On 04/25/2014 10:23 AM, Lukasz Lenart wrote:
You can create one abstract package and all other packages can inherit
from it - the same as you inherit from "tiles-default"
So, another way to do the change would be:
<package name="top" extends="tiles-default">
..... //Coding for [1]
</package>
<package name="p1" namespace="/n1" extends="top">
......
<package name="pN" namespace="/nN" extends="top">
Is it correct?
Or, if I keep "extends=tiles-default", by adding "interceptors(coding for [1])"
to p1...pN as shown below will do the job, right?
Thanks a lot!
Hello List,
Need your confirmation for [1] mitigation. For example, package: p1, p2...
pN, for each package, I should do the following, right?
Do I miss anything or is there a way that can patch one place and cover all
packages instead of doing p1... PN?
(a) struts1.xml
<package name="p1" namespace="/n1" extends="tiles-default">
<result-types>
<result-type name="tiles"
class="org.apache.struts2.views.tiles.TilesResult" />
</result-types>
<interceptors>
<interceptor-stack name="secureDefaultStack">
<interceptor-ref name="defaultStack">
<param
name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
</interceptor-ref>
</interceptor-stack>
</interceptors>
<default-interceptor-ref name="secureDefaultStack" />
<action name= ....>
......
</package>
......
......
(N) strutsN.xml
<package name="pN" namespace="/nN" extends="tiles-default">
<result-types>
<result-type name="tiles"
class="org.apache.struts2.views.tiles.TilesResult" />
</result-types>
<interceptors>
<interceptor-stack name="secureDefaultStack">
<interceptor-ref name="defaultStack">
<param
name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
</interceptor-ref>
</interceptor-stack>
</interceptors>
<default-interceptor-ref name="secureDefaultStack" />
<action name= ....>
......
</package>
On 04/24/2014 02:39 PM, Rene Gielen wrote:
Yes.
Am 24.04.14 19:37, schrieb em...@cse.concordia.ca:
Hello List,
I am using tiles-default:
<struts>
<package name="Example" namespace="/Action/Example"
extends="tiles-default">
<result-types>
<result-type name="tiles"
class="org.apache.struts2.views.tiles.TilesResult" />
</result-types>
<action name="*ProcessExampleAction" method="{1}"
class="ExampleAction">
<result name="success" type="tiles">success_gui</result>
<result name="ajax_check">
/WEB-INF/pages/errorinfo/ajax_error_check.jsp
</result>
</action>
Do I need this update below as well? Thank you!
On 04/24/2014 11:32 AM, Rene Gielen wrote:
In Struts 2.3.16.1, an issue with ClassLoader manipulation via request
parameters was supposed to be resolved. Unfortunately, the correction
wasn't sufficient.
A security fix release fully addressing this issue is in preparation and
will be released as soon as possible.
Once the release is available, all Struts 2 users are strongly
recommended to update their installations.
* Until the release is available, all Struts 2 users are strongly
recommended to apply the mitigation described [1] *
Please follow the Apache Struts announcement channels [2][3][4][5] to
stay updated regarding the upcoming security release. Most likely the
release will be available within the next 72 hours. Please prepare for
upgrading all Struts 2 based production systems to the new release
version once available.
- The Apache Struts Team.
[1] http://struts.apache.org/announce.html#a20140424
[2] http://struts.apache.org/mail.html
[3] http://struts.apache.org/announce.html
[4] https://plus.google.com/+ApacheStruts/posts
[5] https://twitter.com/TheApacheStruts
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org