Security vulnerability process for EOL versions
In cases where the Struts community is notified or discovers a security vulnerability in a supported version, does the evaluation process include identifying unsupported versions that may be impacted as well? I realize the recommendation will likely be to upgrade to a supported version but I just wanted to confirm that even EOL versions are taken into account when identifying potential impacts. Thanks!
Re: No container in actions after upgrading to 2.5.13
That looks more relevant. I’ll look into it some more tomorrow morning. Thanks for your help so far. > On 13 Sep 2017, at 17:04, Yasser Zamaniwrote: > > Maybe you have a similar issue of [1]. > > Say you have X that extends ActionSupport. Please make sure if every X > has been instantiated not manually (e.g. X = new X() inside your java > files). They should be instantiated via Strut's object factory ( e.g. > > [1] > https://issues.apache.org/jira/browse/WW-4813?focusedCommentId=16085291=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16085291 > > On 9/13/2017 7:31 PM, LAW Andy wrote: >> >>> On 13 Sep 2017, at 14:17, Lukasz Lenart wrote: >>> >>> 2017-09-13 11:02 GMT+02:00 LAW Andy : Using version 2.5.13 on Tomcat 8.0.21. I’ve attached it to this message as a text file. >>> >>> How do you fetch action in >>> "my.domain.controller.ActionOption.getAction(ActionOption.java:138)" ? >>> Do you construct those actions manually? >>> >>> at >>> my.domain.controller.ActionOptionBase.getTextFromProperties(ActionOptionBase.java:122) >>> ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?] >>> at my.domain.controller.ActionOption.getAction(ActionOption.java:138) >>> ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?] >>> >> >> >> >> That function is badly named. It actually should be called getActionName(); >> >> The Action contains one or more ActionOption objects. These are built in the >> constructor. >> >> Later, >> >> Andy >> >> >> -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: No container in actions after upgrading to 2.5.13
Maybe you have a similar issue of [1]. Say you have X that extends ActionSupport. Please make sure if every X has been instantiated not manually (e.g. X = new X() inside your java files). They should be instantiated via Strut's object factory ( e.g. https://issues.apache.org/jira/browse/WW-4813?focusedCommentId=16085291=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16085291 On 9/13/2017 7:31 PM, LAW Andy wrote: > >> On 13 Sep 2017, at 14:17, Lukasz Lenartwrote: >> >> 2017-09-13 11:02 GMT+02:00 LAW Andy : >>> Using version 2.5.13 on Tomcat 8.0.21. >>> >>> I’ve attached it to this message as a text file. >> >> How do you fetch action in >> "my.domain.controller.ActionOption.getAction(ActionOption.java:138)" ? >> Do you construct those actions manually? >> >> at >> my.domain.controller.ActionOptionBase.getTextFromProperties(ActionOptionBase.java:122) >> ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?] >> at my.domain.controller.ActionOption.getAction(ActionOption.java:138) >> ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?] >> > > > > That function is badly named. It actually should be called getActionName(); > > The Action contains one or more ActionOption objects. These are built in the > constructor. > > Later, > > Andy > > >
Re: No container in actions after upgrading to 2.5.13
> On 13 Sep 2017, at 14:17, Lukasz Lenartwrote: > > 2017-09-13 11:02 GMT+02:00 LAW Andy : >> Using version 2.5.13 on Tomcat 8.0.21. >> >> I’ve attached it to this message as a text file. > > How do you fetch action in > "my.domain.controller.ActionOption.getAction(ActionOption.java:138)" ? > Do you construct those actions manually? > > at > my.domain.controller.ActionOptionBase.getTextFromProperties(ActionOptionBase.java:122) > ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?] > at my.domain.controller.ActionOption.getAction(ActionOption.java:138) > ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?] > That function is badly named. It actually should be called getActionName(); The Action contains one or more ActionOption objects. These are built in the constructor. Later, Andy -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: No container in actions after upgrading to 2.5.13
2017-09-13 11:02 GMT+02:00 LAW Andy: > Using version 2.5.13 on Tomcat 8.0.21. > > I’ve attached it to this message as a text file. How do you fetch action in "my.domain.controller.ActionOption.getAction(ActionOption.java:138)" ? Do you construct those actions manually? at my.domain.controller.ActionOptionBase.getTextFromProperties(ActionOptionBase.java:122) ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?] at my.domain.controller.ActionOption.getAction(ActionOption.java:138) ~[mydomain-struts2-controller-4.0-SNAPSHOT.jar:?] Rregards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: No container in actions after upgrading to 2.5.13
Using version 2.5.13 on Tomcat 8.0.21. I’ve attached it to this message as a text file. Later, Andy > On 12 Sep 2017, at 15:56, Yasser Zamaniwrote: > > Each one you're more comfortable or is more important for you. > > On 9/12/2017 7:08 PM, LAW Andy wrote: >> >>> On 12 Sep 2017, at 14:46, Yasser Zamani wrote: >>> >>> Great! they mean devMode works. >>> >>> Could you post your whole stacktrace of exception (including caused >>> bys). If you should not send your internal app related info, delete such >>> lines from stacktrace. I need to know the trace of the Struts itself >>> only. If I know how and where Struts fails, then it'll be helpful a lot. >>> >> >> Do you want 2.5.12 or 2.5.13 ? >> >> Later, >> >> Andy >> >> >> > > - > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org > For additional commands, e-mail: user-h...@struts.apache.org > 13-Sep-2017 09:41:50.559 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/8.0.21 13-Sep-2017 09:41:50.560 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Mar 23 2015 14:11:21 UTC 13-Sep-2017 09:41:50.560 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number: 8.0.21.0 13-Sep-2017 09:41:50.560 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Mac OS X 13-Sep-2017 09:41:50.561 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 10.11.6 13-Sep-2017 09:41:50.561 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: x86_64 13-Sep-2017 09:41:50.561 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /Library/Java/JavaVirtualMachines/jdk1.8.0_144.jdk/Contents/Home/jre 13-Sep-2017 09:41:50.561 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.8.0_144-b01 13-Sep-2017 09:41:50.561 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Oracle Corporation 13-Sep-2017 09:41:50.561 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /Users/my-username/tomcat/apache-tomcat-8.0.21 13-Sep-2017 09:41:50.561 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /Users/my-username/tomcat/apache-tomcat-8.0.21 13-Sep-2017 09:41:50.562 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/Users/my-username/tomcat/apache-tomcat-8.0.21/conf/logging.properties 13-Sep-2017 09:41:50.562 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 13-Sep-2017 09:41:50.562 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=/Users/my-username/tomcat/apache-tomcat-8.0.21/endorsed 13-Sep-2017 09:41:50.562 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/Users/my-username/tomcat/apache-tomcat-8.0.21 13-Sep-2017 09:41:50.562 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/Users/my-username/tomcat/apache-tomcat-8.0.21 13-Sep-2017 09:41:50.562 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/Users/my-username/tomcat/apache-tomcat-8.0.21/temp 13-Sep-2017 09:41:50.562 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /Users/my-username/Library/Java/Extensions:/Library/Java/Extensions:/Network/Library/Java/Extensions:/System/Library/Java/Extensions:/usr/lib/java:. 13-Sep-2017 09:41:50.877 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8082"] 13-Sep-2017 09:41:50.943 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read 13-Sep-2017 09:41:50.946 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-8009"] 13-Sep-2017 09:41:50.947 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read 13-Sep-2017 09:41:50.947 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1347 ms 13-Sep-2017 09:41:51.024 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina 13-Sep-2017 09:41:51.024 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.21 13-Sep-2017
Re: Error Struts 2.3.33
On 9/12/2017 11:09 PM, Yasser Zamani wrote: > I should correct myself; You can write it in both #session['foo'] or > #session.foo > > So, now you should examine that previousBusinessStateList exists in > session on that action call which return that jsp including s:select tag. > Also I remember similar issue in our APP; This may is belong to timed out expired sessions. > On 9/12/2017 11:02 PM, Yasser Zamani wrote: >> It means you have > but Struts can not find previousBusinessStateList inside value stack. >> >> As I remember you should write it like below instead: >> >> #session['previousBusinessStateList'] >> >> On 9/12/2017 8:57 PM, Deborah White wrote: >>> Can someone take a look at this and tell me what exactly it means and >>> possibly how to resolve? My log file fills up with these. >>> 12:43:57,952 ERROR >>> [org.apache.struts2.dispatcher.DefaultDispatcherErrorHandler] >>> (ajp-jbappprd4/172.26.11.62:8409-4) Exception occurred during >>> processing request: tag 'select', field 'list', name >>> 'renewSectionOneData.previousBusinessState': The requested list key >>> '#session.previousBusinessStateList' could not be resolved as a >>> collection/array/map/enumeration/iterator type. Example: people or >>> people.{name} - [unknown location]: >>> org.apache.jasper.JasperException: tag 'select', field 'list', name >>> 'renewSectionOneData.previousBusinessState': The requested list key >>> '#session.previousBusinessStateList' could not be resolved as a >>> collection/array/map/enumeration/iterator type. Example: people or >>> people.{name} - [unknown location] >>> >>> >>> CONFIDENTIALITY NOTICE: This communication with its contents may >>> contain confidential and/or legally privileged information. It is >>> solely for the use of the intended recipient(s). Unauthorized >>> interception, review, use or disclosure is prohibited and may violate >>> applicable laws including the Electronic Communications Privacy Act. >>> If you are not the intended recipient, please contact the sender and >>> destroy all copies of the communication. >>> >> >> - >> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org >> For additional commands, e-mail: user-h...@struts.apache.org >> - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Struts 2.3.16 to 2.3.33
2017-09-12 19:22 GMT+02:00 Deborah White: > Do you know why I am seeing this since migrating? > > Unable to find 'struts.multipart.saveDir' property setting. Defaulting to > javax.servlet.context.tempdir It just an INFO and it was there for a long time - basically nothing to worry about > I have a struts.properties file, do I need to add something? See docs https://struts.apache.org/docs/handling-file-uploads.html Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org