Security vulnerability process for EOL versions

2017-09-13 Thread Lehmer, Jason
In cases where the Struts community is notified or discovers a security 
vulnerability in a supported version, does the evaluation process include 
identifying unsupported versions that may be impacted as well? I realize the 
recommendation will likely be to upgrade to a supported version but I just 
wanted to confirm that even EOL versions are taken into account when 
identifying potential impacts.

Thanks!



Re: No container in actions after upgrading to 2.5.13

2017-09-13 Thread LAW Andy
That looks more relevant. I’ll look into it some more tomorrow morning.

Thanks for your help so far.


> On 13 Sep 2017, at 17:04, Yasser Zamani  wrote:
> 
> Maybe you have a similar issue of [1].
> 
> Say you have X that extends ActionSupport. Please make sure if every X 
> has been instantiated not manually (e.g. X = new X() inside your java 
> files). They should be instantiated via Struts' object factory ( e.g. 
>  
> [1] 
> https://issues.apache.org/jira/browse/WW-4813?focusedCommentId=16085291&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16085291
> 
> On 9/13/2017 7:31 PM, LAW Andy wrote:
>> 
>>> On 13 Sep 2017, at 14:17, Lukasz Lenart  wrote:
>>> 
>>> 2017-09-13 11:02 GMT+02:00 LAW Andy :
>>>> Using version 2.5.13 on Tomcat 8.0.21.
>>>> 
>>>> I’ve attached it to this message as a text file.
>>> 
>>> How do you fetch action in
>>> "my.domain.controller.ActionOption.getAction(ActionOption.java:138)" ?
>>> Do you construct those actions manually?
>>> 
>>> at 
>>> my.domain.controller.ActionOptionBase.getTextFromProperties(ActionOptionBase.java:122)
>>> ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?]
>>> at my.domain.controller.ActionOption.getAction(ActionOption.java:138)
>>> ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?]
>>> 
>> 
>> 
>> 
>> That function is badly named. It actually should be called getActionName();
>> 
>> The Action contains one or more ActionOption objects. These are built in the 
>> constructor.
>> 
>> Later,
>> 
>> Andy
>> 
>> 
>> 


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org


Re: No container in actions after upgrading to 2.5.13

2017-09-13 Thread Yasser Zamani
Maybe you have a similar issue of [1].

Say you have X that extends ActionSupport. Please make sure if every X 
has been instantiated not manually (e.g. X = new X() inside your java 
files). They should be instantiated via Struts' object factory ( e.g. 
https://issues.apache.org/jira/browse/WW-4813?focusedCommentId=16085291&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16085291

On 9/13/2017 7:31 PM, LAW Andy wrote:
> 
>> On 13 Sep 2017, at 14:17, Lukasz Lenart  wrote:
>>
>> 2017-09-13 11:02 GMT+02:00 LAW Andy :
>>> Using version 2.5.13 on Tomcat 8.0.21.
>>>
>>> I’ve attached it to this message as a text file.
>>
>> How do you fetch action in
>> "my.domain.controller.ActionOption.getAction(ActionOption.java:138)" ?
>> Do you construct those actions manually?
>>
>> at 
>> my.domain.controller.ActionOptionBase.getTextFromProperties(ActionOptionBase.java:122)
>> ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?]
>> at my.domain.controller.ActionOption.getAction(ActionOption.java:138)
>> ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?]
>>
> 
> 
> 
> That function is badly named. It actually should be called getActionName();
> 
> The Action contains one or more ActionOption objects. These are built in the 
> constructor.
> 
> Later,
> 
> Andy
> 
>   
> 


Re: No container in actions after upgrading to 2.5.13

2017-09-13 Thread LAW Andy

> On 13 Sep 2017, at 14:17, Lukasz Lenart  wrote:
> 
> 2017-09-13 11:02 GMT+02:00 LAW Andy :
>> Using version 2.5.13 on Tomcat 8.0.21.
>> 
>> I’ve attached it to this message as a text file.
> 
> How do you fetch action in
> "my.domain.controller.ActionOption.getAction(ActionOption.java:138)" ?
> Do you construct those actions manually?
> 
> at 
> my.domain.controller.ActionOptionBase.getTextFromProperties(ActionOptionBase.java:122)
> ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?]
> at my.domain.controller.ActionOption.getAction(ActionOption.java:138)
> ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?]
> 



That function is badly named. It actually should be called getActionName();

The Action contains one or more ActionOption objects. These are built in the 
constructor.

Later,

Andy

 


Re: No container in actions after upgrading to 2.5.13

2017-09-13 Thread Lukasz Lenart
2017-09-13 11:02 GMT+02:00 LAW Andy :
> Using version 2.5.13 on Tomcat 8.0.21.
>
> I’ve attached it to this message as a text file.

How do you fetch action in
"my.domain.controller.ActionOption.getAction(ActionOption.java:138)" ?
Do you construct those actions manually?

at 
my.domain.controller.ActionOptionBase.getTextFromProperties(ActionOptionBase.java:122)
~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?]
at my.domain.controller.ActionOption.getAction(ActionOption.java:138)
~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?]


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/




Re: No container in actions after upgrading to 2.5.13

2017-09-13 Thread LAW Andy
Using version 2.5.13 on Tomcat 8.0.21.

I’ve attached it to this message as a text file.

Later,

Andy



> On 12 Sep 2017, at 15:56, Yasser Zamani  wrote:
>
> Each one you're more comfortable or is more important for you.
>
> On 9/12/2017 7:08 PM, LAW Andy wrote:
>>
>>> On 12 Sep 2017, at 14:46, Yasser Zamani  wrote:
>>>
>>> Great! they mean devMode works.
>>>
>>> Could you post your whole stacktrace of exception (including caused
>>> bys). If you should not send your internal app related info, delete such
>>> lines from stacktrace. I need to know the trace of the Struts itself
>>> only. If I know how and where Struts fails, then it'll be helpful a lot.
>>>
>>
>> Do you want 2.5.12 or 2.5.13 ?
>>
>> Later,
>>
>> Andy
>>
>>
>>
>
>


Re: Error Struts 2.3.33

2017-09-13 Thread Yasser Zamani


On 9/12/2017 11:09 PM, Yasser Zamani wrote:
> I should correct myself; You can write it in both #session['foo'] or 
> #session.foo
> 
> So, now you should examine whether previousBusinessStateList exists in the 
> session on that action call which returns that JSP including the s:select tag.
> 

Also, I remember a similar issue in our app; this may be related to timed-out, 
expired sessions.

> On 9/12/2017 11:02 PM, Yasser Zamani wrote:
>> It means you have > but Struts can not find previousBusinessStateList inside value stack.
>>
>> As I remember you should write it like below instead:
>>
>> #session['previousBusinessStateList']
>>
>> On 9/12/2017 8:57 PM, Deborah White wrote:
>>> Can someone take a look at this and tell me what exactly it means and 
>>> possibly how to resolve?  My log file fills up with these.
>>> 12:43:57,952 ERROR 
>>> [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] 
>>> (ajp-jbappprd4/172.26.11.62:8409-4) Exception occurred during 
>>> processing request: tag 'select', field 'list', name 
>>> 'renewSectionOneData.previousBusinessState': The requested list key 
>>> '#session.previousBusinessStateList' could not be resolved as a 
>>> collection/array/map/enumeration/iterator type. Example: people or 
>>> people.{name} - [unknown location]: 
>>> org.apache.jasper.JasperException: tag 'select', field 'list', name 
>>> 'renewSectionOneData.previousBusinessState': The requested list key 
>>> '#session.previousBusinessStateList' could not be resolved as a 
>>> collection/array/map/enumeration/iterator type. Example: people or 
>>> people.{name} - [unknown location]
>>>
>>>
>>>
>>
>>




Re: Struts 2.3.16 to 2.3.33

2017-09-13 Thread Lukasz Lenart
2017-09-12 19:22 GMT+02:00 Deborah White :
> Do you know why I am seeing this since migrating?
>
> Unable to find 'struts.multipart.saveDir' property setting. Defaulting to 
> javax.servlet.context.tempdir

It's just an INFO and it was there for a long time - basically nothing
to worry about

> I have a struts.properties file, do I need to add something?

See docs
https://struts.apache.org/docs/handling-file-uploads.html


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
