Re: [TEST] Apache Struts 6.8.0 test build is ready

2025-09-23 Thread Ing. Andrea Vettori
Thanks :) > On 23 Sep 2025, at 14:56, Lukasz Lenart wrote: > > Thu, 18 Sep 2025 at 10:08 Ing. Andrea Vettori > wrote: >> >> Hello, Release notes list bug WW-5537 >> <https://issues.apache.org/jira/browse/WW-5537> but it is not present on the >

Re: [TEST] Apache Struts 6.8.0 test build is ready

2025-09-18 Thread Ing. Andrea Vettori
Hello, Release notes list bug WW-5537 but it is not present on the “changes” GitHub page. I tested it and the problem is still present. Does this mean it has not been fixed? Thanks > On 15 Sep 2025, at 08:42, Lukasz Lenart wrote: > > Hello, >

Re: STRUTS_EXAMPLES_1_1_0

2025-03-03 Thread Ing. Andrea Vettori
Hello, I created https://issues.apache.org/jira/browse/WW-5537. Thank you! > On 3 Mar 2025, at 10:47, Lukasz Lenart wrote: > > Andrea, would you mind creating a JIRA ticket targeting Struts 6 and > describing the problem? > > Fri, 28 Feb 2025 at 21:51 Ing. Andrea vet

Re: STRUTS_EXAMPLES_1_1_0

2025-02-28 Thread Ing. Andrea Vettori
We have a few web apps on each server (and a few servers) with a load balancer in front of everything. It’s a convenience to be able to hot-deploy an app without turning the entire server off. With the amount of classes that leak we get OOM on Metaspace very frequently. — Ing. Andrea Vettori

Re: STRUTS_EXAMPLES_1_1_0

2025-02-28 Thread Ing. Andrea Vettori
n reproduce the problem easily. > > The following web applications were stopped (reloaded, undeployed), but their > classes from previous runs are still loaded in memory, thus causing a memory > leak (use a profiler to confirm): > /helloworld > /helloworld > /helloworld > >

Re: STRUTS_EXAMPLES_1_1_0

2025-02-28 Thread Ing. Andrea Vettori
pplications were stopped (reloaded, undeployed), but their > classes from previous runs are still loaded in memory, thus causing a memory > leak (use a profiler to confirm): > /helloworld > /helloworld > /helloworld > > > On 28/02/2025 14:34, Ing. Andrea Vettori wrote: >>

Re: STRUTS_EXAMPLES_1_1_0

2025-02-28 Thread Ing. Andrea Vettori
dAction has been compiled by a > more recent version of the Java Runtime (class file version 61.0), this > version of the Java Runtime only recognizes class file versions up to 52.0 > (unable to load class [org.apache.struts.helloworld.action.HelloWorldAction]) > > On 28/02/2025 1

Re: WAR undeploy seems to leave some struts related classes in memory

2025-02-28 Thread Ing. Andrea Vettori
I tried to use STRUTS_EXAMPLES_1_1_0 and I get two ApplicationContext in memory on JDK 17 and Tomcat 9.0.100 when doing a redeploy, either using manager reload or simply copying the WAR file. Using Tomcat manager I get the following message using the ‘Find Leaks’ button: The following web applicat

Re: WAR undeploy seems to leave some struts related classes in memory

2025-02-25 Thread Ing. Andrea Vettori
13:16 Ing. Andrea Vettori > wrote: >> Hope someone can give me a hint on what to look into. I tried to navigate >> the two objects with the memory analyzer but it’s too difficult to >> understand what’s going on. > > Could you increase log level to DEBUG an

Re: WAR undeploy seems to leave some struts related classes in memory

2025-02-22 Thread Ing. Andrea Vettori
hot deploy. Hope someone can give me a hint on what to look into. I tried to navigate the two objects with the memory analyzer but it’s too difficult to understand what’s going on. Thanks > On 22 Feb 2025, at 11:38, Ing. Andrea Vettori wrote: > > Hello, > I’m facing an issue that

WAR undeploy seems to leave some struts related classes in memory

2025-02-22 Thread Ing. Andrea Vettori
Hello, I’m facing an issue that I can't fully understand myself. I’ve been using Struts since 2000 (version 6.7 at the moment) in web apps with a mix of JSP and FreeMarker templates. I use Tomcat as servlet container. Recently I found that when an app is hot-deployed, I constantly find that some no

Re: Standard Accepted Patterns in DefaultAcceptedPatternsChecker

2020-01-29 Thread Ing. Andrea Vettori
is a reasonable solution. Does that happen even when you use the ‘string’ format, i.e. you make it explicit that it’s a string using the quotes? — Ing. Andrea Vettori Head of Information Systems

Re: Standard Accepted Patterns in DefaultAcceptedPatternsChecker

2020-01-27 Thread Ing. Andrea Vettori
future, I think that allowing all characters that are safe in HTTP POST data or URLs would be nice (that was the reason we chose to use the minus instead of other characters in our project, because it would work in POST and URLs). Thanks for the great work with Struts. — Ing. Andrea Vettori Respo

Re: Standard Accepted Patterns in DefaultAcceptedPatternsChecker

2020-01-26 Thread Ing. Andrea Vettori
} public void setMap(Map map) { this.map = map; } } Thank you — Ing. Andrea Vettori Head of Information Systems > On 25 Jan 2020, at 11:40, Yasser Zamani wrote: > > Hi, > > AFAIK OGNL compiles myMap['myKey'] to the string myMap.myKey so yes I t

Standard Accepted Patterns in DefaultAcceptedPatternsChecker

2020-01-15 Thread Ing. Andrea Vettori
sign in the key. Is there any security consideration behind this? Thank you! public static final String[] ACCEPTED_PATTERNS = { "\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'\\])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*"
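As an added example (not code from this thread or from Struts itself), the first ACCEPTED_PATTERNS entry quoted in the post above, converted from a Java string literal to a Python regular expression and run against a small constructed set of request parameter names, including the `myMap['my-key']` style key this thread is about. `re.ASCII` is used so that `\w` and `\d` match only ASCII, as Java's do by default, and `fullmatch` stands in for Java's `Matcher.matches()`. The excerpt shows only the first array entry, so the remaining accepted patterns and the checker's excluded patterns are not modelled; the sample names are constructed for the example.

```python
import re

# First entry of DefaultAcceptedPatternsChecker.ACCEPTED_PATTERNS as quoted in the
# post above, with the Java string escaping removed. Only this entry is modelled here.
STRUTS_ACCEPTED_PATTERN = (
    r"\w+("
    r"(\.\w+)"                          # .property
    r"|(\[\d+\])"                       # [0]     list/array index
    r"|(\(\d+\))"                       # (0)     indexed property in call form
    r"|(\['(\w|[\u4e00-\u9fa5])+'\])"   # ['key'] map key: word chars or CJK only
    r"|(\('(\w|[\u4e00-\u9fa5])+'\))"   # ('key') same key in call form
    r")*"
)

# re.ASCII: Java's \w and \d are ASCII-only by default; mirror that so the
# Python result matches what the Java checker would do. The explicit CJK
# range in the pattern is unaffected by the flag.
_ACCEPTED = re.compile(STRUTS_ACCEPTED_PATTERN, re.ASCII)


def is_accepted(param_name: str) -> bool:
    """True if the whole name matches the allowlist (like Java's Matcher.matches())."""
    return _ACCEPTED.fullmatch(param_name) is not None


def classify(param_names):
    """Map each parameter name to whether this accepted pattern would let it through."""
    return {name: is_accepted(name) for name in param_names}


# Constructed sample of request parameter names (not taken from the thread).
SAMPLE_PARAMS = [
    "user.name",                        # plain nested property
    "items[0].price",                   # indexed list access
    "user.roles(1).name",               # indexed access in the (n) form
    "myMap['myKey']",                   # quoted map key, word characters only
    "myMap['\u952e\u503c']",            # quoted map key made of CJK characters
    "myMap['my-key']",                  # the minus sign asked about in the thread
    "myMap.my-key",                     # same key without the quotes
    'myMap["myKey"]',                   # double quotes are not in the pattern
    "#session['user']",                 # OGNL context reference
    "@java.lang.Runtime@getRuntime()",  # OGNL static method call syntax
    "user.name ",                       # trailing whitespace
]

if __name__ == "__main__":
    for name, ok in classify(SAMPLE_PARAMS).items():
        verdict = "accept" if ok else "reject"
        print(f"{verdict:6}  {name}")
```

Run stand-alone, the block prints one verdict per name: the five names built only from word characters, digits in brackets or parentheses, and single-quoted word/CJK keys pass, and everything else (the minus-sign key in both its quoted and unquoted form, double-quoted keys, `#` and `@` prefixed OGNL syntax, stray whitespace) is rejected before it could reach OGNL.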

Re: [S2] Can an interceptor save the request to use it later ?

2008-05-27 Thread Andrea Vettori
Oops, sorry! On 27 May 2008, at 08:56, Antonio Petrelli wrote: Please ask this question on the Struts Users mailing list: http://struts.apache.org/mail.html Ciao Antonio 2008/5/27 Andrea Vettori <[EMAIL PROTECTED]>: Hi, I have a login interceptor that checks the pr

[S2] Can an interceptor save the request to use it later ?

2008-05-26 Thread Andrea Vettori
g the "composed URL method" even if it works, because it has some "hardcoded" values (i.e. the .action suffix) and because it converts all parameters to strings and then back to their original variable types when the URL is used in the redirect. Thanks -- Ing. Andr

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Andrea Vettori
truts/sandbox/trunk/struts2-uel-plugin-example/ If you want EL support back, please contribute to this sandboxed plugin. Antonio -- Ing. Andrea Vettori Information Technology Consultant

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Andrea Vettori
On 6 Mar 2008, at 19:04, Dale Newfield wrote: Andrea Vettori wrote: That's true, but shouldn't the app do some input checking? What you're suggesting is that we make this framework vulnerable to poorly written applications? I'd say the framework sh

Re: [struts-dev] Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Andrea Vettori
That's true, but shouldn't the app do some input checking? It's the same as SQL injection... On 6 Mar 2008, at 18:37, Dale Newfield wrote: Andrea Vettori wrote: can someone explain why it's bad practice to do something like this in a JSP page:

Re: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Andrea Vettori
truts-dangerous is dangerous. Of course, it is just my opinion. Felipe Rodrigues Andrea Vettori wrote: Hi, can someone explain why it's bad practice to do something like this in a JSP page: The 2nd point is the most important, from my view. Using JSP EL in Struts2 tags is not a best p

Re: Issue WW-2107 question - Is JSTL disable or not?

2008-03-06 Thread Andrea Vettori
OGNL, other times you use JSTL EL. Is 2. really a problem? Sorry, I didn't really understand. The second problem is that it keeps feeding this practice (using JSTL EL). -- Ing. Andrea Vettori Information Technology Consultant

Re: JSP EL in struts2 tags

2007-12-03 Thread Ing. Andrea Vettori
On 3 Dec 2007, at 08:48, Don Brown wrote: On 12/3/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote: I'm happy to know that a complete solution is being planned/developed. I just say that if the security problem is caused only by bad programming practice,

Re: JSP EL in struts2 tags

2007-12-02 Thread Ing. Andrea Vettori
now that a complete solution is being planned/developed. I just say that if the security problem is caused only by bad programming practice, removing EL evaluation from the S2 TLD is causing upgrade problems for many well-written applications. -- Ing. Andrea Vettori Consulente per l'Informa

Re: JSP EL in struts2 tags

2007-11-30 Thread Ing. Andrea Vettori
On 30 Nov 2007, at 17:22, Brian Pontarelli wrote: Andrea Vettori wrote: Already posted on the user list but maybe more appropriate here... Hi, It's been a long time since I was on this list. I've found, to my big surprise, that JSP EL is not available in S2 tags anymore. I

JSP EL in struts2 tags

2007-11-30 Thread Andrea Vettori
Already posted on the user list but maybe more appropriate here... Hi, It's been a long time since I was on this list. I've found, to my big surprise, that JSP EL is not available in S2 tags anymore. I've looked at the release notes and found it was because of a security problem similar to one I've discove

Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)

2007-07-16 Thread Ing. Andrea Vettori
romised XWork releases in the next few days. Don On 7/17/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote: > > > On 16 Jul 2007, at 16:46, Antonio Petrelli wrote: > > > 2007/7/16, Ing. Andrea Vettori <[EMAIL PROTECTED]>: > >> > >>

Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)

2007-07-16 Thread Ing. Andrea Vettori
recursion. Don's patch seems to evaluate in many passes from left to right, evaluating all expressions at the same level first (I don't remember the name for this type of recursion :) On 16 Jul 2007, at 16:21, Musachy Barroso wrote: I do use it musachy On 7/16/07, Ing.

Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)

2007-07-16 Thread Ing. Andrea Vettori
On 16 Jul 2007, at 16:46, Antonio Petrelli wrote: 2007/7/16, Ing. Andrea Vettori <[EMAIL PROTECTED]>: I suggested the value can be parametrized so that anyone who knows they use complex expressions can use a higher value. (b) is solved using loopCount=1 by default when dealing wit

Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)

2007-07-16 Thread Ing. Andrea Vettori
is "1." or a patch that, as I stated before, completely removes OGNL evaluation of user-entered values? I think that the conversation should follow two different directions: one for the immediate future (to solve the vulnerability) and one for the final decision. Antonio 200

Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)

2007-07-16 Thread Ing. Andrea Vettori
now that this type of expression will not be evaluated after installing the patch. Maybe Don has addressed this kind of expression in his patch... I'll take a look at it later. On 16 Jul 2007, at 16:09, Antonio Petrelli wrote: 2007/7/16, Ing. Andrea Vettori <[EMAIL PR

Re: Preventing OGNL evaluations of user input (was Re: Struts 2 performance)

2007-07-16 Thread Ing. Andrea Vettori
t; > > > Thanks, > > > Aram > > > > > > Aram Mkhitaryan > > > > > > 52, 25 Lvovyan, Yerevan 375000, Armenia > > > > > > Mobile: +374 91 518456 > > > E-mail: [EMAIL PROTECTED] > > > > > >

Re: [S2] Heads Up: possible DOS problem

2007-07-06 Thread Ing. Andrea Vettori
ted. musachy On 7/6/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote: Please take a look at the JIRA issue. I've uploaded a possible nice solution. I desperately :) need to know if there are any possible problems using this on my site until a better solution is found. -- Ing.

Re: [S2] Heads Up: possible DOS problem

2007-07-06 Thread Ing. Andrea Vettori
Please take a look at the JIRA issue. I've uploaded a possible nice solution. I desperately :) need to know if there are any possible problems using this on my site until a better solution is found. -- Ing. Andrea Vettori Consulente per l'Information

Re: [S2] Heads Up: possible DOS problem

2007-07-05 Thread Ing. Andrea Vettori
action by means of an HTTP parameter. In this case the evaluation should be turned off. Am I correct? P.S. Please let me know if I should continue writing the same opinions here AND in the JIRA issue or if it's best to use only one place (and where). -- Ing. Andrea Vettor

Re: [S2] Heads Up: possible DOS problem

2007-07-05 Thread Ing. Andrea Vettori
know if this is the cause of my garbage problems! We'll see (very soon I hope). -- Ing. Andrea Vettori Information Technology Consultant

Re: [S2] Heads Up: possible DOS problem

2007-07-05 Thread Ing. Andrea Vettori
in acceptableNames() musachy On 7/5/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote: > > The DoS is because you can trigger an infinite loop. > > Please take a look at the JIRA issue. > > Looks like we need to do different things if the value is specified > in th

Re: [S2] Heads Up: possible DOS problem

2007-07-05 Thread Ing. Andrea Vettori
On 5 Jul 2007, at 17:47, Bob Lee wrote: Possible DoS? Isn't this a remote exploit? Can you call arbitrary methods? Bob On 7/5/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote: some simple testing shows that the field value is simply evaluated... try to put on a struts

Re: [S2] Heads Up: possible DOS problem

2007-07-05 Thread Ing. Andrea Vettori
Jul 2007, at 14:00, Andrea wrote: Antonio Petrelli writes: Hi all, Andrea Vettori, in the Struts Users mailing list, probably discovered a possible Denial-of-Service bug in Struts 2. The cause could be XWork. Hi, furthermore I'd like to know if there are other