I tried this too, and I can confirm that it does actually shut down the
server. The return value of the method that the property tag references is
evaluated for some reason, which makes the application vulnerable to OGNL
injection attacks... this is a huge security problem.
On 7/16/07, Aram
I have a website that uses Struts 2.0 with AJAX tags. The website is
displaying/working fine in Mozilla Firefox, but when I tried to view it in
Internet Explorer it displays a blank page. I don't know how to solve it. I
need to make my application browser independent. Is there a difference in
coding
Tried this in a webwork app which is internal and it has the same problem. Shut
down the server.
David Sullivan - [EMAIL PROTECTED]
Senior Java Developer
ITSA - Insolvency and Trustee Services Australia
(w) 6270 3436
(m) 0402 309 488
-Original Message-
From: Toni Lyytikäinen
2007/7/16, Arunkumar Balasubramanian [EMAIL PROTECTED]:
Hi
Is it possible to have a reusable <html:form property="effemonthMM"> which
needs the Struts form to store its value? If there is a way to do this, it
will be really helpful in my project.
What do you exactly mean with reusable?
If you
If your application is displaying user input without checking for
malicious code, you have a problem whether Struts 2 evaluates OGNL
expressions or not. This is how the majority of Cross-Site
Scripting (XSS) [1] attacks work, tricking the user into visiting a
page that the attacker has
2007/7/15, Prashant Desai [EMAIL PROTECTED]:
isn't there a simple menu that was present in struts 1.0 ?
Present, no, and it was never present in Struts 1.x (except for Tiles menus
[in the 1.1 version], but I don't think that is what you want).
You may want to take a look at struts-menu at
Is there a policy or person in the struts2, webwork or apache team with
a PR role that's going to announce the vulnerability?
I'm obliged to keep my clients informed and I'd rather point them to a
factual article announced by the community than to a misinformed post
that will undoubtedly soon
look here
http://struts.apache.org/2.0.8/docs/property.html
http://struts.apache.org/2.0.8/docs/text.html
http://struts.apache.org/2.0.8/docs/if.html
and in pages of other tags
there you can find a column Evaluated
and everywhere it has value true
I guess that means that values are being
If you are not using dyna action forms, you can override the method
validate in the ActionForm bean. Or even extend this dyna validation
action form and implement your own validate like:
[...]
public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
Sorry, the code would be like:
ActionErrors errors = new ActionErrors();
errors.add(super.validate(mapping, request));
Don't forget to add the errors from the commons validator.
On Mon, 16-07-2007 at 10:05 +0200, Jorge Martín Cuervo wrote:
If you are not using dyna action forms, you
Should someone create a ticket in jira?
I guess it is really a huge problem.
Best,
Aram
Aram Mkhitaryan
52, 25 Lvovyan, Yerevan 375000, Armenia
Mobile: +374 91 518456
E-mail: [EMAIL PROTECTED]
2007/7/16, Aram Mkhitaryan [EMAIL PROTECTED]:
Should someone create a ticket in jira?
Yep.
https://issues.apache.org/struts/browse/WW-2030
Antonio
It's already known and a patch already exists.
https://issues.apache.org/struts/browse/WW-2030
Don't know when a patched version will be released.
On 16 Jul 07, at 10:29, Aram Mkhitaryan wrote:
Should someone create a ticket in jira?
I guess it is really a huge problem.
2007/7/16, Ing. Andrea Vettori [EMAIL PROTECTED]:
It's already known and a patch already exists.
Well, in fact the patch does not prevent execution of OGNL commands, but
disallows entering possibly malicious code, i.e. an expression like %{xxx} is
illegal: instead it should be evaluated as the
Sorry guys for spamming, but it is not clear what the patch exactly
resolves.
disallows entering possibly malicious code, i.e. an expression like %{xxx} is
illegal: instead it should be evaluated as the string %{xxx}.
What does it mean that the first is illegal, but should be evaluated as the string?
Could you
The patch works; the only problem is if you need to accept %{xxx} as
legal input from your users.
To apply the patch you need to download the xwork sources, apply the
patch (with the patch command, or manually if you don't have it, since
there are only a few lines of code) and insert a couple of lines
Hi,
I am new to the world of Struts. I have a query; can anyone help
regarding this?
My question is: form validation using Struts is not working with
Mozilla, but is working fine with IE.
I am sending my code also. What's wrong with it, I don't know.
Thanks in
Hi!
I'm using Tomcat 5.5.23, and Ant 1.7.0 to deploy, start, stop and
undeploy the S2 application.
From the console, it seems that the application was stopped and
undeployed successfully.
Looking at the webapps directory, everything has been deleted except
the S2's JARs in Tomcat
2007/7/16, hezjing [EMAIL PROTECTED]:
Well, I'm not sure if this is the Tomcat's problem.
Usually this happens under Windows, when a JAR is opened (for example, to
read a file) and it is never closed when finished (it will be closed by the
garbage collector, but that could happen AFTER the
Actually that patch is definitely not a solution.
The solution could be:
disable evaluation by default,
add a hint to enable evaluation.
For example:
old --- <s:property value="%{amount}" />
solution --- <s:property value="eval/%{amount}" />
I suggest this solution since
<s:property value="%{amount}" />
2007/7/16, Aram Mkhitaryan [EMAIL PROTECTED]:
I suggest this solution since
<s:property value="%{amount}" />
and
<s:property value="amount" />
should output the same. Am I wrong?
Definitely yes, I suggest you learn the basics of OGNL :-)
And anyway, in JSP pages OGNL is ok: it is when user's
Thanks for the response,
so if I type in my text input %{..System.exit(0);} it will not shut my
server down,
but what will happen?
will I get errors or just the text will not be evaluated?
Best,
Aram
Aram Mkhitaryan
52, 25 Lvovyan, Yerevan 375000, Armenia
Take a look at the JIRA issue, it's something I suggested too. We
should disable by default the evaluation of expressions when they are
input from the user (i.e. parameters to an action) and enable by
default the evaluation of expressions specified as parameters to tags.
On 16 Jul 07, at
The parameter is removed, so it's as if your input were an empty string.
On 16 Jul 07, at 11:36, Aram Mkhitaryan wrote:
Thanks for the response,
so if I type in my text input %{..System.exit(0);} it will not shut my
server down,
but what will happen?
will I get errors or just the
Yes, I'm having this problem almost every time I undeploy the
application on Windows XP.
The S2 application is using Spring, Hibernate, MySQL and etc.
May I know what are you expecting in the test environment? Simply a
WAR file to simulate the problem? with database schema and etc?
:-)
On
So the patch disables only evaluation of user submitted text,
but if I write expression in tags, that will work fine as before?
If this is true,
I think this is a good solution.
Sorry that I'm asking the same again, but this is the fastest way to know
the truth
so currently (without patches),
2007/7/16, hezjing [EMAIL PROTECTED]:
May I know what are you expecting in the test environment? Simply a
WAR file to simulate the problem? with database schema and etc?
Yes, a very simple WAR file, preferably without database. And don't forget
the instructions to replicate the problem :-)
Sorry that I'm asking the same again, but this is the fastest way
to know
the truth
so currently (without patches),
<s:property value="propName" /> just prints the propName
property, but
<s:property value="%{propName}" /> evaluates the expression in %{}
and if
propName=amount, it prints the
2007/7/16, Ing. Andrea Vettori [EMAIL PROTECTED]:
so currently (without patches),
<s:property value="propName" /> just prints the propName
property, but
<s:property value="%{propName}" /> evaluates the expression in %{}
and if
propName=amount, it prints the amount property?
No, <s:property
I think we both have to find out,
even better, to test which form works and does what ...
Thanks,
Aram
Aram Mkhitaryan
52, 25 Lvovyan, Yerevan 375000, Armenia
Mobile: +374 91 518456
E-mail: [EMAIL PROTECTED]
I don't know why your validation doesn't work in
Mozilla but does in IE, but I wanted to thank you for
making my job seem better.
--- bhba [EMAIL PROTECTED] wrote:
function validate() {
    var email = document.all.email.value;
    if (!isValidEmail(email)) {
        alert(Please enter a valid email
Hi. I setup Struts 2 on my computer and tried to run the HelloWorld example,
but am running into the same problem mentioned at the beginning of this
chain. Was the problem resolved? Any help would be greatly appreciated. I am
stuck.
- Boris
2007/7/16, Ing. Andrea Vettori [EMAIL PROTECTED]:
No, <s:property value="%{propName}" /> should be equivalent to
<s:property value="propName" />.
If it is true, then if you have a field named password and the user
types password then it is evaluated as %{password}, so you have an
infinite loop.
Andrea,
I'm glad to see so many people joining the discussion, but let's
please take this to the dev list. There are a lot of Struts
committers and contributors that don't read this user list. So
please, no more messages on this thread for this list.
Don
On 7/16/07, Don Brown [EMAIL PROTECTED] wrote:
Hi,
I think so too. But I've observed that the class called is correctly in the
JAR and its path in ApplicationContext.xml is right. I really don't know
what the problem is. Is it necessary to configure Tomcat 6 too? Musachy
Barroso in his article doesn't say anything about it.
Thank you
Don, could you please send the subject to continue the discussion in?
Should we use [EMAIL PROTECTED]
Thanks,
Aram
Aram Mkhitaryan
52, 25 Lvovyan, Yerevan 375000, Armenia
Mobile: +374 91 518456
E-mail: [EMAIL PROTECTED]
Hi,
I need to create a really fancy GUI, so I've been thinking about
integrating Struts with a Rich Internet Application (RIA) framework.
Is there a recommendation about which RIA is a good option to be used in
conjunction with Struts?
Or
Is there a good view layer technology that
I have replied in dev@ so please post over there. Thanks,
Don
On 7/16/07, Aram Mkhitaryan [EMAIL PROTECTED] wrote:
Don, could you please send the subject to continue the discussion in?
Should we use [EMAIL PROTECTED]
Thanks,
Aram
Aram Mkhitaryan
52, 25
https://issues.apache.org/struts/browse/WW-2030
musachy
On 7/16/07, Aram Mkhitaryan [EMAIL PROTECTED] wrote:
look here
http://struts.apache.org/2.0.8/docs/property.html
http://struts.apache.org/2.0.8/docs/text.html
http://struts.apache.org/2.0.8/docs/if.html
and in pages of other tags
there
This sample is completely different from any others, and this looks very
simple and easy.
I can imagine that the development and support based on this practice is
very easy and practical.
HiDe
Then use HTML and the property tag to obtain the value from the action or
value stack. It's only the form tags that use themes/FreeMarker templating.
/Ian
Néstor Boscán wrote:
That's correct, but in this project I have to work with OGNL and the Struts
2 Tags.
Regards,
Néstor Boscán
The solution to this seems to be removing the xercesImpl.jar and
xml-apis.jar from the common/endorsed folder of Tomcat. Probably not much
chance of my web host doing this for me in a shared environment, so I
guess I'm out of luck.
On 7/15/07, Phillip Blevins [EMAIL PROTECTED] wrote:
I'm using the
Yes, thanks, that's something I can do, but what about the JavaScript code for
the client-side validation?
Regards,
Néstor Boscán
-Original Message-
From: Ian Roughley [mailto:[EMAIL PROTECTED]
Sent: Monday, 16 July 2007 11:51 a.m.
To: Struts Users Mailing List
Subject: Re:
Hi all,
I am trying to integrate the Struts 2 HelloWorld into my project, but I get
the error message:
There is no Action mapped for action name HelloWorld. - [unknown
location]. I think it is a configuration problem, but I do not know how to fix
it.
My project WAR structure is like this:
This is a followup to an earlier message about a bug causing an infinite
redirect in my Struts application. We integrate with Spring via
action-servlet.xml.
The following is the content of my index.jsp page (the only JSP not
behind WEB-INF):
You have to pick your poison. You use the tags with their advantages
and disadvantages, or you implement what you need (client side
validation) manually.
/Ian
Néstor Boscán wrote:
Yes, thanks, that's something I can do, but what about the JavaScript code for
the client-side validation?
Hi,
struts.xml should be inside the classes dir in the WEB-INF folder,
Thanks,
Nuwan
- Original Message -
From: lupus [EMAIL PROTECTED]
To: user@struts.apache.org
Sent: Monday, July 16, 2007 5:23 PM
Subject: Help!_no Action mapped for action name HelloWorld
Hi all,
I am trying
The Struts 1 tags took a nice middle ground. They had the advantages
(auto property management and validation) without all the mentioned
disadvantages (slow rendering and loss of visual control). Any chance
we could see something along this vein in Struts 2?
(*Chris*)
On 7/16/07, Ian Roughley
Can someone explain to me how the bean tag in the struts.xml file works? I
have read the docs at the following URL:
http://struts.apache.org/2.0.8/docs/bean-configuration.html
The part I'm confused on is how beans defined with the bean tag are used
by the Struts 2 framework. Are these beans
I got two action classes, A and B.
A has a bunch of getters and B has corresponding setters.
In order to get the value from A into B, does that value need to
appear in the JSP? e.g. <s:hidden name="variable1" />?
I know I can get it to work by passing the values through the JSP (and
calling B from
Thanks.
I did get the same error with Struts 2.0.6 and Junit 4.0. After adding the
statement of ObjectFactory in setUpBeforeClass, it works.
Daniel H.
Ben Morgan wrote:
k hall wrote:
I really like Struts 2 but has anyone had any success in testing Struts
2's action validation logic?
Ha, ha, thanks
-Original Message-
From: Ian Roughley [mailto:[EMAIL PROTECTED]
Sent: Monday, 16 July 2007 01:29 p.m.
To: Struts Users Mailing List
Subject: Re: Struts 2 Theme that doesn't generate extra HTML
You have to pick your poison. You use the tags with their
Thank you Antonio,
Yeah, I was referring to tiles-menu, which I had used in 1.0 a few years back,
but it seems you have some reason not to advise that tiles-menu be used?
I need to implement a good menu in my website. Last week I tried to implement
the menu that is given at the site
This is effectively possible 'out of the box' in S2. Just use the
'method' attribute on an <s:submit> tag, for example, to control dispatch.
L.
Boon Leng wrote:
Hi,
What I want to achieve is to migrate EventDispatchAction, which means the
methods will be called based on the event, not based on
Your page uses custom Javascript for form validation, not the Struts
validation framework, so it doesn't appear that the problem is Struts
related.
L
bhba wrote:
Hi,
I am new to the world of Struts. I have a query; can anyone help
regarding this?
My question is: form
Sorry I didn't get back to you today. My cpu fan died over the weekend.
Lol, help finally arrived and I'm back in business. I'm out of the
office tomorrow, so I'll try you Wednesday.
-Original Message-
From: Ferguson, Jason M TSgt 375 CSPTS/SCE
[mailto:[EMAIL PROTECTED]
Sent: Monday,
I always try to use JSTL and JSP-EL when I can, but there used to be bugs in
the process of getting the JSTL tags to work with the value stack. Are those
problems fixed in 2.0.8?
Then there is the question of Ajax in S2. Completely abandoning the S2 tags
will require using Ajax from an
Hi
Thanks for your response.
Let me elaborate my question in detail. I am working on creating a tile page
which has a reusable calendar icon. The calendar icon on pageone.jsp is
<a href="javascript:newWindow_sepatate_fields(document.editAddress.monthMM,
document.editAddress.dateDD,
Hi
I am using Struts 1.3.8. I want to create resource bundle properties files for
every JSP page. How does that need to be configured in struts-config.xml, since as I
know there would be only one ApplicationResources.properties file for all the JSP
pages for every language? Can we create more than
Please unsubscribe my id from this user mail group.
I have tried a lot but it's not working.
Please unsubscribe me from this list. Please...
---
Bala (Cell 408-712-2143)
IT Operations Support
---
Hello All,
I tried a lot but I can't unsubscribe from this list. Can somebody do this
for me?
Thanks in advance.
Hafeez
76 matches