The Xwork issue is this one : http://jira.opensymphony.com/browse/XW-649
They have not fixed it yet ... Can someone fix it with the changes described below on the method private static void parseValidators() { ...} of the class com.opensymphony.xwork2.validator.ValidatorFactory? And then recompile the source and send me the newly compiled xwork-2.0.4.jar?

By the way, I saw that they turned it into an interface in the latest version: http://svn.opensymphony.com/svn/xwork/trunk/src/java/com/opensymphony/xwork2/validator/ValidatorFactory.java

Thanks for your help.

--- On Thu, 9/11/08, Musachy Barroso <[EMAIL PROTECTED]> wrote:

From: Musachy Barroso <[EMAIL PROTECTED]>
Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
To: "Struts Users Mailing List" <user@struts.apache.org>, [EMAIL PROTECTED]
Date: Thursday, September 11, 2008, 7:54 AM

A fix in the code I meant: https://issues.apache.org/struts/browse/WW-2653 . Grabbing the latest xwork from trunk or release branch and building it should fix your problem.

On Thu, Sep 11, 2008 at 10:49 AM, Bobby Mitch <[EMAIL PROTECTED]> wrote:

What exactly is the fix for this problem then?
Thanks

--- On Thu, 9/11/08, Musachy Barroso <[EMAIL PROTECTED]> wrote:

From: Musachy Barroso <[EMAIL PROTECTED]>
Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
To: "Struts Users Mailing List" <user@struts.apache.org>
Date: Thursday, September 11, 2008, 6:03 AM

The fix in this case is known.

musachy

On Wed, Sep 10, 2008 at 9:30 PM, Struts Two <[EMAIL PROTECTED]> wrote:
> Do not give up, the game is not still over ..... (you can still do sth
> about it)
>
> As an alternative, you can import the source code of xwork into ur
> workspace and remove xwork the jar file, run your code in debug mode, find
> the culprit, fix it. Then you can replace the class file in xwork jar file
> with the one fixed. That is what I usually do on the last resort, and it is
> guaranteed to work.
>
> ----- Original Message ----
> From: Bobby Mitch <[EMAIL PROTECTED]>
> To: Struts Users Mailing List <user@struts.apache.org>
> Sent: Wednesday, September 10, 2008 5:01:14 PM
> Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
>
> Thanks.
> Applying the workaround with Struts 2.0.11.1 and XWork 2.0.4, and
> modifying struts.xml by adding the interceptor-ref tag does not work:
>
> 22:58:02,671 ERROR [[default]] Servlet.service() for servlet default threw exception
> java.lang.IllegalArgumentException: URI scheme is not "file"
>     at java.io.File.<init>(Unknown Source)
>     at com.opensymphony.xwork2.validator.ValidatorFactory.parseValidators(ValidatorFactory.java:314)
>     at com.opensymphony.xwork2.validator.ValidatorFactory.<clinit>(ValidatorFactory.java:224)
>     at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processRequiredFieldValidatorAnnotation(AnnotationValidationConfigurationBuilder.java:575)
>     at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processAnnotations(AnnotationValidationConfigurationBuilder.java:149)
>     at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.buildAnnotationClassValidatorConfigs(AnnotationValidationConfigurationBuilder.java:783)
>     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildClassValidatorConfigs(AnnotationActionValidatorManager.java:254)
>     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildValidatorConfigs(AnnotationActionValidatorManager.java:340)
>     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.getValidators(AnnotationActionValidatorManager.java:69)
>     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:138)
>     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:113)
>     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:100)
>     at com.opensymphony.xwork2.validator.ValidationInterceptor.doBeforeInvocation(ValidationInterceptor.java:142)
>     at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:148)
>     at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:48)
>     at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
>     at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
>     at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
>     at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
>     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
>
> I guess it is game over until a new working release comes out ....
>
> --- On Wed, 9/10/08, Struts Two <[EMAIL PROTECTED]> wrote:
> From: Struts Two <[EMAIL PROTECTED]>
> Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
> To: "Struts Users Mailing List" <user@struts.apache.org>
> Date: Wednesday, September 10, 2008, 9:09 AM
>
> I believe the issue should be fixed on 2.1.2 (for Websphere at least), but it
> still remains an issue for Struts 2.0.11.2 (for Websphere users). See the email
> below:
>
> ----- Original Message ----
> From: Rene Gielen <[EMAIL PROTECTED]>
> To: Struts Users Mailing List <user@struts.apache.org>
> Sent: Wednesday, July 16, 2008 2:40:38 AM
> Subject: [ANN] Struts 2.0.11.2 General Availability Release with Important Security Fix
>
> Apache Struts 2.0.11.2 is now available from
> <http://struts.apache.org/download.cgi#struts20112>.
> This release is a fast track security fix release, including a security
> fixed version 2.0.5 of XWork, which corrects a serious vulnerability in
> ParametersInterceptor allowing malicious users to remotely change server
> side context objects. For more information about the exploit, visit our
> security bulletins page at
> <http://struts.apache.org/2.0.11.2/docs/s2-003.html>.
>
> IMPORTANT ADDITIONAL NOTES:
>
> There are two known issues with this release:
>
> 1. the integrated XWork 2.0.5 jar may cause problems when used in a
>    combination of WebSphere 6.1 runtime environments with validation
>    configuration via XML files.
>    Possible Workarounds:
>    - use annotation based validation definition instead of XML based
>    - stay with Struts 2.0.11.1 including XWork 2.0.4, applying the
>      following exclude rule to your parameter interceptor refs in
>      struts.xml
>      <interceptor-ref name="params">
>          <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
>      </interceptor-ref>
>
> 2. the filtering mechanism implemented in XWork's ParametersInterceptor
>    to fix the described security issue does not completely avoid any
>    possible malicious parameter name.
>    Possible Workaround:
>    - apply the following exclude rule to your parameter interceptor refs in
>      struts.xml to avoid the usage of backslash characters in parameter
>      names
>      <interceptor-ref name="params">
>          <param name="excludeParams">.*\\.*</param>
>      </interceptor-ref>
>
> Both issues will be addressed in a soon upcoming XWork 2.0.6 release,
> followed by a new Struts 2.0 GA release including this new XWork version.
>
> * All developers are advised to either update Struts 2 applications to
> Struts 2.0.11.2 or manually exchange usages of xwork-2.0.x.jar with the
> fixed xwork-2.0.5.jar to prevent remotely induced context manipulations.
>
> For the complete release notes for Struts 2.0.11.2, see
> <http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html>.
>
> - The Apache Struts Team.
--
"Hey you! Would you help me to carry the stone?" Pink Floyd
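
The stack trace in this thread ends in java.io.File.<init> rejecting a URI whose scheme is not "file". The following Java example is added here (it is not XWork's code and not the change tracked in XW-649 or WW-2653); it reproduces that failure on constructed URIs and shows a scheme check placed before the conversion. The class name, method names and sample URIs are assumptions made for illustration.

```java
import java.io.File;
import java.net.URI;
import java.util.Arrays;
import java.util.List;

public class ResourceUriGuard {

    /**
     * Returns a File only when the URI really names a local file;
     * returns null for anything java.io.File(URI) would reject.
     */
    static File toLocalFile(URI uri) {
        if (!"file".equalsIgnoreCase(uri.getScheme())) {
            return null; // jar:, container-specific schemes, relative URIs
        }
        try {
            return new File(uri);
        } catch (IllegalArgumentException e) {
            return null; // file: URI carrying an authority, query or fragment
        }
    }

    /** Calls new File(uri) directly and reports the outcome as text. */
    static String unguarded(URI uri) {
        try {
            return "ok: " + new File(uri).getPath();
        } catch (IllegalArgumentException e) {
            return "IllegalArgumentException: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample locations, not taken from the thread.
        List<URI> samples = Arrays.asList(
            URI.create("file:/opt/app/WEB-INF/classes/validators.xml"),
            URI.create("jar:file:/opt/app/WEB-INF/lib/example.jar!/validators.xml"),
            URI.create("vfszip:/opt/app/deploy/example.war/WEB-INF/lib/example.jar"));
        for (URI uri : samples) {
            File f = toLocalFile(uri);
            System.out.println(uri);
            System.out.println("  unguarded: " + unguarded(uri));
            System.out.println("  guarded:   "
                + (f != null ? "local file " + f.getPath()
                             : "not a local file, load it as a stream instead"));
        }
    }
}
```

Only the first sample converts; the opaque jar: URI and the constructed vfszip: URI are rejected by the unguarded call, the latter with the same message as in the trace.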