priority: Blocker
> Fix For: 6.5.0
>
>  Time Spent: 1h 20m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0

2024-04-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915740=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915740
 ]

ASF GitHub Bot logged work on WW-5419:
--

Author: ASF GitHub Bot
Created on: 22/Apr/24 04:50
Start Date: 22/Apr/24 04:50
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #920:
URL: https://github.com/apache/struts/pull/920#discussion_r1574120929


##
plugins/tiles/src/main/java/org/apache/struts2/tiles/StrutsTilesContainerFactory.java:
##
@@ -105,19 +102,8 @@ public class StrutsTilesContainerFactory extends 
BasicTilesContainerFactory {
 
 /**
  * Default pattern to be used to collect Tiles definitions if user didn't 
configure any
- *
- * @deprecated since Struts 6.4.0, use {@link #TILES_DEFAULT_PATTERNS} 
instead
  */
-@Deprecated
-public static final String TILES_DEFAULT_PATTERN = 
"/WEB-INF/**/tiles*.xml,classpath*:META-INF/**/tiles*.xml";
-
-/**
- * Default pattern to be used to collect Tiles definitions if user didn't 
configure any
- */
-public static final Set TILES_DEFAULT_PATTERNS = 
Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
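Review bot: the `-public static final Set TILES_DEFAULT_PATTERNS =` line deletes a public constant that shipped in 6.4.0, so any application code referencing it breaks in 6.5.0; keep the field and change only its value, and if removal is really intended, mark it `@Deprecated` for a release first, as was done for `TILES_DEFAULT_PATTERN`. The javadoc block ` * Default pattern to be used to collect Tiles definitions if user didn't configure any */` that the hunk keeps is also left without the declaration it documented in the visible lines, so check that it ends up attached to whatever field replaces the two removed ones.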

Review Comment:
   Right, fixed





Issue Time Tracking
---

Worklog Id: (was: 915740)
Time Spent: 1h 10m  (was: 1h)

> Autoloading of tiles.xml fails in Struts-6.4.0
> --
>
> Key: WW-5419
> URL: https://issues.apache.org/jira/browse/WW-5419
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Tiles
>Affects Versions: 6.4.0
>Reporter: Markus Fischer
>Assignee: Lukasz Lenart
>Priority: Blocker
> Fix For: 6.5.0
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0

2024-04-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915738=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915738
 ]

ASF GitHub Bot logged work on WW-5419:
--

Author: ASF GitHub Bot
Created on: 22/Apr/24 04:04
Start Date: 22/Apr/24 04:04
Worklog Time Spent: 10m 
  Work Description: kusalk commented on code in PR #920:
URL: https://github.com/apache/struts/pull/920#discussion_r1574096815


##
plugins/tiles/src/main/java/org/apache/struts2/tiles/StrutsTilesContainerFactory.java:
##
@@ -105,19 +102,8 @@ public class StrutsTilesContainerFactory extends 
BasicTilesContainerFactory {
 
 /**
  * Default pattern to be used to collect Tiles definitions if user didn't 
configure any
- *
- * @deprecated since Struts 6.4.0, use {@link #TILES_DEFAULT_PATTERNS} 
instead
  */
-@Deprecated
-public static final String TILES_DEFAULT_PATTERN = 
"/WEB-INF/**/tiles*.xml,classpath*:META-INF/**/tiles*.xml";
-
-/**
- * Default pattern to be used to collect Tiles definitions if user didn't 
configure any
- */
-public static final Set TILES_DEFAULT_PATTERNS = 
Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
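Review bot: the removed default `"/WEB-INF/**/tiles*.xml,classpath*:META-INF/**/tiles*.xml"` covered both the `/WEB-INF` tree and `classpath*:META-INF`, and the replacement value is not in the visible lines; confirm that the new default still resolves `/WEB-INF/tiles.xml`, the exact file the report says stopped being autoloaded, and that `META-INF` definitions on the classpath have not silently dropped out. A unit test that resolves the default pattern against both of those paths would pin the fix down.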

Review Comment:
   Technically you need to deprecate this since it's been released in 6.4.0. 
But also there's no need to create the set anew each time below. You can just 
keep this field as is and update the value like so:
   
   ```public static final Set TILES_DEFAULT_PATTERNS = 
TextParseUtil.commaDelimitedStringToSet("*tiles*.xml");```





Issue Time Tracking
---

Worklog Id: (was: 915738)
Time Spent: 1h  (was: 50m)

> Autoloading of tiles.xml fails in Struts-6.4.0
> --
>
> Key: WW-5419
> URL: https://issues.apache.org/jira/browse/WW-5419
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Tiles
>Affects Versions: 6.4.0
>Reporter: Markus Fischer
>Assignee: Lukasz Lenart
>Priority: Blocker
> Fix For: 6.5.0
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0

2024-04-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915700=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915700
 ]

ASF GitHub Bot logged work on WW-5419:
--

Author: ASF GitHub Bot
Created on: 21/Apr/24 12:17
Start Date: 21/Apr/24 12:17
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #920:
URL: https://github.com/apache/struts/pull/920#issuecomment-2068023444

   Quality Gate passed
   Issues: 0 New issues, 0 Accepted issues
   Measures: 0 Security Hotspots, 100.0% Coverage on New Code, 0.0% Duplication on New Code
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=920




Issue Time Tracking
---

Worklog Id: (was: 915700)
Time Spent: 50m  (was: 40m)

> Autoloading of tiles.xml fails in Struts-6.4.0
> --
>
> Key: WW-5419
> URL: https://issues.apache.org/jira/browse/WW-5419
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Tiles
>Affects Versions: 6.4.0
>Reporter: Markus Fischer
>Assignee: Lukasz Lenart
>Priority: Blocker
> Fix For: 6.5.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0

2024-04-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915699=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915699
 ]

ASF GitHub Bot logged work on WW-5419:
--

Author: ASF GitHub Bot
Created on: 21/Apr/24 11:49
Start Date: 21/Apr/24 11:49
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #920:
URL: https://github.com/apache/struts/pull/920#issuecomment-2068015616

   Quality Gate passed
   Issues: 1 New issue, 0 Accepted issues
   Measures: 0 Security Hotspots, 100.0% Coverage on New Code, 0.0% Duplication on New Code
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=920




Issue Time Tracking
---

Worklog Id: (was: 915699)
Time Spent: 40m  (was: 0.5h)

> Autoloading of tiles.xml fails in Struts-6.4.0
> --
>
> Key: WW-5419
> URL: https://issues.apache.org/jira/browse/WW-5419
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Tiles
>Affects Versions: 6.4.0
>Reporter: Markus Fischer
>Assignee: Lukasz Lenart
>Priority: Blocker
> Fix For: 6.5.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0

2024-04-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915696=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915696
 ]

ASF GitHub Bot logged work on WW-5419:
--

Author: ASF GitHub Bot
Created on: 21/Apr/24 08:51
Start Date: 21/Apr/24 08:51
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #920:
URL: https://github.com/apache/struts/pull/920#issuecomment-2067965128

   Quality Gate failed
   Failed conditions: 8 Security Hotspots; 28.6% Coverage on New Code (required ≥ 80%); 4.0% Duplication on New Code (required ≤ 3%); E Reliability Rating on New Code (required ≥ A); E Security Rating on New Code (required ≥ A)
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=920




Issue Time Tracking
---

Worklog Id: (was: 915696)
Time Spent: 0.5h  (was: 20m)

> Autoloading of tiles.xml fails in Struts-6.4.0
> --
>
> Key: WW-5419
> URL: https://issues.apache.org/jira/browse/WW-5419
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Tiles
>Affects Versions: 6.4.0
>Reporter: Markus Fischer
>Assignee: Lukasz Lenart
>Priority: Blocker
> Fix For: 6.5.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0

2024-04-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915695=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915695
 ]

ASF GitHub Bot logged work on WW-5419:
--

Author: ASF GitHub Bot
Created on: 21/Apr/24 08:44
Start Date: 21/Apr/24 08:44
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on PR #920:
URL: https://github.com/apache/struts/pull/920#issuecomment-2067963221

   /cc: @gregh3269 




Issue Time Tracking
---

Worklog Id: (was: 915695)
Time Spent: 20m  (was: 10m)

> Autoloading of tiles.xml fails in Struts-6.4.0
> --
>
> Key: WW-5419
> URL: https://issues.apache.org/jira/browse/WW-5419
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Tiles
>Affects Versions: 6.4.0
>Reporter: Markus Fischer
>Assignee: Lukasz Lenart
>Priority: Blocker
> Fix For: 6.5.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0

2024-04-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915694=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915694
 ]

ASF GitHub Bot logged work on WW-5419:
--

Author: ASF GitHub Bot
Created on: 21/Apr/24 08:43
Start Date: 21/Apr/24 08:43
Worklog Time Spent: 10m 
  Work Description: lukaszlenart opened a new pull request, #920:
URL: https://github.com/apache/struts/pull/920

   Closes [WW-5419](https://issues.apache.org/jira/browse/WW-5419)




Issue Time Tracking
---

Worklog Id: (was: 915694)
Remaining Estimate: 0h
Time Spent: 10m

> Autoloading of tiles.xml fails in Struts-6.4.0
> --
>
> Key: WW-5419
> URL: https://issues.apache.org/jira/browse/WW-5419
> Project: Struts 2
>  Issue Type: Bug
>  Components: Plugin - Tiles
>Affects Versions: 6.4.0
>Reporter: Markus Fischer
>Assignee: Lukasz Lenart
>Priority: Blocker
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies

2024-04-20 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=915687=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915687
 ]

ASF GitHub Bot logged work on WW-5407:
--

Author: ASF GitHub Bot
Created on: 20/Apr/24 21:38
Start Date: 20/Apr/24 21:38
Worklog Time Spent: 10m 
  Work Description: asf-ci commented on PR #234:
URL: https://github.com/apache/struts-site/pull/234#issuecomment-2067788162

   Staged site is ready at https://struts.staged.apache.org/




Issue Time Tracking
---

Worklog Id: (was: 915687)
Time Spent: 2.5h  (was: 2h 20m)

> Extend SecurityMemberAccess proxy detection to Hibernate proxies
> 
>
> Key: WW-5407
> URL: https://issues.apache.org/jira/browse/WW-5407
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 2.5h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5353) Implement stronger security defaults in Struts 7.0

2024-04-20 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5353?focusedWorklogId=915667=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915667
 ]

ASF GitHub Bot logged work on WW-5353:
--

Author: ASF GitHub Bot
Created on: 20/Apr/24 12:39
Start Date: 20/Apr/24 12:39
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #919:
URL: https://github.com/apache/struts/pull/919#issuecomment-2067661329

   Quality Gate failed
   Failed conditions: 76.9% Coverage on New Code (required ≥ 80%); C Reliability Rating on New Code (required ≥ A)
   See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=919




Issue Time Tracking
---

Worklog Id: (was: 915667)
Time Spent: 0.5h  (was: 20m)

> Implement stronger security defaults in Struts 7.0
> --
>
> Key: WW-5353
> URL: https://issues.apache.org/jira/browse/WW-5353
> Project: Struts 2
>  Issue Type: Improvement
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 7.0.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5353) Implement stronger security defaults in Struts 7.0

2024-04-20 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5353?focusedWorklogId=915663=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915663
 ]

ASF GitHub Bot logged work on WW-5353:
--

Author: ASF GitHub Bot
Created on: 20/Apr/24 12:00
Start Date: 20/Apr/24 12:00
Worklog Time Spent: 10m 
  Work Description: kusalk commented on code in PR #919:
URL: https://github.com/apache/struts/pull/919#discussion_r1573262299


##
core/src/main/java/org/apache/struts2/util/StrutsTestCaseHelper.java:
##
@@ -22,23 +22,26 @@
 import com.opensymphony.xwork2.inject.Container;
 import com.opensymphony.xwork2.util.ValueStack;
 import com.opensymphony.xwork2.util.ValueStackFactory;
-import org.apache.struts2.dispatcher.Dispatcher;
-import org.apache.struts2.dispatcher.DispatcherErrorHandler;
-
 import jakarta.servlet.ServletContext;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.apache.struts2.dispatcher.Dispatcher;
+import org.apache.struts2.dispatcher.DispatcherErrorHandler;
+
+import java.util.HashMap;
 import java.util.Map;
 
-import static java.util.Collections.emptyMap;
+import static org.apache.struts2.StrutsConstants.STRUTS_ALLOWLIST_ENABLE;
 
 /**
  * Generic test setup methods to be used with any unit testing framework.
  */
 public class StrutsTestCaseHelper {
 
 public static Dispatcher initDispatcher(ServletContext ctx, Map params) {
-Dispatcher du = new DispatcherWrapper(ctx, params != null ? params : 
emptyMap());
+var finalParams = new HashMap<>(params);
+finalParams.putIfAbsent(STRUTS_ALLOWLIST_ENABLE, "false");
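Review bot: `new HashMap<>(params)` throws a NullPointerException when `params` is null, whereas the removed `params != null ? params : emptyMap()` handled that case, so callers that relied on passing null to `initDispatcher` will now fail. Suggest `var finalParams = new HashMap<>(params != null ? params : Map.of());` (or keep the `emptyMap()` import). Also, because `STRUTS_ALLOWLIST_ENABLE` now defaults to `"false"` for every test dispatcher, at least one test should set it to `"true"` explicitly so the allowlist code path itself remains exercised.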

Review Comment:
   I think it makes sense to keep the allowlist disabled for unit tests as the 
auto-allowlisting is only effective in production applications





Issue Time Tracking
---

Worklog Id: (was: 915663)
Time Spent: 20m  (was: 10m)

> Implement stronger security defaults in Struts 7.0
> --
>
> Key: WW-5353
> URL: https://issues.apache.org/jira/browse/WW-5353
> Project: Struts 2
>  Issue Type: Improvement
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 7.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> {{struts.ognl.allowStaticFieldAccess=false}}
> {{struts.ognl.excludedNodeTypes=}}
> {{struts.ognl.expressionMaxLength=150}}
> {{struts.disallowDefaultPackageAccess=true}}
> {{struts.disallowProxyMemberAccess=true}}
> {{struts.parameters.requireAnnotations=true}}
> {{struts.ognl.disallowCustomOgnlMap=true}}
> {{struts.allowlist.enable=true}}





[jira] [Work logged] (WW-5353) Implement stronger security defaults in Struts 7.0

2024-04-20 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5353?focusedWorklogId=915660=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915660
 ]

ASF GitHub Bot logged work on WW-5353:
--

Author: ASF GitHub Bot
Created on: 20/Apr/24 11:09
Start Date: 20/Apr/24 11:09
Worklog Time Spent: 10m 
  Work Description: kusalk opened a new pull request, #919:
URL: https://github.com/apache/struts/pull/919

   WW-5353
   --




Issue Time Tracking
---

Worklog Id: (was: 915660)
Remaining Estimate: 0h
Time Spent: 10m

> Implement stronger security defaults in Struts 7.0
> --
>
> Key: WW-5353
> URL: https://issues.apache.org/jira/browse/WW-5353
> Project: Struts 2
>  Issue Type: Improvement
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 7.0.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> {{struts.ognl.allowStaticFieldAccess=false}}
> {{struts.ognl.excludedNodeTypes=}}
> {{struts.ognl.expressionMaxLength=150}}
> {{struts.disallowDefaultPackageAccess=true}}
> {{struts.disallowProxyMemberAccess=true}}
> {{struts.parameters.requireAnnotations=true}}
> {{struts.ognl.disallowCustomOgnlMap=true}}
> {{struts.allowlist.enable=true}}





[jira] [Work logged] (WW-5418) Patch Struts security bugs

2024-04-20 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5418?focusedWorklogId=915657=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915657
 ]

ASF GitHub Bot logged work on WW-5418:
--

Author: ASF GitHub Bot
Created on: 20/Apr/24 10:01
Start Date: 20/Apr/24 10:01
Worklog Time Spent: 10m 
  Work Description: kusalk merged PR #916:
URL: https://github.com/apache/struts/pull/916




Issue Time Tracking
---

Worklog Id: (was: 915657)
Time Spent: 40m  (was: 0.5h)

> Patch Struts security bugs
> --
>
> Key: WW-5418
> URL: https://issues.apache.org/jira/browse/WW-5418
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Critical
>  Labels: security
> Fix For: 6.5.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> This change includes:
> - Forbid accessing enums
> - Exclude Tomcat Jasper classes





[jira] [Work logged] (WW-5417) Patch OGNL security bugs

2024-04-19 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915480=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915480
 ]

ASF GitHub Bot logged work on WW-5417:
--

Author: ASF GitHub Bot
Created on: 19/Apr/24 07:47
Start Date: 19/Apr/24 07:47
Worklog Time Spent: 10m 
  Work Description: kusalk merged PR #915:
URL: https://github.com/apache/struts/pull/915




Issue Time Tracking
---

Worklog Id: (was: 915480)
Time Spent: 1h 50m  (was: 1h 40m)

> Patch OGNL security bugs
> 
>
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1h 50m
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable

2024-04-19 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=915479=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915479
 ]

ASF GitHub Bot logged work on WW-5409:
--

Author: ASF GitHub Bot
Created on: 19/Apr/24 07:47
Start Date: 19/Apr/24 07:47
Worklog Time Spent: 10m 
  Work Description: kusalk merged PR #914:
URL: https://github.com/apache/struts/pull/914




Issue Time Tracking
---

Worklog Id: (was: 915479)
Time Spent: 1h 10m  (was: 1h)

> Introduce final attribute to package elements which makes them unextendable
> ---
>
> Key: WW-5409
> URL: https://issues.apache.org/jira/browse/WW-5409
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts, but there are some 
> quirks that, if a developer is not aware of them, can lead to critical 
> vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element.
> Take the following package:
> {code:xml}
> 
>   
>   
> 
>   
> {code}
> If it is extended by another package like so:
> {code:xml}
> 
>   
>   
> 
>   
> {code}
> The second package will inherit Action1; however, it will behave very 
> differently in Package2, because it is no longer subject to the same 
> interceptors. The {{default-interceptor-ref}} value from the first package 
> does not apply to any action in the extending package, not even the ones 
> defined in the inherited one.
> This is not immediately obvious to many developers, especially those not very 
> familiar with Struts. They could simply have extended the package to obtain 
> access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially 
> sensitive packages as 'final' to prevent certain Actions from being inherited 
> by other packages.
> This would look like the following:
> {code:xml}
> 
>   
>   
> 
>   
> {code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
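A config lint for the quirk this issue describes, added here as an example and not part of the Struts project: it parses a struts.xml and reports packages that inherit actions from a parent whose default-interceptor-ref they override, plus any package that extends a parent marked final. The `final="true"` attribute syntax and the sample packages, stacks and class names are assumptions constructed for the example.

```python
"""Lint a struts.xml for the package-extension quirk described in WW-5409.

Added example, not Struts project code: it flags packages that inherit actions
from a parent whose <default-interceptor-ref> they override, and packages that
extend a parent marked final="true" (assumed syntax for the attribute this
issue introduces).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample mirroring the issue's Package1/Package2 scenario plus a
# final package; stack, action and class names are illustrative only.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <package name="Package1" extends="struts-default" namespace="/secure">
    <interceptors>
      <interceptor-stack name="authStack">
        <interceptor-ref name="roles"/>
        <interceptor-ref name="defaultStack"/>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="authStack"/>
    <action name="Action1" class="com.example.Action1"/>
  </package>
  <!-- Extends Package1 to reuse its elements but redeclares the default stack,
       so the inherited Action1 runs here without authStack. -->
  <package name="Package2" extends="Package1" namespace="/public">
    <default-interceptor-ref name="defaultStack"/>
    <action name="Action2" class="com.example.Action2"/>
  </package>
  <!-- Mitigation proposed in WW-5409: a final package cannot be extended. -->
  <package name="Package3" extends="struts-default" final="true">
    <default-interceptor-ref name="defaultStack"/>
    <action name="Action3" class="com.example.Action3"/>
  </package>
  <package name="Package4" extends="Package3"/>
</struts>
"""


@dataclass
class PackageInfo:
    name: str
    parents: List[str]          # from extends="a, b" (may list several)
    default_ref: Optional[str]  # <default-interceptor-ref name="..."/> if declared
    actions: List[str]          # actions declared directly in this package
    final: bool                 # final="true" (assumed attribute syntax)


@dataclass
class Finding:
    severity: str  # "ERROR", "WARN" or "INFO"
    package: str
    message: str


def parse_packages(xml_text: str) -> Dict[str, PackageInfo]:
    """Collect the per-package facts the lint needs, in document order."""
    packages: Dict[str, PackageInfo] = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        ref = pkg.find("default-interceptor-ref")
        packages[pkg.get("name")] = PackageInfo(
            name=pkg.get("name"),
            parents=[p.strip() for p in pkg.get("extends", "").split(",") if p.strip()],
            default_ref=ref.get("name") if ref is not None else None,
            actions=[a.get("name") for a in pkg.findall("action")],
            final=pkg.get("final", "false").lower() == "true",
        )
    return packages


def lint(packages: Dict[str, PackageInfo]) -> List[Finding]:
    """Report risky extension edges between packages defined in this file."""
    findings: List[Finding] = []
    for child in packages.values():
        for parent_name in child.parents:
            parent = packages.get(parent_name)
            if parent is None:
                continue  # e.g. struts-default, defined outside this file
            if parent.final:
                findings.append(Finding("ERROR", child.name,
                    f"extends '{parent_name}', which is declared final"))
            elif parent.actions and parent.default_ref is not None:
                if child.default_ref is None:
                    findings.append(Finding("INFO", child.name,
                        f"inherits {parent.actions} from '{parent_name}' without a "
                        "default-interceptor-ref of its own; confirm which stack applies"))
                elif child.default_ref != parent.default_ref:
                    findings.append(Finding("WARN", child.name,
                        f"inherits {parent.actions} from '{parent_name}' but runs them "
                        f"under '{child.default_ref}', not '{parent.default_ref}'"))
    return findings


if __name__ == "__main__":
    for f in lint(parse_packages(SAMPLE_STRUTS_XML)):
        print(f"{f.severity:5} {f.package}: {f.message}")
```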


[jira] [Work logged] (WW-5418) Patch Struts security bugs

2024-04-19 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5418?focusedWorklogId=915455=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915455
 ]

ASF GitHub Bot logged work on WW-5418:
--

Author: ASF GitHub Bot
Created on: 19/Apr/24 06:14
Start Date: 19/Apr/24 06:14
Worklog Time Spent: 10m 
  Work Description: kusalk commented on PR #916:
URL: https://github.com/apache/struts/pull/916#issuecomment-2065832941

   It is indeed - but I think the security benefits should come first in this 
scenario




Issue Time Tracking
---

Worklog Id: (was: 915455)
Time Spent: 0.5h  (was: 20m)

> Patch Struts security bugs
> --
>
> Key: WW-5418
> URL: https://issues.apache.org/jira/browse/WW-5418
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5417) Patch OGNL security bugs

2024-04-18 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915441=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915441
 ]

ASF GitHub Bot logged work on WW-5417:
--

Author: ASF GitHub Bot
Created on: 19/Apr/24 04:59
Start Date: 19/Apr/24 04:59
Worklog Time Spent: 10m 
  Work Description: jefferyxhy commented on code in PR #915:
URL: https://github.com/apache/struts/pull/915#discussion_r1571794179


##
pom.xml:
##
@@ -112,7 +112,7 @@
 9.6
 2.16.1
 2.23.1
-3.3.4
+3.3.5

Review Comment:
   @lukaszlenart updated with 3.3.5. Thanks





Issue Time Tracking
---

Worklog Id: (was: 915441)
Time Spent: 1.5h  (was: 1h 20m)

> Patch OGNL security bugs
> 
>
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1.5h
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5417) Patch OGNL security bugs

2024-04-18 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915442=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915442
 ]

ASF GitHub Bot logged work on WW-5417:
--

Author: ASF GitHub Bot
Created on: 19/Apr/24 04:59
Start Date: 19/Apr/24 04:59
Worklog Time Spent: 10m 
  Work Description: jefferyxhy commented on code in PR #915:
URL: https://github.com/apache/struts/pull/915#discussion_r1571794402


##
pom.xml:
##
@@ -112,7 +112,7 @@
 9.6
 2.16.1
 2.23.1
-3.3.4
+3.3.4-atlassian-1
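Review bot: `3.3.4-atlassian-1` is a forked artifact that, as noted later in this thread, is published only on the Atlassian package repository and not on Maven Central, so a default build cannot resolve it and CI will fail until the upstream `3.3.5` release exists. Pointing the build at a third-party repository for a core dependency also widens its supply-chain trust boundary; keep this coordinate as a short-lived placeholder and pin back to the upstream Central release (`3.3.5`) before merging.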

Review Comment:
   Updated. Thanks





Issue Time Tracking
---

Worklog Id: (was: 915442)
Time Spent: 1h 40m  (was: 1.5h)

> Patch OGNL security bugs
> 
>
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1h 40m
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5417) Patch OGNL security bugs

2024-04-18 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915438=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915438
 ]

ASF GitHub Bot logged work on WW-5417:
--

Author: ASF GitHub Bot
Created on: 19/Apr/24 04:55
Start Date: 19/Apr/24 04:55
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #915:
URL: https://github.com/apache/struts/pull/915#discussion_r1571790904


##
pom.xml:
##
@@ -112,7 +112,7 @@
 9.6
 2.16.1
 2.23.1
-3.3.4
+3.3.4-atlassian-1

Review Comment:
   Try to use the 3.3.5 version





Issue Time Tracking
---

Worklog Id: (was: 915438)
Time Spent: 1h 20m  (was: 1h 10m)

> Patch OGNL security bugs
> 
>
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1h 20m
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5406) Action excluded patterns are not updated following a configuration reload

2024-04-18 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5406?focusedWorklogId=915415=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915415
 ]

ASF GitHub Bot logged work on WW-5406:
--

Author: ASF GitHub Bot
Created on: 18/Apr/24 22:37
Start Date: 18/Apr/24 22:37
Worklog Time Spent: 10m 
  Work Description: kusalk merged PR #917:
URL: https://github.com/apache/struts/pull/917




Issue Time Tracking
---

Worklog Id: (was: 915415)
Time Spent: 2h 50m  (was: 2h 40m)

> Action excluded patterns are not updated following a configuration reload
> -
>
> Key: WW-5406
> URL: https://issues.apache.org/jira/browse/WW-5406
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 2h 50m
>  Remaining Estimate: 0h
>
> If {{struts.action.excludePattern}} or 
> {{struts.action.excludePattern.separator}} are updated during runtime, the 
> changes are not reflected in the application behaviour due to these constants 
> only being read exactly once. This is not consistent with all other 
> configuration which is re-injected following a configuration reload.





[jira] [Work logged] (WW-5406) Action excluded patterns are not updated following a configuration reload

2024-04-18 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5406?focusedWorklogId=915303=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915303
 ]

ASF GitHub Bot logged work on WW-5406:
--

Author: ASF GitHub Bot
Created on: 18/Apr/24 12:35
Start Date: 18/Apr/24 12:35
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #917:
URL: https://github.com/apache/struts/pull/917#issuecomment-2063764420

   ## Quality Gate passed
   Issues: 0 new issues, 0 accepted issues
   Measures: 0 security hotspots, 94.1% coverage on new code, 0.0% duplication on new code

   [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=917)





Issue Time Tracking
---

Worklog Id: (was: 915303)
Time Spent: 2h 40m  (was: 2.5h)

> Action excluded patterns are not updated following a configuration reload
> -
>
> Key: WW-5406
> URL: https://issues.apache.org/jira/browse/WW-5406
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> If {{struts.action.excludePattern}} or 
> {{struts.action.excludePattern.separator}} are updated during runtime, the 
> changes are not reflected in the application behaviour due to these constants 
> only being read exactly once. This is not consistent with all other 
> configuration which is re-injected following a configuration reload.





[jira] [Work logged] (WW-5406) Action excluded patterns are not updated following a configuration reload

2024-04-18 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5406?focusedWorklogId=915302=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915302
 ]

ASF GitHub Bot logged work on WW-5406:
--

Author: ASF GitHub Bot
Created on: 18/Apr/24 12:30
Start Date: 18/Apr/24 12:30
Worklog Time Spent: 10m 
  Work Description: kusalk opened a new pull request, #917:
URL: https://github.com/apache/struts/pull/917

   WW-5406
   --
   Fixing a minor bug I introduced with #910




Issue Time Tracking
---

Worklog Id: (was: 915302)
Time Spent: 2.5h  (was: 2h 20m)

> Action excluded patterns are not updated following a configuration reload
> -
>
> Key: WW-5406
> URL: https://issues.apache.org/jira/browse/WW-5406
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> If {{struts.action.excludePattern}} or 
> {{struts.action.excludePattern.separator}} are updated during runtime, the 
> changes are not reflected in the application behaviour due to these constants 
> only being read exactly once. This is not consistent with all other 
> configuration which is re-injected following a configuration reload.





[jira] [Work logged] (WW-5417) Patch OGNL security bugs

2024-04-17 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915219=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915219
 ]

ASF GitHub Bot logged work on WW-5417:
--

Author: ASF GitHub Bot
Created on: 18/Apr/24 01:24
Start Date: 18/Apr/24 01:24
Worklog Time Spent: 10m 
  Work Description: kusalk commented on PR #915:
URL: https://github.com/apache/struts/pull/915#issuecomment-2062827501

   The builds are failing as the Atlassian forked release is not on the Central 
repo, it is only available on [our 
repo](https://packages.atlassian.com/maven-external/ognl/ognl/3.3.4-atlassian-1/).
   Anyway, this PR is just preparing for the merge and release of the 
corresponding OGNL PR (https://github.com/orphan-oss/ognl/pull/264)




Issue Time Tracking
---

Worklog Id: (was: 915219)
Time Spent: 1h 10m  (was: 1h)

> Patch OGNL security bugs
> 
>
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5418) Patch Struts security bugs

2024-04-17 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5418?focusedWorklogId=915217=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915217
 ]

ASF GitHub Bot logged work on WW-5418:
--

Author: ASF GitHub Bot
Created on: 18/Apr/24 01:20
Start Date: 18/Apr/24 01:20
Worklog Time Spent: 10m 
  Work Description: sonarcloud[bot] commented on PR #916:
URL: https://github.com/apache/struts/pull/916#issuecomment-2062821751

   ## Quality Gate passed
   Issues: 0 new issues, 0 accepted issues
   Measures: 0 security hotspots, no data about coverage, 0.0% duplication on new code

   [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=916)





Issue Time Tracking
---

Worklog Id: (was: 915217)
Time Spent: 20m  (was: 10m)

> Patch Struts security bugs
> --
>
> Key: WW-5418
> URL: https://issues.apache.org/jira/browse/WW-5418
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5417) Patch OGNL security bugs

2024-04-17 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915218=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915218
 ]

ASF GitHub Bot logged work on WW-5417:
--

Author: ASF GitHub Bot
Created on: 18/Apr/24 01:20
Start Date: 18/Apr/24 01:20
Worklog Time Spent: 10m 
  Work Description: kusalk commented on PR #915:
URL: https://github.com/apache/struts/pull/915#issuecomment-2062822004

   Remaining tests are variations for full coverage and to prevent regressions




Issue Time Tracking
---

Worklog Id: (was: 915218)
Time Spent: 1h  (was: 50m)

> Patch OGNL security bugs
> 
>
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5417) Patch OGNL security bugs

2024-04-17 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915216=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915216
 ]

ASF GitHub Bot logged work on WW-5417:
--

Author: ASF GitHub Bot
Created on: 18/Apr/24 01:20
Start Date: 18/Apr/24 01:20
Worklog Time Spent: 10m 
  Work Description: kusalk commented on code in PR #915:
URL: https://github.com/apache/struts/pull/915#discussion_r1569763288


##
core/src/test/java/org/apache/struts2/ognl/OgnlSetPossiblePropertyTest.java:
##
@@ -0,0 +1,240 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts2.ognl;
+
+import com.opensymphony.xwork2.XWorkTestCase;
+import com.opensymphony.xwork2.ognl.OgnlValueStack;
+import com.opensymphony.xwork2.util.ValueStackFactory;
+import ognl.OgnlRuntime;
+import org.apache.struts2.StrutsConstants;
+
+import java.lang.reflect.Method;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.junit.Assert.assertNotEquals;
+
+public class OgnlSetPossiblePropertyTest extends XWorkTestCase {
+private OgnlValueStack vs;
+
+public  T setUpClass(Class holderClass) throws Exception {
+Map properties = new HashMap<>();
+properties.put(StrutsConstants.STRUTS_EXCLUDED_CLASSES, 
holderClass.getName() + "$ExcludedField");
+loadButSet(properties);
+vs = (OgnlValueStack) 
container.getInstance(ValueStackFactory.class).createValueStack();
+
+T nonExcludedHolder = 
holderClass.getDeclaredConstructor().newInstance();
+vs.push(nonExcludedHolder);
+
+return nonExcludedHolder;
+}
+
+public void 
testSetFieldValueDontAssignWhenHolderClassAndFieldClassHaveOnlyPublicFields() 
throws Exception {
+/* Case: to test setFieldValue without having set method
+ *
+ *  NonExcludedHolder class
+ *   - field: public
+ *  ExcludeField class
+ *   - field: public
+ */
+HolderWithPublicField holder = setUpClass(HolderWithPublicField.class);
+vs.setValue("excludedField.excludedFieldString", "EXPLOITED");
+
+assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString);
+}
+
+public void 
testSetMethodValueDontAssignWhenHolderAndFieldClassWithPublicMethodsAndPrivateFields()
 throws Exception {
+/* Case: to test setMethodValue, so to make fields as private
+ *
+ *  NonExcludedHolder class
+ *   - field: private
+ *   - method: public
+ *  ExcludeField class
+ *   - field: private
+ *   - method: public
+ */
+HolderWithPublicMethod holder = 
setUpClass(HolderWithPublicMethod.class);
+vs.setValue("excludedField.excludedFieldString", "EXPLOITED");
+
+assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString);
+}
+
+public void 
testSetFieldValueDontAssignWhenHolderClassWithGetMethodAndFieldClassWithPublicField()
 throws Exception {
+/* Case: to test setFieldValue when holder get method is public and 
field class set method is private so fallback to set field
+ *
+ *  NonExcludedHolder class
+ *   - field: private
+ *   - method: public
+ *  ExcludeField class
+ *   - field: public
+ *   - method: private
+ */
+HolderWhoseFieldWithPrivateMethod holder = 
setUpClass(HolderWhoseFieldWithPrivateMethod.class);
+vs.setValue("excludedField.excludedFieldString", "EXPLOITED");
+
+assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString);
+}
+
+public void 
testSetMethodValueDontAssignWhenHolderClassWithGetMethodAndFieldClassWithPublicMethod()
 throws Exception {
+/* Case: to test setMethodValue when holder get method is public and 
field class field is private so only call to set method
+ *
+ *  NonExcludedHolder class
+ *   - field: private
+ *   - method: public
+ *  ExcludeField class
+ *   - field: private
+ *   - method: public
+ */
+HolderWhoseFieldWithPublicMethod 
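Review bot: the `assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString)` checks in each test are negative assertions, so they also pass if `vs.setValue` silently did nothing at all or the holder was never wired onto the stack; assert the field's original value instead (`assertEquals(initial, holder.excludedField.excludedFieldString)`) and add a positive control that writes a non-excluded property through the same `vs.setValue` path, so the tests show it is the `STRUTS_EXCLUDED_CLASSES` exclusion and not a broken stack that blocked the write. `ognl.OgnlRuntime` and `java.lang.reflect.Method` are imported but unused in the portion shown; drop them if the rest of the file does not need them.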

[jira] [Work logged] (WW-5417) Patch OGNL security bugs

2024-04-17 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915215=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915215
 ]

ASF GitHub Bot logged work on WW-5417:
--

Author: ASF GitHub Bot
Created on: 18/Apr/24 01:19
Start Date: 18/Apr/24 01:19
Worklog Time Spent: 10m 
  Work Description: kusalk commented on code in PR #915:
URL: https://github.com/apache/struts/pull/915#discussion_r1569762650


##
core/src/test/java/org/apache/struts2/ognl/OgnlSetPossiblePropertyTest.java:
##
@@ -0,0 +1,240 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts2.ognl;
+
+import com.opensymphony.xwork2.XWorkTestCase;
+import com.opensymphony.xwork2.ognl.OgnlValueStack;
+import com.opensymphony.xwork2.util.ValueStackFactory;
+import ognl.OgnlRuntime;
+import org.apache.struts2.StrutsConstants;
+
+import java.lang.reflect.Method;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.junit.Assert.assertNotEquals;
+
+public class OgnlSetPossiblePropertyTest extends XWorkTestCase {
+private OgnlValueStack vs;
+
+public  T setUpClass(Class holderClass) throws Exception {
+Map properties = new HashMap<>();
+properties.put(StrutsConstants.STRUTS_EXCLUDED_CLASSES, 
holderClass.getName() + "$ExcludedField");
+loadButSet(properties);
+vs = (OgnlValueStack) 
container.getInstance(ValueStackFactory.class).createValueStack();
+
+T nonExcludedHolder = 
holderClass.getDeclaredConstructor().newInstance();
+vs.push(nonExcludedHolder);
+
+return nonExcludedHolder;
+}
+
+public void 
testSetFieldValueDontAssignWhenHolderClassAndFieldClassHaveOnlyPublicFields() 
throws Exception {
+/* Case: to test setFieldValue without having set method
+ *
+ *  NonExcludedHolder class
+ *   - field: public
+ *  ExcludeField class
+ *   - field: public
+ */
+HolderWithPublicField holder = setUpClass(HolderWithPublicField.class);
+vs.setValue("excludedField.excludedFieldString", "EXPLOITED");
+
+assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString);
+}
+
+public void 
testSetMethodValueDontAssignWhenHolderAndFieldClassWithPublicMethodsAndPrivateFields()
 throws Exception {
+/* Case: to test setMethodValue, so to make fields as private
+ *
+ *  NonExcludedHolder class
+ *   - field: private
+ *   - method: public
+ *  ExcludeField class
+ *   - field: private
+ *   - method: public
+ */
+HolderWithPublicMethod holder = 
setUpClass(HolderWithPublicMethod.class);
+vs.setValue("excludedField.excludedFieldString", "EXPLOITED");
+
+assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString);
+}
+
+public void 
testSetFieldValueDontAssignWhenHolderClassWithGetMethodAndFieldClassWithPublicField()
 throws Exception {
+/* Case: to test setFieldValue when holder get method is public and 
field class set method is private so fallback to set field
+ *
+ *  NonExcludedHolder class
+ *   - field: private
+ *   - method: public
+ *  ExcludeField class
+ *   - field: public
+ *   - method: private
+ */
+HolderWhoseFieldWithPrivateMethod holder = 
setUpClass(HolderWhoseFieldWithPrivateMethod.class);
+vs.setValue("excludedField.excludedFieldString", "EXPLOITED");
+
+assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString);
+}
+
+public void 
testSetMethodValueDontAssignWhenHolderClassWithGetMethodAndFieldClassWithPublicMethod()
 throws Exception {
+/* Case: to test setMethodValue when holder get method is public and 
field class field is private so only call to set method
+ *
+ *  NonExcludedHolder class
+ *   - field: private
+ *   - method: public
+ *  ExcludeField class
+ *   - field: private
+ *   - method: public
+ */
+HolderWhoseFieldWithPublicMethod 

[jira] [Work logged] (WW-5417) Patch OGNL security bugs

2024-04-17 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915214=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915214
 ]

ASF GitHub Bot logged work on WW-5417:
--

Author: ASF GitHub Bot
Created on: 18/Apr/24 01:15
Start Date: 18/Apr/24 01:15
Worklog Time Spent: 10m 
  Work Description: jefferyxhy commented on code in PR #915:
URL: https://github.com/apache/struts/pull/915#discussion_r1569753380


##
pom.xml:
##
@@ -112,7 +112,7 @@
 9.6
 2.16.1
 2.23.1
-3.3.4
+3.3.4-atlassian-1
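Review bot: `3.3.4-atlassian-1` is a vendor-suffixed build rather than an upstream OGNL release, so the review should record which repository publishes that artifact and verify its provenance (checksum or signature against what the fork published) before the build depends on it; also track the move back to the upstream 3.3.5 line as an issue rather than only in this comment, so the temporary pin is not left behind once the PR is merged.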

Review Comment:
   To be replaced with 3.3.5 once released [OGNL patch 
PR](https://github.com/orphan-oss/ognl/pull/264)





Issue Time Tracking
---

Worklog Id: (was: 915214)
Time Spent: 0.5h  (was: 20m)

> Patch OGNL security bugs
> 
>
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (WW-5418) Patch Struts security bugs

2024-04-17 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5418?focusedWorklogId=915213=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915213
 ]

ASF GitHub Bot logged work on WW-5418:
--

Author: ASF GitHub Bot
Created on: 18/Apr/24 01:14
Start Date: 18/Apr/24 01:14
Worklog Time Spent: 10m 
  Work Description: kusalk opened a new pull request, #916:
URL: https://github.com/apache/struts/pull/916

   WW-5418
   --




Issue Time Tracking
---

Worklog Id: (was: 915213)
Remaining Estimate: 0h
Time Spent: 10m

> Patch Struts security bugs
> --
>
> Key: WW-5418
> URL: https://issues.apache.org/jira/browse/WW-5418
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5417) Patch OGNL security bugs

2024-04-17 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915212=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915212
 ]

ASF GitHub Bot logged work on WW-5417:
--

Author: ASF GitHub Bot
Created on: 18/Apr/24 01:08
Start Date: 18/Apr/24 01:08
Worklog Time Spent: 10m 
  Work Description: jefferyxhy commented on code in PR #915:
URL: https://github.com/apache/struts/pull/915#discussion_r1569753380


##
pom.xml:
##
@@ -112,7 +112,7 @@
 9.6
 2.16.1
 2.23.1
-3.3.4
+3.3.4-atlassian-1

Review Comment:
   To be replaced with 3.3.5 once released [OGNL patch 
PR](https://github.com/orphan-oss/ognl/pull/263)





Issue Time Tracking
---

Worklog Id: (was: 915212)
Time Spent: 20m  (was: 10m)

> Patch OGNL security bugs
> 
>
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>






[jira] [Work logged] (WW-5417) Patch OGNL security bugs

2024-04-17 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915211=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915211
 ]

ASF GitHub Bot logged work on WW-5417:
--

Author: ASF GitHub Bot
Created on: 18/Apr/24 01:06
Start Date: 18/Apr/24 01:06
Worklog Time Spent: 10m 
  Work Description: jefferyxhy opened a new pull request, #915:
URL: https://github.com/apache/struts/pull/915

   WW-5417
   
   bump the Ognl version to fix the security issue that 
`ObjectPropertyAccessor#setPossibleProperty` bypasses the SecurityMemberAccess rights 
check. 
   
   
   
   *** From [Ognl 
PR](https://github.com/orphan-oss/ognl/pull/263) ***
   
   `OgnlRuntime.setFieldValue` doesn't check member access rights via 
`MemberAccess` interface
   

   
   **Reason**
   
   * Investigation shows that `getMethodValue` / `setMethodValue` / 
`getFieldValue` are all updated with the member access rights check, but not 
`setFieldValue`, which leaves `ObjectPropertyAccessor#setPossibleProperty` 
exposed to a security vuln.
   * `ObjectPropertyAccessor#setPossibleProperty` has a fallback mechanism 
using `getWriteMethod` which also lacks the member access rights check


   
   **Changes/ Solution**
   
   * add field member access check to `OgnlRuntime#setFieldValue` that is 
controlled by parameter `checkAccessAndExistence`
   * add method member access check to 
`ObjectPropertyAccessor#setPossibleProperty` code block that uses 
`OgnlRuntime#getWriteMethod`


   
   **Result & Impact**
   now `ObjectPropertyAccessor#setPossibleProperty` will also check member 
access rights when it falls back to:
   * OgnlRuntime.setFieldValue
   * method invoke that is from OgnlRuntime.getWriteMethod




Issue Time Tracking
---

Worklog Id: (was: 915211)
Remaining Estimate: 0h
Time Spent: 10m

> Patch OGNL security bugs
> 
>
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>




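To make the gap the PR describes concrete, here is an added example (constructed for this page; it is not code from OGNL, Struts or PR #915) of a reflective property writer that consults an access policy on the setter-method path but not on the field-write fallback, beside the hardened form that checks both paths. `MemberPolicy`, `ClassExclusionPolicy`, `PropertySetter` and `ExcludedFieldHolder` are assumed names standing in for `MemberAccess`, `SecurityMemberAccess`, `ObjectPropertyAccessor#setPossibleProperty` and the `ExcludeField` classes in the test hunk above; the class-exclusion rule mirrors those tests, where the excluded class has a public field and no public setter so that the field fallback is the path taken.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Set;

public class MemberAccessFallbackDemo {

    /** Constructed stand-in for OGNL's MemberAccess: one allow/deny decision per reflective member. */
    interface MemberPolicy {
        boolean isAccessible(Object target, Member member);
    }

    /** Deny every member of an excluded class, and non-public members everywhere.
     *  (SecurityMemberAccess also applies package block lists; omitted in this example.) */
    static final class ClassExclusionPolicy implements MemberPolicy {
        private final Set<Class<?>> excludedClasses;

        ClassExclusionPolicy(Set<Class<?>> excludedClasses) {
            this.excludedClasses = excludedClasses;
        }

        @Override
        public boolean isAccessible(Object target, Member member) {
            return !excludedClasses.contains(member.getDeclaringClass())
                    && Modifier.isPublic(member.getModifiers());
        }
    }

    /** Constructed target, like the page's "ExcludeField" case with a public field and no public setter. */
    public static class ExcludedFieldHolder {
        public String excludedFieldString = "initial";
    }

    /** Property writer with the two paths setPossibleProperty has: setter method first, field write as fallback. */
    static final class PropertySetter {
        private final MemberPolicy policy;
        private final boolean checkFieldFallback;   // false reproduces the reported gap

        PropertySetter(MemberPolicy policy, boolean checkFieldFallback) {
            this.policy = policy;
            this.checkFieldFallback = checkFieldFallback;
        }

        void setValue(Object target, String property, Object value) throws ReflectiveOperationException {
            Method setter = findPublicSetter(target.getClass(), property);
            if (setter != null) {
                // The method path was already guarded before the fix.
                if (!policy.isAccessible(target, setter)) {
                    throw new IllegalAccessException("setter access denied: " + setter);
                }
                setter.invoke(target, value);
                return;
            }
            // Fallback to a direct field write: this is the path that lacked the check.
            Field field = target.getClass().getDeclaredField(property);
            if (checkFieldFallback && !policy.isAccessible(target, field)) {
                throw new IllegalAccessException("field access denied: " + field);
            }
            field.set(target, value);
        }

        private static Method findPublicSetter(Class<?> type, String property) {
            String name = "set" + Character.toUpperCase(property.charAt(0)) + property.substring(1);
            for (Method m : type.getMethods()) {            // getMethods() returns public methods only
                if (m.getName().equals(name) && m.getParameterCount() == 1) {
                    return m;
                }
            }
            return null;
        }
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        MemberPolicy policy = new ClassExclusionPolicy(Set.<Class<?>>of(ExcludedFieldHolder.class));

        // Before the fix: no setter exists, the field fallback is taken unchecked and the excluded class is written.
        ExcludedFieldHolder unchecked = new ExcludedFieldHolder();
        new PropertySetter(policy, false).setValue(unchecked, "excludedFieldString", "EXPLOITED");
        System.out.println("unchecked fallback wrote: " + unchecked.excludedFieldString);

        // After the fix: the same fallback consults the policy and is refused, so the value is unchanged.
        ExcludedFieldHolder checked = new ExcludedFieldHolder();
        try {
            new PropertySetter(policy, true).setValue(checked, "excludedFieldString", "EXPLOITED");
        } catch (IllegalAccessException denied) {
            System.out.println("checked fallback refused: " + denied.getMessage());
        }
        System.out.println("value after checked attempt: " + checked.excludedFieldString);
    }
}
```

The design point is that the policy decision must sit at every reflective write, not at the first branch: a guard on the setter path alone is defeated by any target whose setter is absent or non-public, because the fallback then runs with no check at all, which is exactly the shape of the `setFieldValue` and `getWriteMethod` paths the PR closes.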


[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914447=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914447
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 12/Apr/24 17:42
Start Date: 12/Apr/24 17:42
Worklog Time Spent: 10m 
  Work Description: eschulma commented on code in PR #913:
URL: https://github.com/apache/struts/pull/913#discussion_r1562942223


##
core/src/main/java/org/apache/struts2/interceptor/csp/CspSettings.java:
##
@@ -56,6 +57,11 @@ public interface CspSettings {
  */
 void setReportUri(String uri);
 
+/**
+ * Sets the report group where csp violation reports will be sent
+ */
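Review bot: the new Javadoc should spell "CSP" in capitals and say how the report group relates to `setReportUri` directly above it: `report-uri` is the legacy directive, while a report group is a name that the `report-to` directive resolves through a separate `Reporting-Endpoints` (or `Report-To`) response header, so setting a group without that header being emitted sends no reports; state whether the interceptor emits that header or the caller must, and add the `@since` tag requested elsewhere in this review.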

Review Comment:
   Done





Issue Time Tracking
---

Worklog Id: (was: 914447)
Time Spent: 1h 10m  (was: 1h)

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Erica Kane
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor 
> provides an elegant solution with the script and link tags. However, 
> I want to set my own base-uri. And perhaps make some other changes to the CSP 
> headers.
> But these values are not accessible. Only the report-only and report-uri can 
> be changed. Even if one is willing to work at the Action level and implement 
> a new interface for all of them, I can't change the base-uri. I've seen 
> people on Stack Overflow disable it for this reason. I want to use it, but 
> could someone please explain how to set the base-uri globally? If not, I will 
> likely have to make my own.
> P.S. I will update the documentation page. Nowhere in the description of the 
> interceptor does it mention the script and link tags, and without those, it 
> is useless!





[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914446=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914446
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 12/Apr/24 17:41
Start Date: 12/Apr/24 17:41
Worklog Time Spent: 10m 
  Work Description: eschulma commented on code in PR #913:
URL: https://github.com/apache/struts/pull/913#discussion_r1562941786


##
core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java:
##
@@ -124,4 +153,11 @@ public void setPrependServletContext(boolean 
prependServletContext) {
 this.prependServletContext = prependServletContext;
 }
 
-}
+/**
+ * Sets the class name of the default {@link CspSettings} implementation 
to use when the action does not
+ * set its own values. If not set, the default is {@link 
DefaultCspSettings}.
+ */

Review Comment:
   Done





Issue Time Tracking
---

Worklog Id: (was: 914446)
Time Spent: 1h  (was: 50m)

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Erica Kane
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies

2024-04-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=914383=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914383
 ]

ASF GitHub Bot logged work on WW-5407:
--

Author: ASF GitHub Bot
Created on: 12/Apr/24 10:40
Start Date: 12/Apr/24 10:40
Worklog Time Spent: 10m 
  Work Description: asf-ci commented on PR #234:
URL: https://github.com/apache/struts-site/pull/234#issuecomment-2051510850

   Staged site is ready at https://struts.staged.apache.org/




Issue Time Tracking
---

Worklog Id: (was: 914383)
Time Spent: 2h 20m  (was: 2h 10m)

> Extend SecurityMemberAccess proxy detection to Hibernate proxies
> 
>
> Key: WW-5407
> URL: https://issues.apache.org/jira/browse/WW-5407
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> The current option {{struts.disallowProxyMemberAccess}} does not have any 
> logic to detect Hibernate proxies which may also present a security risk.
> Additionally, the current option only forbids access to members which 
> originate from a proxy. However, it makes more sense to forbid access to 
> proxy objects entirely. This is because proxying is often used for sensitive 
> instances, application beans or Hibernate objects, none of which is safe to 
> be accessed or manipulated via OGNL. Thus, let's introduce an additional 
> option {{struts.disallowProxyObjectAccess}} which will offer stronger 
> protection.
> Finally, the caching mechanism in the ProxyUtil class uses an unbounded map; 
> this can potentially be attacked and lead to a memory leak or DoS. Let's 
> replace it with a Caffeine cache as we have done previously for the OGNL 
> expression cache.





[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies

2024-04-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=914381=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914381
 ]

ASF GitHub Bot logged work on WW-5407:
--

Author: ASF GitHub Bot
Created on: 12/Apr/24 10:36
Start Date: 12/Apr/24 10:36
Worklog Time Spent: 10m 
  Work Description: kusalk commented on code in PR #234:
URL: https://github.com/apache/struts-site/pull/234#discussion_r1562373763


##
source/security/index.md:
##
@@ -433,10 +433,16 @@ with other known dangerous classes or packages in your 
application.
 
 We additionally recommend enabling the following options (enabled by default 
in 7.0).
 
- * `struts.ognl.allowStaticFieldAccess=false` - static methods are always 
blocked, but static fields can also optionally be blocked
- * `struts.disallowProxyMemberAccess=true` - disallow proxied objects from 
being used in OGNL expressions as they may present a security risk
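Review bot: the removed bullets include the `struts.disallowProxyMemberAccess=true` recommendation, and the replacement lines are not in the quoted hunk; whatever replaces them should name `struts.disallowProxyObjectAccess` as the recommended setting (per WW-5407 it rejects the proxy object itself rather than only members that originate from a proxy), keep `struts.disallowProxyMemberAccess` documented as the weaker fallback for applications that cannot yet block proxy objects entirely, and still carry the `struts.ognl.allowStaticFieldAccess=false` bullet, which is unrelated to the proxy change.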

Review Comment:
   I think it's best we push developers to use 
`struts.disallowProxyObjectAccess` rather than 
`struts.disallowProxyMemberAccess`





Issue Time Tracking
---

Worklog Id: (was: 914381)
Time Spent: 2h 10m  (was: 2h)

> Extend SecurityMemberAccess proxy detection to Hibernate proxies
> 
>
> Key: WW-5407
> URL: https://issues.apache.org/jira/browse/WW-5407
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 2h 10m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies

2024-04-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=914380=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914380
 ]

ASF GitHub Bot logged work on WW-5407:
--

Author: ASF GitHub Bot
Created on: 12/Apr/24 10:36
Start Date: 12/Apr/24 10:36
Worklog Time Spent: 10m 
  Work Description: kusalk opened a new pull request, #234:
URL: https://github.com/apache/struts-site/pull/234

   WW-5407 WW-5408
   --




Issue Time Tracking
---

Worklog Id: (was: 914380)
Time Spent: 2h  (was: 1h 50m)

> Extend SecurityMemberAccess proxy detection to Hibernate proxies
> 
>
> Key: WW-5407
> URL: https://issues.apache.org/jira/browse/WW-5407
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 2h
>  Remaining Estimate: 0h
>



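The proxy-object check and bounded cache that WW-5407 proposes, as an added example that is not Struts' `ProxyUtil` or `SecurityMemberAccess` code: `ProxyGuard` (an assumed name) treats an object as a proxy when its class is a JDK dynamic proxy, implements an interface named `org.hibernate.proxy.HibernateProxy` (checked by name so the example needs no Hibernate jar), or carries the `$$` marker that CGLIB-style subclass proxies put in generated class names; that last rule is a heuristic assumed for this example, not the framework's detection. The verdict is cached per class in an LRU `LinkedHashMap` with a hard size limit, standing in for the Caffeine cache the issue adopts, so an attacker-controlled stream of distinct classes cannot grow the map without bound.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

public final class ProxyGuard {

    /** Hibernate marks its entity proxies with this interface; matched by name to avoid the dependency. */
    private static final String HIBERNATE_PROXY_INTERFACE = "org.hibernate.proxy.HibernateProxy";

    /** Bounded, access-ordered LRU cache of per-class verdicts. An unbounded map here is the DoS risk the issue flags. */
    private final Map<Class<?>, Boolean> verdictCache;

    public ProxyGuard(int maxCachedClasses) {
        this.verdictCache = Collections.synchronizedMap(new LinkedHashMap<Class<?>, Boolean>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<Class<?>, Boolean> eldest) {
                return size() > maxCachedClasses;
            }
        });
    }

    /** True when the object is any kind of proxy and should be refused by the expression evaluator. */
    public boolean isProxyObject(Object candidate) {
        if (candidate == null) {
            return false;
        }
        return verdictCache.computeIfAbsent(candidate.getClass(), ProxyGuard::classifyClass);
    }

    public int cachedClassCount() {
        return verdictCache.size();
    }

    private static boolean classifyClass(Class<?> type) {
        if (Proxy.isProxyClass(type)) {
            return true;                                   // java.lang.reflect.Proxy instance
        }
        for (Class<?> c = type; c != null; c = c.getSuperclass()) {
            for (Class<?> iface : c.getInterfaces()) {
                if (HIBERNATE_PROXY_INTERFACE.equals(iface.getName())) {
                    return true;                           // Hibernate entity proxy
                }
            }
        }
        // Assumed heuristic for this example: CGLIB/ByteBuddy subclass proxies carry "$$" in the class name.
        return type.getName().contains("$$");
    }

    // ---- demonstration with a constructed JDK dynamic proxy next to a plain object ----

    public interface Account {
        String owner();
    }

    public static final class PlainAccount implements Account {
        @Override
        public String owner() {
            return "alice";                                // constructed sample data
        }
    }

    public static void main(String[] args) {
        ProxyGuard guard = new ProxyGuard(1_000);

        Account plain = new PlainAccount();
        InvocationHandler passThrough = (proxy, method, methodArgs) -> method.invoke(plain, methodArgs);
        Account proxied = (Account) Proxy.newProxyInstance(
                Account.class.getClassLoader(), new Class<?>[] {Account.class}, passThrough);

        System.out.println("owner via proxy:        " + proxied.owner());
        System.out.println("plain object is proxy:  " + guard.isProxyObject(plain));
        System.out.println("dynamic proxy is proxy: " + guard.isProxyObject(proxied));
        System.out.println("cached classes:         " + guard.cachedClassCount());
    }
}
```

Refusing the proxy object outright, rather than only the members that resolve to the proxy's own class, is what the issue calls `struts.disallowProxyObjectAccess`: with a member-level rule an expression can still obtain the proxy and pass it on, whereas an object-level rule stops the evaluation at the first reference.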


[jira] [Work logged] (WW-5408) Add option to NOT fallback to empty namespace when unresolved

2024-04-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5408?focusedWorklogId=914352=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914352
 ]

ASF GitHub Bot logged work on WW-5408:
--

Author: ASF GitHub Bot
Created on: 12/Apr/24 07:58
Start Date: 12/Apr/24 07:58
Worklog Time Spent: 10m 
  Work Description: kusalk merged PR #912:
URL: https://github.com/apache/struts/pull/912




Issue Time Tracking
---

Worklog Id: (was: 914352)
Time Spent: 1h 40m  (was: 1.5h)

> Add option to NOT fallback to empty namespace when unresolved
> -
>
> Key: WW-5408
> URL: https://issues.apache.org/jira/browse/WW-5408
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Currently, when a namespace cannot be resolved from a request URL, it falls 
> back to the empty namespace.
> This effectively allows all Actions which are defined for the empty namespace 
> to be accessed from an infinite number of endpoints.
> For example, you may have an Action defined in the empty namespace, intended 
> for access at:
> {{www.domain.com/login.action}}
> However, due to the current fallback behaviour, this Action can actually be 
> accessed at any non-resolving namespace, e.g.:
> {{www.domain.com/what/about/this/login.action}}
> This behaviour is not usually beneficial and could lead to bugs if a 
> developer only expects their Action to be accessible at a very specific URL. 
> Many developers may not be aware of these Action resolving quirks of Struts.
> As far as I can tell, there is not currently an option to prevent this 
> behaviour, so I propose we add one.



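A constructed model of the namespace fallback the issue describes (an added example, not Struts' own action mapper or runtime configuration code): `ActionRegistry` (assumed name) splits a request path into namespace and action name, looks the pair up, and when `fallbackToEmptyNamespace` is on retries the empty namespace, which is the behaviour the issue wants an option to switch off. The registered action classes under `com.example` are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public final class NamespaceResolutionDemo {

    /** Constructed action registry keyed by (namespace, action name), like a struts.xml with two packages. */
    static final class ActionRegistry {
        private final Map<String, Map<String, String>> byNamespace = new HashMap<>();
        private final boolean fallbackToEmptyNamespace;   // stands in for the option the issue proposes

        ActionRegistry(boolean fallbackToEmptyNamespace) {
            this.fallbackToEmptyNamespace = fallbackToEmptyNamespace;
        }

        void register(String namespace, String actionName, String actionClass) {
            byNamespace.computeIfAbsent(namespace, k -> new HashMap<>()).put(actionName, actionClass);
        }

        /** Resolve a request path; with fallback on, an unknown namespace is retried as the empty namespace. */
        Optional<String> resolve(String requestPath) {
            int slash = requestPath.lastIndexOf('/');
            String namespace = slash <= 0 ? "" : requestPath.substring(0, slash);
            String actionName = requestPath.substring(slash + 1).replaceFirst("\\.action$", "");

            String hit = lookup(namespace, actionName);
            if (hit == null && fallbackToEmptyNamespace && !namespace.isEmpty()) {
                hit = lookup("", actionName);              // the fallback the issue describes
            }
            return Optional.ofNullable(hit);
        }

        private String lookup(String namespace, String actionName) {
            Map<String, String> actions = byNamespace.get(namespace);
            return actions == null ? null : actions.get(actionName);
        }
    }

    public static void main(String[] args) {
        for (boolean fallback : new boolean[] {true, false}) {
            ActionRegistry registry = new ActionRegistry(fallback);
            registry.register("", "login", "com.example.LoginAction");          // hypothetical class
            registry.register("/admin", "users", "com.example.UsersAction");    // hypothetical class

            System.out.println("fallbackToEmptyNamespace=" + fallback);
            String[] paths = {
                "/login.action",                       // intended URL
                "/what/about/this/login.action",       // unknown namespace from the issue
                "/admin/users.action",                 // exact match in a real namespace
                "/admin/login.action"                  // known namespace, action only in the empty one
            };
            for (String path : paths) {
                System.out.printf("  %-32s -> %s%n", path, registry.resolve(path).orElse("<no action: 404>"));
            }
        }
    }
}
```

With fallback on, both `/what/about/this/login.action` and `/admin/login.action` resolve to the login action; with it off, only `/login.action` does, which is the stricter behaviour a developer expects when they wrote a single URL for that action.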


[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable

2024-04-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914325=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914325
 ]

ASF GitHub Bot logged work on WW-5409:
--

Author: ASF GitHub Bot
Created on: 12/Apr/24 06:06
Start Date: 12/Apr/24 06:06
Worklog Time Spent: 10m 
  Work Description: jefferyxhy commented on code in PR #914:
URL: https://github.com/apache/struts/pull/914#discussion_r1562054799


##
core/src/main/java/org/apache/struts2/config/StrutsXmlConfigurationProvider.java:
##
@@ -54,6 +54,7 @@ public class StrutsXmlConfigurationProvider extends 
XmlConfigurationProvider {
 put("-//Apache Software Foundation//DTD Struts Configuration 2.3//EN", 
"struts-2.3.dtd");
 put("-//Apache Software Foundation//DTD Struts Configuration 2.5//EN", 
"struts-2.5.dtd");
 put("-//Apache Software Foundation//DTD Struts Configuration 6.0//EN", 
"struts-6.0.dtd");
+put("-//Apache Software Foundation//DTD Struts Configuration 
6.5.0//EN", "struts-6.5.0.dtd");
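Review bot: this map entry is what lets the configuration provider's entity resolver serve the DTD from the classpath, so the public ID must match the DOCTYPE string developers will put in `struts.xml` character for character, and the file named in the second argument must exist in the jar under that exact name; whichever naming is chosen (see the two-digit suggestion in the review), add a test that parses a minimal config declaring the new DOCTYPE so a mismatch between the key, the file name and the shipped DTD is caught at build time rather than at deployment.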

Review Comment:
   Yeah. It makes sense. I've updated the naming accordingly. Thanks.





Issue Time Tracking
---

Worklog Id: (was: 914325)
Time Spent: 1h  (was: 50m)

> Introduce final attribute to package elements which makes them unextendable
> ---
>
> Key: WW-5409
> URL: https://issues.apache.org/jira/browse/WW-5409
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts but there are some 
> quirks that, if a developer is not aware of them, can lead to critical 
> vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element.
> Take the following package:
> {code:xml}
> 
>   
>   
> 
>   
> {code}
> If it is extended by another package like so:
> {code:xml}
> 
>   
>   
> 
>   
>  {code}
> The second package will inherit Action1, however it will behave very 
> differently in Package2, because it is no longer subject to the same 
> interceptors. The {{default-interceptor-ref}} value from the first package 
> does not apply to any action in the extending package, not even the ones 
> defined in the inherited one.
> This is not immediately obvious to many developers, especially those not very 
> familiar with Struts. They could simply have extended the package to obtain 
> access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially 
> sensitive packages as 'final' to prevent certain Actions from being inherited 
> by other packages.
> This would look like the following:
> {code:xml}
> 
>   
>   
> 
>   
> {code}
>  





[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable

2024-04-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914324=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914324
 ]

ASF GitHub Bot logged work on WW-5409:
--

Author: ASF GitHub Bot
Created on: 12/Apr/24 05:43
Start Date: 12/Apr/24 05:43
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #914:
URL: https://github.com/apache/struts/pull/914#discussion_r1562038780


##
core/src/main/java/org/apache/struts2/config/StrutsXmlConfigurationProvider.java:
##
@@ -54,6 +54,7 @@ public class StrutsXmlConfigurationProvider extends 
XmlConfigurationProvider {
 put("-//Apache Software Foundation//DTD Struts Configuration 2.3//EN", 
"struts-2.3.dtd");
 put("-//Apache Software Foundation//DTD Struts Configuration 2.5//EN", 
"struts-2.5.dtd");
 put("-//Apache Software Foundation//DTD Struts Configuration 6.0//EN", 
"struts-6.0.dtd");
+put("-//Apache Software Foundation//DTD Struts Configuration 
6.5.0//EN", "struts-6.5.0.dtd");

Review Comment:
   I would keep the two-digit pattern, as such changes cannot be introduced with a 
`PATCH` version anyway. So instead of 
   ```java
   put("-//Apache Software Foundation//DTD Struts Configuration 6.5.0//EN", 
"struts-6.5.0.dtd")
   ```
   use
   ```java
   put("-//Apache Software Foundation//DTD Struts Configuration 6.5//EN", 
"struts-6.5.dtd")
   ```
   and rename the corresponding file.
   
   ---
   
   What do you think? Does it make sense?





Issue Time Tracking
---

Worklog Id: (was: 914324)
Time Spent: 50m  (was: 40m)

> Introduce final attribute to package elements which makes them unextendable
> ---
>
> Key: WW-5409
> URL: https://issues.apache.org/jira/browse/WW-5409
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>



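A constructed struts.xml fragment showing the inheritance quirk WW-5409 describes; this is an added example, not the XML from the issue's own code blocks (which did not survive extraction) and not project code. The interceptor and action classes under `com.example` are hypothetical; `defaultStack` and `basicStack` are the stacks that `struts-default` defines, and the DOCTYPE uses the 6.0 DTD listed in the hunk above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
    "https://struts.apache.org/dtds/struts-6.0.dtd">
<struts>
  <!-- Package1: every action is meant to run behind an authentication interceptor. -->
  <package name="Package1" namespace="/secure" extends="struts-default">
    <interceptors>
      <!-- hypothetical interceptor class -->
      <interceptor name="auth" class="com.example.AuthInterceptor"/>
      <interceptor-stack name="authStack">
        <interceptor-ref name="auth"/>
        <interceptor-ref name="defaultStack"/>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="authStack"/>

    <!-- hypothetical action class -->
    <action name="Action1" class="com.example.SensitiveAction">
      <result>/WEB-INF/jsp/sensitive.jsp</result>
    </action>
  </package>

  <!-- Package2 extends Package1 and therefore inherits Action1, but, as the issue
       describes, not Package1's default-interceptor-ref: Action1 is now also reachable
       at /public/Action1.action behind basicStack alone, with no auth interceptor. -->
  <package name="Package2" namespace="/public" extends="Package1">
    <default-interceptor-ref name="basicStack"/>

    <!-- hypothetical action class -->
    <action name="Action2" class="com.example.PublicAction">
      <result>/WEB-INF/jsp/public.jsp</result>
    </action>
  </package>
</struts>
```

The developer of Package2 may only have wanted Package1's result types or global results, yet has silently re-published Action1 without its guard. The `final` marker the issue proposes for Package1 is meant to stop this inheritance at configuration time; until then, a review check that every package extending a sensitive one either repeats the guarding stack as its `default-interceptor-ref` or declares no actions of its own is the practical mitigation.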


[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914318=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914318
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 12/Apr/24 05:34
Start Date: 12/Apr/24 05:34
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #913:
URL: https://github.com/apache/struts/pull/913#discussion_r1562033229


##
core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java:
##
@@ -124,4 +153,11 @@ public void setPrependServletContext(boolean 
prependServletContext) {
 this.prependServletContext = prependServletContext;
 }
 
-}
+/**
+ * Sets the class name of the default {@link CspSettings} implementation 
to use when the action does not
+ * set its own values. If not set, the default is {@link 
DefaultCspSettings}.
+ */
+public void setDefaultCspSettingsClassName(String 
defaultCspSettingsClassName) {
+this.defaultCspSettingsClassName = defaultCspSettingsClassName;
+}
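Review bot: `setDefaultCspSettingsClassName` takes a bare class name that the interceptor will instantiate by reflection, so the instantiation site should verify the loaded class implements `CspSettings` (`CspSettings.class.isAssignableFrom(...)`) and fail the interceptor's initialisation with a clear error when the name cannot be loaded or is the wrong type, rather than falling back to `DefaultCspSettings` silently; a misconfigured name would otherwise ship a weaker policy than intended with nothing in the logs to show it. Add the `@since` tag requested below, and note that the container-injection approach suggested in the next comment removes the reflective instantiation altogether.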

Review Comment:
   You can use the Struts inject mechanism instead of using a raw class name and creating 
the instance yourself. It's all about defining a `` and then annotating the setter with 
`@Inject("customCspSettings")`.
   
   I assume you never played with Struts @Inject, so let's leave it as is and I 
will change that in the next PR.



##
core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java:
##
@@ -124,4 +153,11 @@ public void setPrependServletContext(boolean 
prependServletContext) {
 this.prependServletContext = prependServletContext;
 }
 
-}
+/**
+ * Sets the class name of the default {@link CspSettings} implementation 
to use when the action does not
+ * set its own values. If not set, the default is {@link 
DefaultCspSettings}.
+ */

Review Comment:
   Please add `@since Struts 6.5.0` 
[annotation](https://www.oracle.com/pl/technical-resources/articles/java/javadoc-tool.html#@since)



##
core/src/main/java/org/apache/struts2/interceptor/csp/CspSettings.java:
##
@@ -56,6 +57,11 @@ public interface CspSettings {
  */
 void setReportUri(String uri);
 
+/**
+ * Sets the report group where csp violation reports will be sent
+ */

Review Comment:
   Could you add [@since Struts 
6.5.0](https://www.oracle.com/pl/technical-resources/articles/java/javadoc-tool.html#@since)?





Issue Time Tracking
---

Worklog Id: (was: 914318)
Time Spent: 50m  (was: 40m)

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Erica Kane
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>



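A small CSP response-header builder, added here as an example and not code from the Struts CSP interceptor, `CspSettings` or PR #913: it takes the settings this thread discusses (a configurable `base-uri`, which the reporter could not change; a per-response nonce; report-only mode; a legacy `report-uri`; and a Reporting-API group name for `report-to`) and emits the header pair a filter or interceptor would set. `CspHeaderBuilder` and its method names are assumptions. The `Reporting-Endpoints` header is the standard way to declare the endpoint a `report-to` group refers to and is emitted alongside the policy because a group name on its own sends no reports.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public final class CspHeaderBuilder {

    private static final SecureRandom RANDOM = new SecureRandom();

    private final String baseUri;          // value of the base-uri directive, e.g. 'self'
    private final boolean reportOnly;      // Content-Security-Policy-Report-Only instead of enforcing
    private final String reportUri;        // legacy report-uri directive, or null to omit
    private final String reportGroup;      // Reporting-API group name for report-to, or null to omit
    private final String reportEndpoint;   // URL the group resolves to via Reporting-Endpoints, or null

    public CspHeaderBuilder(String baseUri, boolean reportOnly,
                            String reportUri, String reportGroup, String reportEndpoint) {
        this.baseUri = baseUri;
        this.reportOnly = reportOnly;
        this.reportUri = reportUri;
        this.reportGroup = reportGroup;
        this.reportEndpoint = reportEndpoint;
    }

    /** Fresh 128-bit random nonce per response, Base64-encoded as the nonce-source grammar requires. */
    public static String newNonce() {
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw);
        return Base64.getEncoder().encodeToString(raw);
    }

    /** Policy value: nonce-gated scripts with 'strict-dynamic', plugins blocked, and the configured base-uri. */
    public String policy(String nonce) {
        List<String> directives = new ArrayList<>();
        directives.add("object-src 'none'");
        directives.add("script-src 'nonce-" + nonce + "' 'strict-dynamic'");
        directives.add("base-uri " + baseUri);
        if (reportUri != null) {
            directives.add("report-uri " + reportUri);     // legacy reporting, still widely honoured
        }
        if (reportGroup != null) {
            directives.add("report-to " + reportGroup);    // Reporting-API reporting, needs the endpoint header
        }
        return String.join("; ", directives);
    }

    /** Header name/value pairs to set on the response, in the order they should be written. */
    public Map<String, String> headers(String nonce) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (reportGroup != null && reportEndpoint != null) {
            // Declares the endpoint the report-to group points at; without it the group name is inert.
            headers.put("Reporting-Endpoints", reportGroup + "=\"" + reportEndpoint + "\"");
        }
        String name = reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
        headers.put(name, policy(nonce));
        return headers;
    }

    public static void main(String[] args) {
        String nonce = newNonce();
        // Constructed settings: enforcing mode, base-uri pinned to 'self', both reporting mechanisms configured.
        CspHeaderBuilder builder = new CspHeaderBuilder(
                "'self'", false, "/csp-report", "csp-endpoint", "https://example.invalid/csp-report");
        builder.headers(nonce).forEach((name, value) -> System.out.println(name + ": " + value));
    }
}
```

Two choices matter for a defender here: the nonce must be generated per response and the same value handed to the templates that render script tags, and `base-uri` should be set explicitly (typically `'self'` or `'none'`) because a policy that omits it leaves injected `<base>` elements free to redirect every relative script and form URL on the page, which is the gap the reporter wanted to close.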


[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914281=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914281
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 21:01
Start Date: 11/Apr/24 21:01
Worklog Time Spent: 10m 
  Work Description: eschulma commented on PR #913:
URL: https://github.com/apache/struts/pull/913#issuecomment-2050535381

   Ok all good.




Issue Time Tracking
---

Worklog Id: (was: 914281)
Time Spent: 40m  (was: 0.5h)

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Erica Kane
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914267=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914267
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 18:53
Start Date: 11/Apr/24 18:53
Worklog Time Spent: 10m 
  Work Description: eschulma commented on PR #913:
URL: https://github.com/apache/struts/pull/913#issuecomment-2050317405

   Hold off a bit, I need to check something (this is what I get for 
implementing my own separate solution)




Issue Time Tracking
---

Worklog Id: (was: 914267)
Time Spent: 0.5h  (was: 20m)

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Erica Kane
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>





[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914207=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914207
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 15:03
Start Date: 11/Apr/24 15:03
Worklog Time Spent: 10m 
  Work Description: eschulma commented on PR #913:
URL: https://github.com/apache/struts/pull/913#issuecomment-2049907568

   @lukaszlenart submitted per your request




Issue Time Tracking
---

Worklog Id: (was: 914207)
Time Spent: 20m  (was: 10m)

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Erica Kane
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor 
> provides an elegant solution with the  and  tags. However, 
> I want to set my own base-uri. And perhaps make some other changes to the CSP 
> headers.
> But these values are not accessible. Only the report-only and report-uri can 
> be changed. Even if one is willing to work at the Action level and implement 
> a new interface for all of them, I can't change the base-uri. I've seen 
> people on Stack Overflow disable it for this reason. I want to use it, but 
> could someone please explain how to set the base-uri globally? If not, I will 
> likely have to make my own.
> P.S. I will update the documentation page. Nowhere in the description of the 
> interceptor does it mention the script and link tags, and without those, it 
> is useless!





[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies

2024-04-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=914122=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914122
 ]

ASF GitHub Bot logged work on WW-5407:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 09:16
Start Date: 11/Apr/24 09:16
Worklog Time Spent: 10m 
  Work Description: kusalk merged PR #911:
URL: https://github.com/apache/struts/pull/911




Issue Time Tracking
---

Worklog Id: (was: 914122)
Time Spent: 1h 50m  (was: 1h 40m)

> Extend SecurityMemberAccess proxy detection to Hibernate proxies
> 
>
> Key: WW-5407
> URL: https://issues.apache.org/jira/browse/WW-5407
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> The current option {{struts.disallowProxyMemberAccess}} does not have any 
> logic to detect Hibernate proxies, which may also present a security risk.
> Additionally, the current option only forbids access to members which 
> originate from a proxy. However, it makes more sense to forbid access to 
> proxy objects entirely. This is because proxying is often used for sensitive 
> instances, application beans or Hibernate objects, none of which is safe to 
> be accessed or manipulated via OGNL. Thus, let's introduce an additional 
> option {{struts.disallowProxyObjectAccess}} which will offer stronger 
> protection.
> Finally, the caching mechanism in the ProxyUtil class uses an unbounded map; 
> this can potentially be attacked and lead to a memory leak or DoS. Let's 
> replace it with a Caffeine cache, as we have done previously for the OGNL 
> expression cache.





[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable

2024-04-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914085=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914085
 ]

ASF GitHub Bot logged work on WW-5409:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 05:09
Start Date: 11/Apr/24 05:09
Worklog Time Spent: 10m 
  Work Description: jefferyxhy commented on code in PR #914:
URL: https://github.com/apache/struts/pull/914#discussion_r1560440790


##
core/src/main/resources/struts-6.4.0.dtd:
##
@@ -0,0 +1,158 @@
+
+
+ Introduce final attribute to package elements which makes them unextendable
> ---
>
> Key: WW-5409
> URL: https://issues.apache.org/jira/browse/WW-5409
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts, but there are some 
> quirks that, if a developer is not aware of them, can lead to critical 
> vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element.
> Take the following package:
> {code:xml}
> 
>   
>   
> 
>   
> {code}
> If it is extended by another package like so:
> {code:xml}
> 
>   
>   
> 
>   
>  {code}
> The second package will inherit Action1; however, it will behave very 
> differently in Package2, because it is no longer subject to the same 
> interceptors. The {{default-interceptor-ref}} value from the first package 
> does not apply to any action in the extending package, not even the ones 
> defined in the inherited one.
> This is not immediately obvious to many developers, especially those not very 
> familiar with Struts. They could simply have extended the package to obtain 
> access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially 
> sensitive packages as 'final' to prevent certain Actions from being inherited 
> by other packages.
> This would look like the following:
> {code:xml}
> 
>   
>   
> 
>   
> {code}
>  





[jira] [Work logged] (WW-5408) Add option to NOT fallback to empty namespace when unresolved

2024-04-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5408?focusedWorklogId=914084=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914084
 ]

ASF GitHub Bot logged work on WW-5408:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 04:59
Start Date: 11/Apr/24 04:59
Worklog Time Spent: 10m 
  Work Description: jefferyxhy commented on code in PR #912:
URL: https://github.com/apache/struts/pull/912#discussion_r1560435674


##
core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java:
##
@@ -583,11 +590,10 @@ public ActionConfig getActionConfig(String namespace, 
String name) {
 }
 
 // fail over to empty namespace
-if (config == null && StringUtils.isNotBlank(namespace)) {
+if (config == null && StringUtils.isNotBlank(namespace) && 
("/".equals(namespace) || fallbackToEmptyNamespace)) {

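Review bot: the new guard `("/".equals(namespace) || fallbackToEmptyNamespace)` keeps the root namespace `/` falling back to the empty namespace even when the option is switched off; that is a sensible carve-out (a request such as `/login.action` still has to find the empty-namespace action) but it is not obvious from the option name, so it should be stated wherever the constant is described. Please also add a test for the disabled path with an unresolvable namespace such as the issue's `/what/about/this/login.action`, asserting that `config` stays `null` and the request is not served by the empty-namespace action.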
Review Comment:
   Done. Thanks



##
core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java:
##
@@ -459,9 +460,12 @@ protected synchronized RuntimeConfiguration 
buildRuntimeConfiguration() throws C
 boolean appendNamedParameters = Boolean.parseBoolean(
 container.getInstance(String.class, 
StrutsConstants.STRUTS_MATCHER_APPEND_NAMED_PARAMETERS)
 );
+boolean fallbackToEmptyNamespace = Boolean.parseBoolean(
+Optional.ofNullable(container.getInstance(String.class, 
StrutsConstants.STRUTS_ACTION_CONFIG_FALLBACK_TO_EMPTY_NAMESPACE)).orElse("true")
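Review bot: the default for the new option is hard-coded here as `.orElse("true")`, while `appendNamedParameters` three lines above is read with a plain `Boolean.parseBoolean(container.getInstance(...))` and takes its default from the shipped configuration; declaring the value behind `StrutsConstants.STRUTS_ACTION_CONFIG_FALLBACK_TO_EMPTY_NAMESPACE` in `default.properties` (and, so that unit tests see the same default, in `StrutsDefaultConfigurationProvider`) would keep a single pattern and document the option for users. Whichever default is kept, the description should say that `true` preserves the permissive fallback and `false` is the hardening setting that limits empty-namespace actions to their intended URL.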

Review Comment:
   Updated. Thanks





Issue Time Tracking
---

Worklog Id: (was: 914084)
Time Spent: 1.5h  (was: 1h 20m)

> Add option to NOT fallback to empty namespace when unresolved
> -
>
> Key: WW-5408
> URL: https://issues.apache.org/jira/browse/WW-5408
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Currently, when a namespace cannot be resolved from a request URL, it falls 
> back to the empty namespace.
> This effectively allows all Actions which are defined for the empty namespace 
> to be accessed from an infinite number of endpoints.
> For example, you may have an Action defined in the empty namespace, intended 
> for access at:
> {{www.domain.com/login.action}}
> However, due to the current fallback behaviour, this Action can actually be 
> accessed at any non-resolving namespace, e.g.:
> {{www.domain.com/what/about/this/login.action}}
> This behaviour is not usually beneficial and could lead to bugs if a 
> developer only expects their Action to be accessible at a very specific URL. 
> Many developers may not be aware of these Action resolving quirks of Struts.
> As far as I can tell, there is not currently an option to prevent this 
> behaviour, so I propose we add one.





[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable

2024-04-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914081=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914081
 ]

ASF GitHub Bot logged work on WW-5409:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 04:43
Start Date: 11/Apr/24 04:43
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #914:
URL: https://github.com/apache/struts/pull/914#discussion_r1560427870


##
core/src/main/resources/struts-6.4.0.dtd:
##
@@ -0,0 +1,158 @@
+
+
+ Introduce final attribute to package elements which makes them unextendable
> ---
>
> Key: WW-5409
> URL: https://issues.apache.org/jira/browse/WW-5409
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts, but there are some 
> quirks that, if a developer is not aware of them, can lead to critical 
> vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element.
> Take the following package:
> {code:xml}
> 
>   
>   
> 
>   
> {code}
> If it is extended by another package like so:
> {code:xml}
> 
>   
>   
> 
>   
>  {code}
> The second package will inherit Action1; however, it will behave very 
> differently in Package2, because it is no longer subject to the same 
> interceptors. The {{default-interceptor-ref}} value from the first package 
> does not apply to any action in the extending package, not even the ones 
> defined in the inherited one.
> This is not immediately obvious to many developers, especially those not very 
> familiar with Struts. They could simply have extended the package to obtain 
> access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially 
> sensitive packages as 'final' to prevent certain Actions from being inherited 
> by other packages.
> This would look like the following:
> {code:xml}
> 
>   
>   
> 
>   
> {code}
>  





[jira] [Work logged] (WW-5408) Add option to NOT fallback to empty namespace when unresolved

2024-04-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5408?focusedWorklogId=914080=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914080
 ]

ASF GitHub Bot logged work on WW-5408:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 04:40
Start Date: 11/Apr/24 04:40
Worklog Time Spent: 10m 
  Work Description: lukaszlenart commented on code in PR #912:
URL: https://github.com/apache/struts/pull/912#discussion_r1560426064


##
core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java:
##
@@ -459,9 +460,12 @@ protected synchronized RuntimeConfiguration 
buildRuntimeConfiguration() throws C
 boolean appendNamedParameters = Boolean.parseBoolean(
 container.getInstance(String.class, 
StrutsConstants.STRUTS_MATCHER_APPEND_NAMED_PARAMETERS)
 );
+boolean fallbackToEmptyNamespace = Boolean.parseBoolean(
+Optional.ofNullable(container.getInstance(String.class, 
StrutsConstants.STRUTS_ACTION_CONFIG_FALLBACK_TO_EMPTY_NAMESPACE)).orElse("true")

Review Comment:
   Understood, yet `default.properties` is used as documentation by users, so 
I would define the constant there with a short description and keep the fallback to 
`true` as above





Issue Time Tracking
---

Worklog Id: (was: 914080)
Time Spent: 1h 20m  (was: 1h 10m)

> Add option to NOT fallback to empty namespace when unresolved
> -
>
> Key: WW-5408
> URL: https://issues.apache.org/jira/browse/WW-5408
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> Currently, when a namespace cannot be resolved from a request URL, it falls 
> back to the empty namespace.
> This effectively allows all Actions which are defined for the empty namespace 
> to be accessed from an infinite number of endpoints.
> For example, you may have an Action defined in the empty namespace, intended 
> for access at:
> {{www.domain.com/login.action}}
> However, due to the current fallback behaviour, this Action can actually be 
> accessed at any non-resolving namespace, e.g.:
> {{www.domain.com/what/about/this/login.action}}
> This behaviour is not usually beneficial and could lead to bugs if a 
> developer only expects their Action to be accessible at a very specific URL. 
> Many developers may not be aware of these Action resolving quirks of Struts.
> As far as I can tell, there is not currently an option to prevent this 
> behaviour, so I propose we add one.





[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable

2024-04-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914077=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914077
 ]

ASF GitHub Bot logged work on WW-5409:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 04:34
Start Date: 11/Apr/24 04:34
Worklog Time Spent: 10m 
  Work Description: jefferyxhy commented on code in PR #914:
URL: https://github.com/apache/struts/pull/914#discussion_r1560423741


##
core/src/main/resources/struts-6.4.0.dtd:
##
@@ -0,0 +1,158 @@
+
+
+ Introduce final attribute to package elements which makes them unextendable
> ---
>
> Key: WW-5409
> URL: https://issues.apache.org/jira/browse/WW-5409
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts, but there are some 
> quirks that, if a developer is not aware of them, can lead to critical 
> vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element.
> Take the following package:
> {code:xml}
> 
>   
>   
> 
>   
> {code}
> If it is extended by another package like so:
> {code:xml}
> 
>   
>   
> 
>   
>  {code}
> The second package will inherit Action1; however, it will behave very 
> differently in Package2, because it is no longer subject to the same 
> interceptors. The {{default-interceptor-ref}} value from the first package 
> does not apply to any action in the extending package, not even the ones 
> defined in the inherited one.
> This is not immediately obvious to many developers, especially those not very 
> familiar with Struts. They could simply have extended the package to obtain 
> access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially 
> sensitive packages as 'final' to prevent certain Actions from being inherited 
> by other packages.
> This would look like the following:
> {code:xml}
> 
>   
>   
> 
>   
> {code}
>  





[jira] [Work logged] (WW-5406) Action excluded patterns are not updated following a configuration reload

2024-04-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5406?focusedWorklogId=914076=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914076
 ]

ASF GitHub Bot logged work on WW-5406:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 04:27
Start Date: 11/Apr/24 04:27
Worklog Time Spent: 10m 
  Work Description: kusalk merged PR #910:
URL: https://github.com/apache/struts/pull/910




Issue Time Tracking
---

Worklog Id: (was: 914076)
Time Spent: 2h 20m  (was: 2h 10m)

> Action excluded patterns are not updated following a configuration reload
> -
>
> Key: WW-5406
> URL: https://issues.apache.org/jira/browse/WW-5406
> Project: Struts 2
>  Issue Type: Bug
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> If {{struts.action.excludePattern}} or 
> {{struts.action.excludePattern.separator}} are updated during runtime, the 
> changes are not reflected in the application behaviour due to these constants 
> only being read exactly once. This is not consistent with all other 
> configuration which is re-injected following a configuration reload.





[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable

2024-04-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914061=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914061
 ]

ASF GitHub Bot logged work on WW-5409:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 02:47
Start Date: 11/Apr/24 02:47
Worklog Time Spent: 10m 
  Work Description: jefferyxhy opened a new pull request, #914:
URL: https://github.com/apache/struts/pull/914

   WW-5409
   

   
   **Reason**
   Extending packages is a very useful capability of Struts, but there are some 
quirks that, if a developer is not aware of them, can lead to critical 
vulnerabilities. One such misunderstood quirk is the default-interceptor-ref 
element.
   
   e.g. a parent package adds a permission interceptor for its action (say 
**Action A**), while a child package that extends the parent package will inherit its 
actions but not the interceptor. So if the developer is not aware of this, then 
Action A is now exposed with a permission vuln through the child package's namespace.
   


   **Changes/ Solution**
   Introduce a new `final` attribute on the `package` element which will make it 
unextendable
   
 
 
   **Result & Impact**
   * By default, the package `final` attribute is implied as `false`, so there is no 
difference.
   * Setting the package `final` attribute explicitly to `true` will make this package 
unextendable, so any package extending it will cause a 
ConfigurationException to be thrown during the application's struts config XML load 
step.






Issue Time Tracking
---

Worklog Id: (was: 914061)
Remaining Estimate: 0h
Time Spent: 10m

> Introduce final attribute to package elements which makes them unextendable
> ---
>
> Key: WW-5409
> URL: https://issues.apache.org/jira/browse/WW-5409
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts, but there are some 
> quirks that, if a developer is not aware of them, can lead to critical 
> vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element.
> Take the following package:
> {code:xml}
> 
>   
>   
> 
>   
> {code}
> If it is extended by another package like so:
> {code:xml}
> 
>   
>   
> 
>   
>  {code}
> The second package will inherit Action1; however, it will behave very 
> differently in Package2, because it is no longer subject to the same 
> interceptors. The {{default-interceptor-ref}} value from the first package 
> does not apply to any action in the extending package, not even the ones 
> defined in the inherited one.
> This is not immediately obvious to many developers, especially those not very 
> familiar with Struts. They could simply have extended the package to obtain 
> access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially 
> sensitive packages as 'final' to prevent certain Actions from being inherited 
> by other packages.
> This would look like the following:
> {code:xml}
> 
>   
>   
> 
>   
> {code}
>  



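An added audit script for the package-extension quirk described in WW-5409 and the PR above (constructed for this thread, not Struts code): it parses a minimal struts.xml and reports inherited actions that run under the extending package's default-interceptor-ref rather than the declaring package's, and packages that extend one marked final="true", which the proposed loader would reject with a ConfigurationException. The sample configuration, the package and stack names, and the rule that a package without its own default-interceptor-ref takes its nearest ancestor's are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml modelled on the issue's Package1/Package2 case:
# Package1 guards its actions with "secureStack"; Package2 extends it with a
# weaker default stack, so the inherited Action1 runs under "basicStack" there.
SAMPLE_STRUTS_XML = """<struts>
  <package name="Package1" namespace="/admin" extends="struts-default">
    <default-interceptor-ref name="secureStack"/>
    <action name="Action1" class="example.Action1"><result>/admin.jsp</result></action>
    <action name="Report" class="example.Report">
      <interceptor-ref name="secureStack"/>
    </action>
  </package>
  <package name="Package2" namespace="/public" extends="Package1">
    <default-interceptor-ref name="basicStack"/>
    <action name="Action2" class="example.Action2"/>
  </package>
</struts>
"""
# Same layout with Package1 marked final, as the proposed attribute would allow.
FINAL_STRUTS_XML = SAMPLE_STRUTS_XML.replace(
    'name="Package1" namespace="/admin"', 'name="Package1" namespace="/admin" final="true"')

def parse_packages(xml_text):
    """Map package name -> {namespace, extends, final, default_ref, actions};
    `actions` maps action name -> True if it declares its own <interceptor-ref>."""
    packages = {}
    for pkg in ET.fromstring(xml_text).findall("package"):
        ref = pkg.find("default-interceptor-ref")
        packages[pkg.get("name")] = {
            "namespace": pkg.get("namespace", ""),
            "extends": [p.strip() for p in (pkg.get("extends") or "").split(",") if p.strip()],
            "final": (pkg.get("final") or "false").lower() == "true",
            "default_ref": ref.get("name") if ref is not None else None,
            "actions": {a.get("name"): a.find("interceptor-ref") is not None
                        for a in pkg.findall("action")},
        }
    return packages

def ancestors(packages, name, seen=None):
    """Packages that `name` transitively extends (depth-first, cycle-safe)."""
    seen = set() if seen is None else seen
    out = []
    for parent in packages.get(name, {}).get("extends", []):
        if parent not in seen:
            seen.add(parent)
            out.append(parent)
            out.extend(ancestors(packages, parent, seen))
    return out

def effective_default_ref(packages, name):
    """Own default-interceptor-ref, else the nearest ancestor's (modelling
    assumption); inherited actions run under the *extending* package's default."""
    for candidate in [name] + ancestors(packages, name):
        ref = packages.get(candidate, {}).get("default_ref")
        if ref:
            return ref
    return None

def final_violations(packages):
    """(child, parent) pairs where child extends a package marked final; the
    loader would raise a ConfigurationException for any entry, as the PR describes."""
    return [(child, parent) for child, pkg in packages.items()
            for parent in pkg["extends"] if packages.get(parent, {}).get("final")]

def inherited_actions_losing_stack(packages):
    """Inherited actions whose default stack in the child differs from the declaring
    package's; actions carrying their own <interceptor-ref> keep it and are skipped."""
    findings = []
    for child, cpkg in packages.items():
        child_ref = effective_default_ref(packages, child)
        for parent in ancestors(packages, child):
            parent_ref = effective_default_ref(packages, parent)
            for action, has_own_ref in packages.get(parent, {}).get("actions", {}).items():
                if not has_own_ref and parent_ref != child_ref:
                    findings.append((child, cpkg["namespace"], parent, action, parent_ref, child_ref))
    return findings
```

Run against a real struts.xml, every finding is an action reachable under a namespace and interceptor stack its author may never have intended; the `Report` action in the sample shows that an explicit per-action `interceptor-ref` is not affected.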


[jira] [Work logged] (WW-5408) Add option to NOT fallback to empty namespace when unresolved

2024-04-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5408?focusedWorklogId=914052=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914052
 ]

ASF GitHub Bot logged work on WW-5408:
--

Author: ASF GitHub Bot
Created on: 11/Apr/24 00:33
Start Date: 11/Apr/24 00:33
Worklog Time Spent: 10m 
  Work Description: kusalk commented on code in PR #912:
URL: https://github.com/apache/struts/pull/912#discussion_r1560203638


##
core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java:
##
@@ -459,9 +460,12 @@ protected synchronized RuntimeConfiguration 
buildRuntimeConfiguration() throws C
 boolean appendNamedParameters = Boolean.parseBoolean(
 container.getInstance(String.class, 
StrutsConstants.STRUTS_MATCHER_APPEND_NAMED_PARAMETERS)
 );
+boolean fallbackToEmptyNamespace = Boolean.parseBoolean(
+Optional.ofNullable(container.getInstance(String.class, 
StrutsConstants.STRUTS_ACTION_CONFIG_FALLBACK_TO_EMPTY_NAMESPACE)).orElse("true")

Review Comment:
   @jefferyxhy and I just discussed this one and one of the drawbacks of 
putting it in `default.properties` is that it isn't read by unit tests and 
causes a bunch of test failures, as the unit tests will default to `false`. To 
get around this we could additionally add the constant to 
`StrutsDefaultConfigurationProvider` as well as `default.properties`.
   
   I'm personally not too fussed. In the past I've deliberately made constants 
default to false to try to sidestep this issue. Let us know what you would 
prefer





Issue Time Tracking
---

Worklog Id: (was: 914052)
Time Spent: 1h 10m  (was: 1h)

> Add option to NOT fallback to empty namespace when unresolved
> -
>
> Key: WW-5408
> URL: https://issues.apache.org/jira/browse/WW-5408
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core
>Reporter: Kusal Kithul-Godage
>Priority: Minor
> Fix For: 6.5.0
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Currently, when a namespace cannot be resolved from a request URL, it falls 
> back to the empty namespace.
> This effectively allows all Actions which are defined for the empty namespace 
> to be accessed from an infinite number of endpoints.
> For example, you may have an Action defined in the empty namespace, intended 
> for access at:
> {{www.domain.com/login.action}}
> However, due to the current fallback behaviour, this Action can actually be 
> accessed at any non-resolving namespace, e.g.:
> {{www.domain.com/what/about/this/login.action}}
> This behaviour is not usually beneficial and could lead to bugs if a 
> developer only expects their Action to be accessible at a very specific URL. 
> Many developers may not be aware of these Action resolving quirks of Struts.
> As far as I can tell, there is not currently an option to prevent this 
> behaviour, so I propose we add one.



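An added model of the lookup rule discussed in the WW-5408 thread above (constructed example, not Struts code): a small action registry, the split of a request path into namespace and action name, and the fallback condition from the PR hunk, including the carve-out that keeps the root namespace `/` falling back to the empty namespace. It goes slightly beyond the issue text: a miss in a namespace that is defined (here `/admin`) also falls back while the option is on. The registry, the request paths and the URL split are assumptions.

```python
# Constructed action registry for the example: namespace -> {action name: class}.
ACTIONS = {
    "": {"login": "example.LoginAction"},
    "/admin": {"users": "example.UsersAction"},
}

def split_request(path, extension=".action"):
    """'/what/about/this/login.action' -> ('/what/about/this', 'login').

    Assumption: the mapper hands the lookup the namespace taken verbatim from
    the URL, and a path with no directory part ('/login.action') is given the
    root namespace '/'.
    """
    if path.endswith(extension):
        path = path[:-len(extension)]
    slash = path.rfind("/")
    namespace = path[:slash] if slash > 0 else "/"
    return namespace, path[slash + 1:]

def get_action_config(namespace, name, fallback_to_empty_namespace=True):
    """Lookup with the rule from the PR hunk: after a miss in a non-blank
    namespace, the empty namespace is consulted only for '/' or when the
    fallback option is enabled; otherwise the request stays unresolved (None)."""
    config = ACTIONS.get(namespace, {}).get(name)
    if config is None and namespace and (namespace == "/" or fallback_to_empty_namespace):
        config = ACTIONS.get("", {}).get(name)
    return config

def served_paths(paths, fallback_to_empty_namespace):
    """Subset of `paths` that resolves to some action under the given setting."""
    served = []
    for path in paths:
        namespace, name = split_request(path)
        if get_action_config(namespace, name, fallback_to_empty_namespace) is not None:
            served.append(path)
    return served

# Constructed requests: the intended URL, the issue's unresolvable namespace,
# a defined namespace that lacks the action, and a genuine /admin action.
REQUESTS = [
    "/login.action",
    "/what/about/this/login.action",
    "/admin/login.action",
    "/admin/users.action",
]

if __name__ == "__main__":
    for flag in (True, False):
        print(f"fallback={flag}: served {served_paths(REQUESTS, flag)}")
```

With the fallback on, every path in `REQUESTS` reaches an action; with it off, only `/login.action` (via the `/` carve-out) and `/admin/users.action` do, which is the URL surface the issue asks to be able to enforce.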


[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration

2024-04-10 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914041=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914041
 ]

ASF GitHub Bot logged work on WW-5400:
--

Author: ASF GitHub Bot
Created on: 10/Apr/24 22:45
Start Date: 10/Apr/24 22:45
Worklog Time Spent: 10m 
  Work Description: eschulma opened a new pull request, #913:
URL: https://github.com/apache/struts/pull/913

   Previously, it was impossible to set global options for the CSP interceptor. 
The only option was to have every action individually implement 
CspSettingsAware.
   
   To fix this, we add an interceptor parameter of defaultCspSettingsClassName. 
Values from this class will be used in the CSP header instead of 
DefaultCspSettings. Users may define their own custom class which implements 
CspSettings, and that will be the default for all actions that do not implement 
the CspSettingsAware interface. It is now possible to create this custom class 
by simply extending DefaultCspSettings.
   
   I have fixed a spelling error in DefaultCspSettings.java 

Issue Time Tracking
---

Worklog Id: (was: 914041)
Remaining Estimate: 0h
Time Spent: 10m

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
>  Issue Type: Improvement
>  Components: Core Interceptors
>Affects Versions: 6.3.0
>Reporter: Erica Kane
>Priority: Major
> Fix For: 6.5.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor 
> provides an elegant solution with the  and  tags. However, 
> I want to set my own base-uri. And perhaps make some other changes to the CSP 
> headers.
> But these values are not accessible. Only the report-only and report-uri can 
> be changed. Even if one is willing to work at the Action level and implement 
> a new interface for all of them, I can't change the base-uri. I've seen 
> people on Stack Overflow disable it for this reason. I want to use it, but 
> could someone please explain how to set the base-uri globally? If not, I will 
> likely have to make my own.
> P.S. I will update the documentation page. Nowhere in the description of the 
> interceptor does it mention the script and link tags, and without those, it 
> is useless!




