Re: validator type="regex" : param name is regex , not expression

2013-09-18 Thread Lukasz Lenart
Some time ago ... with 2.3.12. I have renamed expression to regex as right now you can define regexExpression as Ognl expression - there was a name clash without renaming ;-)

http://struts.apache.org/development/2.x/docs/version-notes-23120.html

2013/9/18 Chris:
> Hello,
>
> Do you have any idea s

Re: Are S2-018 and S2-019 serious / remotely exploitable?

2013-09-18 Thread Lukasz Lenart
2013/9/18 rgm:
> Are S2-018 and S2-019 as serious as these issues that prompted 2.3.15.1?
> Should I rush to upgrade clients in the field to 2.3.15.2 as soon as it's
> available?

S2-018 can be critical, it depends on how your application is structured - but it isn't a Remote Code Execution flaw.

Re: XWork injection intermittently skipped

2013-09-18 Thread Lukasz Lenart
2013/9/18 Patrick Savage:
> We are using XWork's @Inject in Struts 2.3.1.2 to inject a
> DefaultObjectTypeDeterminer into a custom type converter. Since upgrading
> from Java 1.6.0_33 to 1.7.0_25, this injection does not occur about half the
> time. The other @Inject we use (injecting a ValidatorF

RE: XWork injection intermittently skipped

2013-09-18 Thread Martin Gainty
> From: patrick.sav...@3pillarglobal.com
> To: user@struts.apache.org
> Subject: XWork injection intermittently skipped
> Date: Wed, 18 Sep 2013 16:08:25 -0400
>
> We are using XWork's @Inject in Struts 2.3.1.2 to inject a
> DefaultObjectTypeDeterminer into a custom type converter. Since upgr

XWork injection intermittently skipped

2013-09-18 Thread Patrick Savage
We are using XWork's @Inject in Struts 2.3.1.2 to inject a DefaultObjectTypeDeterminer into a custom type converter. Since upgrading from Java 1.6.0_33 to 1.7.0_25, this injection does not occur about half the time. The other @Inject we use (injecting a ValidatorFactory into a custom ActionValidato

Re: validator type="regex" : param name is regex , not expression

2013-09-18 Thread Chris
Hello,

Do you have any idea since when (which version) the word expression is no longer available? In some examples on the Web or in books, the word used is still "expression".

Regards
Chris
--

Are S2-018 and S2-019 serious / remotely exploitable?

2013-09-18 Thread rgm
Are S2-018 and S2-019 as serious as these issues that prompted 2.3.15.1? Should I rush to upgrade clients in the field to 2.3.15.2 as soon as it's available? As a reminder, these issues were fixed in 2.3.15.1, and one was marked highly critical: - CVE 2013-2251 - S2-016

Re: Are S2-018 and S2-019 serious / remotely exploitable?

2013-09-18 Thread Dave Newton
On Wed, Sep 18, 2013 at 11:09 AM, rgm wrote:
> http://struts.apache.org/release/2.3.x/docs/s2-017.html

"Fixing" 19 is as simple as disabling dynamic method invocation. I'm unclear on what 18 is; it looks like an extension of 16/17, and as such, I'd do the upgrade--not that it's a major underta