Re: Are S2-018 and S2-019 serious / remotely exploitable?

2013-09-18 Thread Dave Newton
On Wed, Sep 18, 2013 at 11:09 AM, rgm str...@rgm.nu wrote: http://struts.apache.org/release/2.3.x/docs/s2-017.html Fixing 19 is as simple as disabling dynamic method invocation. I'm unclear on what 18 is; it looks like an extension of 16/17, and as such, I'd do the upgrade--not that it's a

Are S2-018 and S2-019 serious / remotely exploitable?

2013-09-18 Thread rgm
Are S2-018 and S2-019 as serious as these issues that prompted 2.3.15.1? Should I rush to upgrade clients in the field to 2.3.15.2 as soon as it's available? As a reminder, these issues were fixed in 2.3.15.1, and one was marked highly critical: - CVE 2013-2251 -

Re: validator type=regex : param name is regex , not expression

2013-09-18 Thread Chris
Hello, do you have any idea since when (which version) the word expression is no longer available? In some examples on the Web or in books, the word used is still expression. Regards, Chris

XWork injection intermittently skipped

2013-09-18 Thread Patrick Savage
We are using XWork's @Inject in Struts 2.3.1.2 to inject a DefaultObjectTypeDeterminer into a custom type converter. Since upgrading from Java 1.6.0_33 to 1.7.0_25, this injection does not occur about half the time. The other @Inject we use (injecting a ValidatorFactory into a custom

RE: XWork injection intermittently skipped

2013-09-18 Thread Martin Gainty
From: patrick.sav...@3pillarglobal.com To: user@struts.apache.org Subject: XWork injection intermittently skipped Date: Wed, 18 Sep 2013 16:08:25 -0400 We are using XWork's @Inject in Struts 2.3.1.2 to inject a DefaultObjectTypeDeterminer into a custom type converter. Since upgrading

Re: XWork injection intermittently skipped

2013-09-18 Thread Lukasz Lenart
2013/9/18 Patrick Savage patrick.sav...@3pillarglobal.com: We are using XWork's @Inject in Struts 2.3.1.2 to inject a DefaultObjectTypeDeterminer into a custom type converter. Since upgrading from Java 1.6.0_33 to 1.7.0_25, this injection does not occur about half the time. The other @Inject

Re: Are S2-018 and S2-019 serious / remotely exploitable?

2013-09-18 Thread Lukasz Lenart
2013/9/18 rgm str...@rgm.nu: Are S2-018 and S2-019 as serious as these issues that prompted 2.3.15.1? Should I rush to upgrade clients in the field to 2.3.15.2 as soon as it's available? S2-018 can be critical, it depends on how your application is structured - but it isn't a Remote Code

Re: validator type=regex : param name is regex , not expression

2013-09-18 Thread Lukasz Lenart
Some time ago ... with 2.3.12. I renamed expression to regex, as right now you can define regexExpression as an Ognl expression - there was a name clash without renaming ;-) http://struts.apache.org/development/2.x/docs/version-notes-23120.html 2013/9/18 Chris christal...@yahoo.fr: Hello , Do