You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@struts.apache.org by lu...@apache.org on 2016/05/31 12:41:54 UTC
svn commit: r989636 [1/2] - /websites/production/struts/content/docs/
Author: lukaszlenart
Date: Tue May 31 12:41:53 2016
New Revision: 989636
Log:
Updates production
Added:
websites/production/struts/content/docs/s2-033.html
websites/production/struts/content/docs/s2-034.html
Modified:
websites/production/struts/content/docs/actionmapper.html
websites/production/struts/content/docs/div.html
websites/production/struts/content/docs/email-validator.html
websites/production/struts/content/docs/file-upload.html
websites/production/struts/content/docs/form-tags.html
websites/production/struts/content/docs/freemarker.html
websites/production/struts/content/docs/interceptors.html
websites/production/struts/content/docs/localization.html
websites/production/struts/content/docs/result-configuration.html
websites/production/struts/content/docs/s2-027.html
websites/production/struts/content/docs/security-bulletins.html
websites/production/struts/content/docs/security.html
websites/production/struts/content/docs/struts-defaultxml.html
websites/production/struts/content/docs/type-conversion.html
websites/production/struts/content/docs/validation.html
websites/production/struts/content/docs/version-notes-25.html
websites/production/struts/content/docs/xhtml-theme.html
Modified: websites/production/struts/content/docs/actionmapper.html
==============================================================================
--- websites/production/struts/content/docs/actionmapper.html (original)
+++ websites/production/struts/content/docs/actionmapper.html Tue May 31 12:41:53 2016
@@ -139,11 +139,11 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1453884194236 {padding: 0px;}
-div.rbtoc1453884194236 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1453884194236 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698209808 {padding: 0px;}
+div.rbtoc1464698209808 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698209808 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1453884194236">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698209808">
<ul class="toc-indentation"><li><a shape="rect" href="#ActionMapper-Description">Description</a></li><li><a shape="rect" href="#ActionMapper-DefaultActionMapper">DefaultActionMapper</a>
<ul class="toc-indentation"><li><a shape="rect" href="#ActionMapper-Methodprefix">Method prefix</a></li><li><a shape="rect" href="#ActionMapper-Actionprefix">Action prefix</a></li></ul>
</li><li><a shape="rect" href="#ActionMapper-CustomActionMapper">Custom ActionMapper</a></li><li><a shape="rect" href="#ActionMapper-CompositeActionMapper">CompositeActionMapper</a></li><li><a shape="rect" href="#ActionMapper-PrefixBasedActionMapper">PrefixBasedActionMapper</a></li><li><a shape="rect" href="#ActionMapper-ActionMapperandActionMappingobjects">ActionMapper and ActionMapping objects</a>
Modified: websites/production/struts/content/docs/div.html
==============================================================================
--- websites/production/struts/content/docs/div.html (original)
+++ websites/production/struts/content/docs/div.html Tue May 31 12:41:53 2016
@@ -140,7 +140,7 @@ under the License.
<div class="wiki-content">
<div id="ConfluenceContent"><h2 id="div-Description">Description</h2>
-<p>Creates an HTML <div></p>
+<div class="error"><span class="error">Error formatting macro: snippet: java.lang.IndexOutOfBoundsException: Index: 20, Size: 20</span> </div>
<div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body">
<p>While this tag can be used with the <a shape="rect" href="simple-theme.html">simple theme</a>, <a shape="rect" href="xhtml-theme.html">xhtml theme</a>, and others, it is really designed to work best with the <a shape="rect" href="ajax-theme.html">ajax theme</a>. We recommend reading the <a shape="rect" href="ajax-div-template.html">ajax div template</a> documentation for more details.</p></div></div>
Modified: websites/production/struts/content/docs/email-validator.html
==============================================================================
--- websites/production/struts/content/docs/email-validator.html (original)
+++ websites/production/struts/content/docs/email-validator.html Tue May 31 12:41:53 2016
@@ -144,7 +144,7 @@ under the License.
<p>The regular expression used to validate that the string is an email address is:</p>
<p></p><pre>
-\\b^['_a-z0-9-\\+]<span style="text-decoration: underline; ">(\\.['_a-z0-9-\\+]</span>)<strong>@[a-z0-9-]<span style="text-decoration: underline; ">(\\.[a-z0-9-]</span>)</strong>\\.([a-z]{2}|aero|arpa|asia|biz|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|nato|net|org|pro|tel|travel|xxx)$\\b
+\\b^['_a-z0-9-\\+]<span style="text-decoration: underline; ">(\\.['_a-z0-9-\\+]</span>)<strong>@[a-z0-9-]<span style="text-decoration: underline; ">(\\.[a-z0-9-]</span>)</strong>\\.([a-z]{2}|aero|arpa|asia|biz|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|nato|net|org|pro|tel|travel|xxx|tech|cat)$\\b
</pre>
<p>You can also specify expression, caseSensitive and trim params as a OGNL expression, see the example below.</p>
Modified: websites/production/struts/content/docs/file-upload.html
==============================================================================
--- websites/production/struts/content/docs/file-upload.html (original)
+++ websites/production/struts/content/docs/file-upload.html Tue May 31 12:41:53 2016
@@ -139,11 +139,11 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><p>The Struts 2 framework provides built-in support for processing file uploads that conform to <a shape="rect" class="external-link" href="http://www.ietf.org/rfc/rfc1867.txt" rel="nofollow">RFC 1867</a>, "Form-based File Upload in HTML". When correctly configured the framework will pass uploaded file(s) into your Action class. Support for individual and multiple file uploads are provided. When a file is uploaded it will typically be stored in a temporary directory. Uploaded files should be processed or moved by your Action class to ensure the data is not lost. Be aware that servers may have a security policy in place that prohibits you from writing to directories other than the temporary directory and the directories that belong to your web application.</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1457693898117 {padding: 0px;}
-div.rbtoc1457693898117 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1457693898117 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698383595 {padding: 0px;}
+div.rbtoc1464698383595 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698383595 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1457693898117">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698383595">
<ul class="toc-indentation"><li><a shape="rect" href="#FileUpload-Dependencies">Dependencies</a></li><li><a shape="rect" href="#FileUpload-BasicUsage">Basic Usage</a></li><li><a shape="rect" href="#FileUpload-UploadingMultipleFiles">Uploading Multiple Files</a>
<ul class="toc-indentation"><li><a shape="rect" href="#FileUpload-UploadingMultipleFilesusingArrays">Uploading Multiple Files using Arrays</a></li><li><a shape="rect" href="#FileUpload-UploadingMultipleFilesusingLists">Uploading Multiple Files using Lists</a></li></ul>
</li><li><a shape="rect" href="#FileUpload-AdvancedConfiguration">Advanced Configuration</a>
Modified: websites/production/struts/content/docs/form-tags.html
==============================================================================
--- websites/production/struts/content/docs/form-tags.html (original)
+++ websites/production/struts/content/docs/form-tags.html Tue May 31 12:41:53 2016
@@ -148,7 +148,7 @@ under the License.
<h2 id="FormTags-TooltipRelatedAttributes">Tooltip Related Attributes</h2>
<p><table border="1" summary=""><tr><td colspan="1" rowspan="1">Attribute</td><td colspan="1" rowspan="1">Data Type</td><td colspan="1" rowspan="1">Default</td><td colspan="1" rowspan="1">Description</td></tr><tr><td colspan="1" rowspan="1">tooltip</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">none</td><td colspan="1" rowspan="1">Set the tooltip of this particular component</td></tr><tr><td colspan="1" rowspan="1">jsTooltipEnabled</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">false</td><td colspan="1" rowspan="1">Enable js tooltip rendering</td></tr><tr><td colspan="1" rowspan="1">tooltipIcon</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">/struts/static/tooltip/tooltip.gif</td><td colspan="1" rowspan="1">The url to the tooltip icon</td></tr><tr><td colspan="1" rowspan="1">tooltipDelay</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">500</td><td colspan="1" rowspan="1">Tooltip shows up aft
er the specified timeout (miliseconds). A behavior similar to that of OS based tooltips.</td></tr><tr><td colspan="1" rowspan="1">key</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">The name of the property this input field represents. This will auto populate the name, label, and value</td></tr></table></p>
<h2 id="FormTags-GeneralAttributes">General Attributes</h2>
-<p><table border="1" summary=""><thead><tr><td colspan="1" rowspan="1">Attribute</td><td colspan="1" rowspan="1">Theme</td><td colspan="1" rowspan="1">Data Types</td><td colspan="1" rowspan="1">Description</td></tr></thead><tbody><tr><td colspan="1" rowspan="1">cssClass</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define html class attribute</td></tr><tr><td colspan="1" rowspan="1">cssStyle</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define html style attribute</td></tr><tr><td colspan="1" rowspan="1">cssClass</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">error class attribute</td></tr><tr><td colspan="1" rowspan="1">cssStyle</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">error style attribute</td></tr><tr><td colspan="1" rowspan
="1">title</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define html title attribute</td></tr><tr><td colspan="1" rowspan="1">disabled</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define html disabled attribute</td></tr><tr><td colspan="1" rowspan="1">label</td><td colspan="1" rowspan="1">xhtml</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define label of form element</td></tr><tr><td colspan="1" rowspan="1">labelPosition</td><td colspan="1" rowspan="1">xhtml</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define label position of form element (top/left), default to left</td></tr><tr><td colspan="1" rowspan="1">requiredPosition</td><td colspan="1" rowspan="1">xhtml</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define required label position of form element (left/right), default to rig
ht</td></tr><tr><td colspan="1" rowspan="1">errorPosition</td><td colspan="1" rowspan="1">xhtml</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define error position of form element (top|bottom), default to top</td></tr><tr><td colspan="1" rowspan="1">name</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">Form Element's field name mapping</td></tr><tr><td colspan="1" rowspan="1">required</td><td colspan="1" rowspan="1">xhtml</td><td colspan="1" rowspan="1">Boolean</td><td colspan="1" rowspan="1">add * to label (true to add false otherwise)</td></tr><tr><td colspan="1" rowspan="1">tabIndex</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define html tabindex attribute</td></tr><tr><td colspan="1" rowspan="1">value</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">Object</td><td colspan="1" rowspan="1">define value of form
element</td></tr></tbody></table></p>
+<p><table border="1" summary=""><thead><tr><td colspan="1" rowspan="1">Attribute</td><td colspan="1" rowspan="1">Theme</td><td colspan="1" rowspan="1">Data Types</td><td colspan="1" rowspan="1">Description</td></tr></thead><tbody><tr><td colspan="1" rowspan="1">cssClass</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define html class attribute</td></tr><tr><td colspan="1" rowspan="1">cssStyle</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define html style attribute</td></tr><tr><td colspan="1" rowspan="1">cssErrorClass</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">error class attribute</td></tr><tr><td colspan="1" rowspan="1">cssErrorStyle</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">error style attribute</td></tr><tr><td colspan="
1" rowspan="1">title</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define html title attribute</td></tr><tr><td colspan="1" rowspan="1">disabled</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define html disabled attribute</td></tr><tr><td colspan="1" rowspan="1">label</td><td colspan="1" rowspan="1">xhtml</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define label of form element</td></tr><tr><td colspan="1" rowspan="1">labelPosition</td><td colspan="1" rowspan="1">xhtml</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define label position of form element (top/left), default to left</td></tr><tr><td colspan="1" rowspan="1">requiredPosition</td><td colspan="1" rowspan="1">xhtml</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define required label position of form element (left/right), defa
ult to right</td></tr><tr><td colspan="1" rowspan="1">errorPosition</td><td colspan="1" rowspan="1">xhtml</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define error position of form element (top|bottom), default to top</td></tr><tr><td colspan="1" rowspan="1">name</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">Form Element's field name mapping</td></tr><tr><td colspan="1" rowspan="1">requiredLabel</td><td colspan="1" rowspan="1">xhtml</td><td colspan="1" rowspan="1">Boolean</td><td colspan="1" rowspan="1">add * to label (true to add false otherwise)</td></tr><tr><td colspan="1" rowspan="1">tabIndex</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">String</td><td colspan="1" rowspan="1">define html tabindex attribute</td></tr><tr><td colspan="1" rowspan="1">value</td><td colspan="1" rowspan="1">simple</td><td colspan="1" rowspan="1">Object</td><td colspan="1" rowspan="1">defin
e value of form element</td></tr></tbody></table></p>
<div class="confluence-information-macro confluence-information-macro-note"><p class="title">When some attributes don't apply</p><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Some tag attributes may not be utilized by all, or any, of the templates. For example, the form tag supports the <code>tabindex</code> attribute, but none of the themes render the <code>tabindex</code>.</p></div></div><h2 id="FormTags-Value/NameRelationship">Value/Name Relationship</h2><p>In many of the tags (except for the form tag) there is a unique relationship between the <code>name</code> and <code>value</code> attributes. The <code>name</code> attribute provides the name for the tag, which in turn is used as the control attribute when the form is submitted. The value submitted is bound to the <code>name</code>. In most cases, the <code>name</code> maps to a simple JavaBean property, such as "postalCode"
. On a submit, the value would be set to the property by calling the <code>setPostalCode</code> mutator.</p><p>Likewise, a form control could be populated by calling a JavaBean accessor, like <code>getPostalCode</code>. In the expression language, we can refer to the JavaBean property by name. An expression like "%{postalCode}" would in turn call <code>getPostalCode</code>.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Using Expressions to populate a form for editing</b></div><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><@s.form action="updateAddress">
<@s.textfield label="Postal Code" name="postalCode" value="%{postalCode}"/>
Modified: websites/production/struts/content/docs/freemarker.html
==============================================================================
--- websites/production/struts/content/docs/freemarker.html (original)
+++ websites/production/struts/content/docs/freemarker.html Tue May 31 12:41:53 2016
@@ -139,11 +139,11 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1453884162352 {padding: 0px;}
-div.rbtoc1453884162352 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1453884162352 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698178092 {padding: 0px;}
+div.rbtoc1464698178092 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698178092 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1453884162352">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698178092">
<ul class="toc-indentation"><li><a shape="rect" href="#FreeMarker-GettingStarted">Getting Started</a></li><li><a shape="rect" href="#FreeMarker-Servlet/JSPScopedObjects">Servlet / JSP Scoped Objects</a>
<ul class="toc-indentation"><li><a shape="rect" href="#FreeMarker-ApplicationScopeAttribute">Application Scope Attribute</a></li><li><a shape="rect" href="#FreeMarker-SessionScopeAttribute">Session Scope Attribute</a></li><li><a shape="rect" href="#FreeMarker-RequestScopeAttribute">Request Scope Attribute</a></li><li><a shape="rect" href="#FreeMarker-RequestParameter">Request Parameter</a></li><li><a shape="rect" href="#FreeMarker-Contextparameter">Context parameter</a></li></ul>
</li><li><a shape="rect" href="#FreeMarker-TemplateLoading">Template Loading</a></li><li><a shape="rect" href="#FreeMarker-VariableResolution">Variable Resolution</a></li><li><a shape="rect" href="#FreeMarker-TagSupport">Tag Support</a></li><li><a shape="rect" href="#FreeMarker-TipsandTricks">Tips and Tricks</a>
Modified: websites/production/struts/content/docs/interceptors.html
==============================================================================
--- websites/production/struts/content/docs/interceptors.html (original)
+++ websites/production/struts/content/docs/interceptors.html Tue May 31 12:41:53 2016
@@ -139,11 +139,11 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><div class="confluence-information-macro confluence-information-macro-tip"><span class="aui-icon aui-icon-small aui-iconfont-approve confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The default Interceptor stack is designed to serve the needs of most applications. Most applications will <strong>not</strong> need to add Interceptors or change the Interceptor stack.</p></div></div><p>Many Actions share common concerns. Some Actions need input validated. Other Actions may need a file upload to be pre-processed. Another Action might need protection from a double submit. Many Actions need drop-down lists and other controls pre-populated before the page displays.</p><p>The framework makes it easy to share solutions to these concerns using an "Interceptor" strategy. When you request a resource that maps to an "action", the framework invokes the Action object. But, before the Action is executed, the invocatio
n can be intercepted by another object. After the Action executes, the invocation could be intercepted again. Unsurprisingly, we call these objects "Interceptors."</p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1453884069963 {padding: 0px;}
-div.rbtoc1453884069963 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1453884069963 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698104770 {padding: 0px;}
+div.rbtoc1464698104770 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698104770 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1453884069963">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698104770">
<ul class="toc-indentation"><li><a shape="rect" href="#Interceptors-UnderstandingInterceptors">Understanding Interceptors</a></li><li><a shape="rect" href="#Interceptors-ConfiguringInterceptors">Configuring Interceptors</a></li><li><a shape="rect" href="#Interceptors-StackingInterceptors">Stacking Interceptors</a>
<ul class="toc-indentation"><li><a shape="rect" href="#Interceptors-TheDefaultConfiguration">The Default Configuration</a></li></ul>
</li><li><a shape="rect" href="#Interceptors-FrameworkInterceptors">Framework Interceptors</a>
@@ -229,14 +229,28 @@ div.rbtoc1453884069963 li {margin-left:
<struts>
<constant name="struts.excludedClasses"
- value="com.opensymphony.xwork2.ActionContext" />
+ value="
+ java.lang.Object,
+ java.lang.Runtime,
+ java.lang.System,
+ java.lang.Class,
+ java.lang.ClassLoader,
+ java.lang.Shutdown,
+ java.lang.ProcessBuilder,
+ ognl.OgnlContext,
+ ognl.ClassResolver,
+ ognl.TypeConverter,
+ ognl.MemberAccess,
+ ognl.DefaultMemberAccess,
+ com.opensymphony.xwork2.ognl.SecurityMemberAccess,
+ com.opensymphony.xwork2.ActionContext" />
<!-- this must be valid regex, each '.' in package name must be escaped! -->
<!-- it's more flexible but slower than simple string comparison -->
<!-- constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" / -->
<!-- this is simpler version of the above used with string comparison -->
- <constant name="struts.excludedPackageNames" value="java.lang,ognl,javax" />
+ <constant name="struts.excludedPackageNames" value="java.lang.,ognl,javax" />
<bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
<bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" class="org.apache.struts2.factory.StrutsResultFactory" />
Modified: websites/production/struts/content/docs/localization.html
==============================================================================
--- websites/production/struts/content/docs/localization.html (original)
+++ websites/production/struts/content/docs/localization.html Tue May 31 12:41:53 2016
@@ -139,11 +139,11 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1453884138831 {padding: 0px;}
-div.rbtoc1453884138831 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1453884138831 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698162642 {padding: 0px;}
+div.rbtoc1464698162642 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698162642 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1453884138831">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698162642">
<ul class="toc-indentation"><li><a shape="rect" href="#Localization-Overview">Overview</a></li><li><a shape="rect" href="#Localization-ResourceBundleSearchOrder">Resource Bundle Search Order</a>
<ul class="toc-indentation"><li><a shape="rect" href="#Localization-Defaultaction'sclass">Default action's class</a></li><li><a shape="rect" href="#Localization-UsinggetTextfromaTag">Using getText from a Tag</a></li><li><a shape="rect" href="#Localization-Usingthetexttag">Using the text tag</a></li><li><a shape="rect" href="#Localization-UsingtheI18ntag">Using the I18n tag</a></li><li><a shape="rect" href="#Localization-UsingtheKeyattributeofUITags">Using the Key attribute of UI Tags</a></li></ul>
</li><li><a shape="rect" href="#Localization-I18nInterceptor">I18n Interceptor</a></li><li><a shape="rect" href="#Localization-GlobalResources(struts.custom.i18n.resources)instruts.properties">Global Resources (struts.custom.i18n.resources) in struts.properties</a></li><li><a shape="rect" href="#Localization-FormattingDatesandNumbers">Formatting Dates and Numbers</a></li><li><a shape="rect" href="#Localization-ComparisonwithStruts1">Comparison with Struts 1</a></li><li><a shape="rect" href="#Localization-Next:">Next: Type Conversion</a></li></ul>
Modified: websites/production/struts/content/docs/result-configuration.html
==============================================================================
--- websites/production/struts/content/docs/result-configuration.html (original)
+++ websites/production/struts/content/docs/result-configuration.html Tue May 31 12:41:53 2016
@@ -139,11 +139,11 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1457693886833 {padding: 0px;}
-div.rbtoc1457693886833 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1457693886833 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698203092 {padding: 0px;}
+div.rbtoc1464698203092 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698203092 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1457693886833">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698203092">
<ul class="toc-indentation"><li><a shape="rect" href="#ResultConfiguration-ResultElements">Result Elements</a>
<ul class="toc-indentation"><li><a shape="rect" href="#ResultConfiguration-IntelligentDefaults">Intelligent Defaults</a></li><li><a shape="rect" href="#ResultConfiguration-Multiplenames">Multiple names</a></li></ul>
</li><li><a shape="rect" href="#ResultConfiguration-GlobalResults">Global Results</a></li><li><a shape="rect" href="#ResultConfiguration-DynamicResults">Dynamic Results</a></li><li><a shape="rect" href="#ResultConfiguration-ReturningResultObjects">Returning Result Objects</a></li></ul>
@@ -155,12 +155,10 @@ String INPUT = "input";
String LOGIN = "login";
</pre>
</div></div><p>Of course, applications can define other result tokens to match specific cases.</p><p><img class="emoticon emoticon-information" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/information.png" data-emoticon-name="information" alt="(info)"> Returning <code><a shape="rect" class="external-link" href="http://struts.apache.org/2.x/struts2-core/apidocs/com/opensymphony/xwork2/Action.html#NONE">ActionSupport.NONE</a></code> (or <code>null</code>) from an <a shape="rect" href="action.html">action</a> class method causes the results processing to be skipped. This is useful if the action fully handles the result processing such as writing directly to the HttpServletResponse OutputStream.</p><h2 id="ResultConfiguration-ResultElements">Result Elements</h2><p>The result element has two jobs. First, it provides a logical name. An <code>Action</code> can pass back a token like "success" or "error" without kn
owing any other implementation details. Second, the result element provides a result type. Most results simply forward to a server page or template, but other <a shape="rect" href="result-types.html">Result Types</a> can be used to do more interesting things.</p><h3 id="ResultConfiguration-IntelligentDefaults">Intelligent Defaults</h3><p>Each package may set a default result type to be used if none is specified in a result element. If one package extends another, the "child" package can set its own default result, or inherit one from the parent.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Setting a default Result Type</b></div><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">public Result runAction() {
- ServletDispatcherResult result = new ServletDispatcherResult();
- result.setLocation("input-form.jsp");
- return result;
-}
-</pre>
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"><result-types>
+ <result-type name="dispatcher" default="true"
+ class="org.apache.struts2.dispatcher.ServletDispatcherResult" />
+</result-types></pre>
</div></div><p>If a <code>type</code> attribute is not specified, the framework will use the default <code>dispatcher</code> type, which forwards to another web resource. If the resource is a JavaServer Page, then the container will render it, using its JSP engine.</p><p>Likewise if the <code>name</code> attribute is not specified, the framework will give it the name "success".</p><p>Using these intelligent defaults, the most often used result types also become the simplest.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Result element without defaults</b></div><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><result name="success" type="dispatcher">
<param name="location">/ThankYou.jsp</param>
Modified: websites/production/struts/content/docs/s2-027.html
==============================================================================
--- websites/production/struts/content/docs/s2-027.html (original)
+++ websites/production/struts/content/docs/s2-027.html Tue May 31 12:41:53 2016
@@ -125,7 +125,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h2 id="S2-027-Summary">Summary</h2><code>TextParseUtil.translateVariables</code> does not filter malicious OGNL expressions<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Remote Code Execution, when unsanitized user input is passed to the method by a developer</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Don't pass unsanitized input to the said method or ActionSupport's
getText methods. An upgrade to <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts23241">Struts 2.3.24.1</a> is recommended.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.16.3</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Huawei PSIRT Team</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">-</span></p></td></tr></tbody></table></div><h2 id="S2-027-Problem">Problem</h2><p><code>TextParseUtil.translateVariables</code><span> evaluates a given String with OGNL. Before Struts 2.3.20, a specially crafted String incorporating ANTLR tooling can, when passed to sa
id method, cause a remote code execution.</span></p><p><span>The Struts 2 framework does not pass any user modifiable input to this method, neither directly nor indirectly. However, a developer crafting a Struts based web application might pass unsanitized user input to <span>TextParseUtil.translateVariables</span> or ActionSupport's getText methods. In that case a RCE exploitation might be possible.</span></p><h2 id="S2-027-Solution">Solution</h2><ul><li>don't pass unsanitized user input to framework methods that include OGNL expression evaluation</li><li>upgrade to Struts 2.3.24.1. Since Struts 2.3.20 advanced filtering was applied to this and similar methods involving OGNL evaluation.</li></ul><p> </p></div>
+ <div id="ConfluenceContent"><h2 id="S2-027-Summary">Summary</h2><code>TextParseUtil.translateVariables</code> does not filter malicious OGNL expressions<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Remote Code Execution, when unsanitized user input is passed to the method by a developer</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Don't pass unsanitized input to the said method or ActionSupport's
getText methods. An upgrade to <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts23241">Struts 2.3.24.1</a> is recommended.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.16.3</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Huawei PSIRT Team</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-3090</p></td></tr></tbody></table></div><h2 id="S2-027-Problem">Problem</h2><p><code>TextParseUtil.translateVariables</code><span> evaluates a given String with OGNL. Before Struts 2.3.20, a specially crafted String incorporating ANTLR tooling can, when passed to said method, cause a remote code
execution.</span></p><p><span>The Struts 2 framework does not pass any user modifiable input to this method, neither directly nor indirectly. However, a developer crafting a Struts based web application might pass unsanitized user input to <span>TextParseUtil.translateVariables</span> or ActionSupport's getText methods. In that case a RCE exploitation might be possible.</span></p><h2 id="S2-027-Solution">Solution</h2><ul><li>don't pass unsanitized user input to framework methods that include OGNL expression evaluation</li><li>upgrade to Struts 2.3.24.1. Since Struts 2.3.20 advanced filtering was applied to this and similar methods involving OGNL evaluation.</li></ul><p> </p></div>
</div>
Added: websites/production/struts/content/docs/s2-033.html
==============================================================================
--- websites/production/struts/content/docs/s2-033.html (added)
+++ websites/production/struts/content/docs/s2-033.html Tue May 31 12:41:53 2016
@@ -0,0 +1,138 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html>
+<head>
+ <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+ <style type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </style>
+ <style type="text/css">
+ .footer {
+ background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </style>
+ <script type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </script>
+ <title>S2-033</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+ <tr class="topBar">
+ <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+ <a href="home.html">Home</a> > <a href="security-bulletins.html">Security Bulletins</a> > <a href="s2-033.html">S2-033</a>
+ </td>
+ <td align="right" valign="middle" nowrap>
+ <form name="search" action="https://www.google.com/search" method="get">
+ <input type="hidden" name="ie" value="UTF-8" />
+ <input type="hidden" name="oe" value="UTF-8" />
+ <input type="hidden" name="domains" value="" />
+ <input type="hidden" name="sitesearch" value="" />
+ <input type="text" name="q" maxlength="255" value="" />
+ <input type="submit" name="btnG" value="Google Search" />
+ </form>
+ </td>
+ </tr>
+</table>
+
+<div id="PageContent">
+ <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+ <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+ <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-033</div>
+
+ <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62696555">
+ <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62696555">Edit Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62696555">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62696555">Add Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62696555">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62696555">Add News</a>
+ </div>
+ </div>
+
+ <div class="pagecontent">
+ <div class="wiki-content">
+ <div id="ConfluenceContent"><h2 id="S2-033-Summary">Summary</h2>Remote Code Execution can be performed when using REST Plugin with <code>!</code> operator when Dynamic Method Invocation is enabled.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Disable Dynamic Method Invocation if possible. Alternatively upgrade
to <a shape="rect" href="version-notes-23203.html">Struts 2.3.20.3</a><span>, <a shape="rect" href="version-notes-23243.html">Struts 2.3.24.3</a><span> </span><span>or </span></span><a shape="rect" href="version-notes-2328.html">Struts 2.3.28.1</a>.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.20 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span>Alvaro </span>Munoz alvaro dot munoz at hpe dot com</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-3087</p></td></tr></tbody></table></div><h2 id="S2-033-Problem">Problem</h2><p>It is possible to pass a malicious expression which
can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled when using the REST Plugin.</p><h2 id="S2-033-Solution">Solution</h2><p>Disable Dynamic Method Invocation when possible or upgrade to Apache Struts versions 2.3.20.3, 2.3.24.3 or 2.3.28.1.</p><h2 id="S2-033-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.20.3, 2.3.24.3 and 2.3.28.1</p><h2 id="S2-033-Workaround">Workaround</h2><p>Disable Dynamic Method Invocation or implement your own version of <code>RestActionMapper</code>.</p></div>
+ </div>
+
+
+ </div>
+</div>
+<div class="footer">
+ Generated by CXF SiteExporter
+</div>
+</body>
+</html>
Added: websites/production/struts/content/docs/s2-034.html
==============================================================================
--- websites/production/struts/content/docs/s2-034.html (added)
+++ websites/production/struts/content/docs/s2-034.html Tue May 31 12:41:53 2016
@@ -0,0 +1,138 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html>
+<head>
+ <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+ <style type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </style>
+ <style type="text/css">
+ .footer {
+ background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </style>
+ <script type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </script>
+ <title>S2-034</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+ <tr class="topBar">
+ <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+ <a href="home.html">Home</a> > <a href="security-bulletins.html">Security Bulletins</a> > <a href="s2-034.html">S2-034</a>
+ </td>
+ <td align="right" valign="middle" nowrap>
+ <form name="search" action="https://www.google.com/search" method="get">
+ <input type="hidden" name="ie" value="UTF-8" />
+ <input type="hidden" name="oe" value="UTF-8" />
+ <input type="hidden" name="domains" value="" />
+ <input type="hidden" name="sitesearch" value="" />
+ <input type="text" name="q" maxlength="255" value="" />
+ <input type="submit" name="btnG" value="Google Search" />
+ </form>
+ </td>
+ </tr>
+</table>
+
+<div id="PageContent">
+ <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+ <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+ <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-034</div>
+
+ <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62697718">
+ <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62697718">Edit Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62697718">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62697718">Add Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62697718">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62697718">Add News</a>
+ </div>
+ </div>
+
+ <div class="pagecontent">
+ <div class="wiki-content">
+ <div id="ConfluenceContent"><h2 id="S2-034-Summary">Summary</h2>OGNL cache poisoning can lead to DoS vulnerability<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible DoS attack</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>This issue was resolved by publising new OGNL version, any Struts version which at least is using OGNL 3.0.12 is safe.</p></td></tr><tr><th colspan="1" rowspa
n="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts<span style="color: rgb(23,35,59);"> 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporters</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span>Tao </span>Wang wangtao12 at baidu dot com - Baidu Security Response Center</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-3093</p></td></tr></tbody></table></div><h2 id="S2-034-Problem">Problem</h2><p>The OGNL expression language used by the Apache Struts framework has inproper implementaion of cache used to store method references. It's possible to prepare a DoS attack which can block access to a web site.</p><h2 id="S2-034-Solution">Solution</h2><p>You can should upgrade OGNL at least to version 3.0.12 or by upgrading to latest Struts version.</p><h2
id="S2-034-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to OGNL or Struts.</p><h2 id="S2-034-Workaround">Workaround</h2><p>Not possible except upgrading OGNL as mentioned above.</p><p> </p></div>
+ </div>
+
+
+ </div>
+</div>
+<div class="footer">
+ Generated by CXF SiteExporter
+</div>
+</body>
+</html>
Modified: websites/production/struts/content/docs/security-bulletins.html
==============================================================================
--- websites/production/struts/content/docs/security-bulletins.html (original)
+++ websites/production/struts/content/docs/security-bulletins.html Tue May 31 12:41:53 2016
@@ -126,7 +126,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><p>The following security bulletins are available:</p>
-<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> — <span class="smalltext">Remote code exploit on form validation error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> — <span class="smalltext">Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags</span></li><li><a shape="rect" href="s2-003.html">S2-003</a> — <span class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a shape="rect" href="s2-004.html">S2-004</a> — <span class="smalltext">Directory traversal vulnerability while serving static content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> — <span class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> — <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</span></li><li><a shape="rect" hr
ef="s2-007.html">S2-007</a> — <span class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> — <span class="smalltext">Multiple critical vulnerabilities in Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> — <span class="smalltext">ParameterInterceptor vulnerability allows remote command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> — <span class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> — <span class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</span></li><li><a shape="rect" href="s2-012.html">S2-012</a> — <span class="smalltext">Showcase app vulnerability allows remote command execution</span></li>
<li><a shape="rect" href="s2-013.html">S2-013</a> — <span class="smalltext">A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution</span></li><li><a shape="rect" href="s2-014.html">S2-014</a> — <span class="smalltext">A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> — <span class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> — <span class="smalltext">A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> — <span class="sma
lltext">A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects</span></li><li><a shape="rect" href="s2-018.html">S2-018</a> — <span class="smalltext">Broken Access Control Vulnerability in Apache Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> — <span class="smalltext">Dynamic Method Invocation disabled by default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> — <span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)</span></li><li><a shape="rect" href="s2-021.html">S2-021</a> — <span class="smalltext">Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> — <span class="smalltext">Extends excluded params in CookieInt
erceptor to avoid manipulation of Struts' internals</span></li><li><a shape="rect" href="s2-023.html">S2-023</a> — <span class="smalltext">Generated value of token can be predictable</span></li><li><a shape="rect" href="s2-024.html">S2-024</a> — <span class="smalltext">Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker</span></li><li><a shape="rect" href="s2-025.html">S2-025</a> — <span class="smalltext">Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> — <span class="smalltext">Special top object can be used to access Struts' internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> — <span class="smalltext">TextParseUtil.translateVariables does not filter malicious OGNL expressions</span></li><li><a shape="rect" href="s2-028.html">S2-028</a> — <span class="smalltext">Use of a JRE with broken URLDecoder implementation may l
ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a shape="rect" href="s2-029.html">S2-029</a> — <span class="smalltext">Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.</span></li><li><a shape="rect" href="s2-030.html">S2-030</a> — <span class="smalltext">Possible XSS vulnerability in I18NInterceptor</span></li><li><a shape="rect" href="s2-031.html">S2-031</a> — <span class="smalltext">XSLTResult can be used to parse arbitrary stylesheet</span></li><li><a shape="rect" href="s2-032.html">S2-032</a> — <span class="smalltext">Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled.</span></li></ul></div>
+<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> — <span class="smalltext">Remote code exploit on form validation error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> — <span class="smalltext">Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags</span></li><li><a shape="rect" href="s2-003.html">S2-003</a> — <span class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a shape="rect" href="s2-004.html">S2-004</a> — <span class="smalltext">Directory traversal vulnerability while serving static content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> — <span class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> — <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</span></li><li><a shape="rect" hr
ef="s2-007.html">S2-007</a> — <span class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> — <span class="smalltext">Multiple critical vulnerabilities in Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> — <span class="smalltext">ParameterInterceptor vulnerability allows remote command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> — <span class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> — <span class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</span></li><li><a shape="rect" href="s2-012.html">S2-012</a> — <span class="smalltext">Showcase app vulnerability allows remote command execution</span></li>
<li><a shape="rect" href="s2-013.html">S2-013</a> — <span class="smalltext">A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution</span></li><li><a shape="rect" href="s2-014.html">S2-014</a> — <span class="smalltext">A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> — <span class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> — <span class="smalltext">A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> — <span class="sma
lltext">A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects</span></li><li><a shape="rect" href="s2-018.html">S2-018</a> — <span class="smalltext">Broken Access Control Vulnerability in Apache Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> — <span class="smalltext">Dynamic Method Invocation disabled by default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> — <span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)</span></li><li><a shape="rect" href="s2-021.html">S2-021</a> — <span class="smalltext">Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> — <span class="smalltext">Extends excluded params in CookieInt
erceptor to avoid manipulation of Struts' internals</span></li><li><a shape="rect" href="s2-023.html">S2-023</a> — <span class="smalltext">Generated value of token can be predictable</span></li><li><a shape="rect" href="s2-024.html">S2-024</a> — <span class="smalltext">Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker</span></li><li><a shape="rect" href="s2-025.html">S2-025</a> — <span class="smalltext">Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> — <span class="smalltext">Special top object can be used to access Struts' internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> — <span class="smalltext">TextParseUtil.translateVariables does not filter malicious OGNL expressions</span></li><li><a shape="rect" href="s2-028.html">S2-028</a> — <span class="smalltext">Use of a JRE with broken URLDecoder implementation may l
ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a shape="rect" href="s2-029.html">S2-029</a> — <span class="smalltext">Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.</span></li><li><a shape="rect" href="s2-030.html">S2-030</a> — <span class="smalltext">Possible XSS vulnerability in I18NInterceptor</span></li><li><a shape="rect" href="s2-031.html">S2-031</a> — <span class="smalltext">XSLTResult can be used to parse arbitrary stylesheet</span></li><li><a shape="rect" href="s2-032.html">S2-032</a> — <span class="smalltext">Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled.</span></li><li><a shape="rect" href="s2-033.html">S2-033</a> — <span class="smalltext">Remote Code Execution can be performed when using REST Plugin with ! operator when Dynamic Method Invocation is enabled.</span></li><li><a shape="rect" h
ref="s2-034.html">S2-034</a> — <span class="smalltext">OGNL cache poisoning can lead to DoS vulnerability</span></li></ul></div>
</div>
<div class="tabletitle">
@@ -141,6 +141,12 @@ under the License.
<span class="smalltext">(Apache Struts 2 Documentation)</span>
<br>
$page.link($child)
+ <span class="smalltext">(Apache Struts 2 Documentation)</span>
+ <br>
+ $page.link($child)
+ <span class="smalltext">(Apache Struts 2 Documentation)</span>
+ <br>
+ $page.link($child)
<span class="smalltext">(Apache Struts 2 Documentation)</span>
<br>
$page.link($child)
Modified: websites/production/struts/content/docs/security.html
==============================================================================
--- websites/production/struts/content/docs/security.html (original)
+++ websites/production/struts/content/docs/security.html Tue May 31 12:41:53 2016
@@ -139,13 +139,13 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1458203471142 {padding: 0px;}
-div.rbtoc1458203471142 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1458203471142 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698397043 {padding: 0px;}
+div.rbtoc1464698397043 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1464698397043 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1458203471142">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698397043">
<ul class="toc-indentation"><li><a shape="rect" href="#Security-Securitytips">Security tips</a>
-<ul class="toc-indentation"><li><a shape="rect" href="#Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config Browser</a></li><li><a shape="rect" href="#Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix different access levels in the same namespace</a></li><li><a shape="rect" href="#Security-NeverexposeJSPfilesdirectly">Never expose JSP files directly</a></li><li><a shape="rect" href="#Security-DisabledevMode">Disable devMode</a></li><li><a shape="rect" href="#Security-UseUTF-8encoding">Use UTF-8 encoding</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" href="#Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config Browser</a></li><li><a shape="rect" href="#Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix different access levels in the same namespace</a></li><li><a shape="rect" href="#Security-NeverexposeJSPfilesdirectly">Never expose JSP files directly</a></li><li><a shape="rect" href="#Security-DisabledevMode">Disable devMode</a></li><li><a shape="rect" href="#Security-Reducelogginglevel">Reduce logging level</a></li><li><a shape="rect" href="#Security-UseUTF-8encoding">Use UTF-8 encoding</a></li></ul>
</li><li><a shape="rect" href="#Security-Internalsecuritymechanism">Internal security mechanism</a>
<ul class="toc-indentation"><li><a shape="rect" href="#Security-Accessingstaticmethods">Accessing static methods</a></li><li><a shape="rect" href="#Security-OGNLisusedtocallaction'smethods">OGNL is used to call action's methods</a></li><li><a shape="rect" href="#Security-Accepted/Excludedpatterns">Accepted / Excluded patterns</a></li><li><a shape="rect" href="#Security-StrictMethodInvocation">Strict Method Invocation</a></li></ul>
</li></ul>
@@ -177,7 +177,23 @@ div.rbtoc1458203471142 li {margin-left:
<description>Don't assign users to this role</description>
<role-name>no-users</role-name>
</security-role></pre>
-</div></div><p>The best approach is to used the both solutions.</p><h4 id="Security-DisabledevMode">Disable devMode</h4><p>The <code style="line-height: 1.4285715;">devMode</code> is a very useful option during development time, allowing for deep introspection and debugging into you app.</p><p>However, in production it exposes your application to be presenting too many informations on application's internals or to evaluating risky parameter expressions.</p><div class="confluence-information-macro confluence-information-macro-note"><p class="title">How to disable devMode in production</p><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Please <strong>always disable <code>devMode</code></strong> before deploying your application to a production environment. While it is disabled by default, your struts.xml might include a line setting it to true. The best way is to ensure
the following setting is applied to our struts.xml for production deployment:</p><pre><span><</span><span style="color: rgb(0,0,128);">constant </span><span style="color: rgb(0,0,255);">name</span><span style="color: rgb(0,128,0);">="struts.devMode" </span><span style="color: rgb(0,0,255);">value</span><span style="color: rgb(0,128,0);">="false"</span><span>/></span></pre></div></div><p> </p><h4 id="Security-UseUTF-8encoding">Use UTF-8 encoding</h4><p>Always use <code>UTF-8</code> encoding when building an application with the Apache Struts 2, when using JSPs please add the following header to each JSP file</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>The best approach is to used the both solutions.</p><h4 id="Security-DisabledevMode">Disable devMode</h4><p>The <code style="line-height: 1.4285715;">devMode</code> is a very useful option during development time, allowing for deep introspection and debugging into you app.</p><p>However, in production it exposes your application to be presenting too many informations on application's internals or to evaluating risky parameter expressions.</p><div class="confluence-information-macro confluence-information-macro-note"><p class="title">How to disable devMode in production</p><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Please <strong>always disable <code>devMode</code></strong> before deploying your application to a production environment. While it is disabled by default, your struts.xml might include a line setting it to true. The best way is to ensure
the following setting is applied to our struts.xml for production deployment:</p><pre><span><</span><span style="color: rgb(0,0,128);">constant </span><span style="color: rgb(0,0,255);">name</span><span style="color: rgb(0,128,0);">="struts.devMode" </span><span style="color: rgb(0,0,255);">value</span><span style="color: rgb(0,128,0);">="false"</span><span>/></span></pre></div></div><h4 id="Security-Reducelogginglevel">Reduce logging level</h4><p>It's a good practice to reduce logging level from <strong>DEBUG</strong> to <strong>INFO</strong> or less. Framework's classes can produce a lot of logging entries which will pollute the log file. You can even set logging level to <strong>WARN</strong> for classes that belongs to the framework, see example Log4j2 configuration:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><?xml version="1.0" encoding="UTF-8"?>
+<Configuration>
+ <Appenders>
+ <Console name="STDOUT" target="SYSTEM_OUT">
+ <PatternLayout pattern="%d %-5p [%t] %C{2} (%F:%L) - %m%n"/>
+ </Console>
+ </Appenders>
+ <Loggers>
+ <Logger name="com.opensymphony.xwork2" level="warn"/>
+ <Logger name="org.apache.struts2" level="warn"/>
+ <Root level="info">
+ <AppenderRef ref="STDOUT"/>
+ </Root>
+ </Loggers>
+</Configuration></pre>
+</div></div><h4 id="Security-UseUTF-8encoding">Use UTF-8 encoding</h4><p>Always use <code>UTF-8</code> encoding when building an application with the Apache Struts 2, when using JSPs please add the following header to each JSP file</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><%@ page contentType="text/html; charset=UTF-8" %></pre>
</div></div><h3 id="Security-Internalsecuritymechanism">Internal security mechanism</h3><p>The Apache Struts 2 contains internal security manager which blocks access to particular classes and Java packages - it's a OGNL-wide mechanism which means it affects any aspect of the framework ie. incoming parameters, expressions used in JSPs, etc.</p><p>There are three options that can be used to configure excluded packages and classes:</p><ul style="list-style-type: square;"><li><code>struts.excludedClasses</code> - comma-separated list of excluded classes</li><li><code>struts.excludedPackageNamePatterns</code> - patterns used to exclude packages based on RegEx - this option is slower than simple string comparison but it's more flexible</li><li><code>struts.excludedPackageNames</code> - comma-separated list of excluded packages, it is used with simple string comparison via <code>startWith</code> and <code>equals</code></li></ul><p>The defaults are as follow:</p><div class="code p
anel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><constant name="struts.excludedClasses"
Modified: websites/production/struts/content/docs/struts-defaultxml.html
==============================================================================
--- websites/production/struts/content/docs/struts-defaultxml.html (original)
+++ websites/production/struts/content/docs/struts-defaultxml.html Tue May 31 12:41:53 2016
@@ -181,14 +181,28 @@ under the License.
<struts>
<constant name="struts.excludedClasses"
- value="com.opensymphony.xwork2.ActionContext" />
+ value="
+ java.lang.Object,
+ java.lang.Runtime,
+ java.lang.System,
+ java.lang.Class,
+ java.lang.ClassLoader,
+ java.lang.Shutdown,
+ java.lang.ProcessBuilder,
+ ognl.OgnlContext,
+ ognl.ClassResolver,
+ ognl.TypeConverter,
+ ognl.MemberAccess,
+ ognl.DefaultMemberAccess,
+ com.opensymphony.xwork2.ognl.SecurityMemberAccess,
+ com.opensymphony.xwork2.ActionContext" />
<!-- this must be valid regex, each '.' in package name must be escaped! -->
<!-- it's more flexible but slower than simple string comparison -->
<!-- constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" / -->
<!-- this is simpler version of the above used with string comparison -->
- <constant name="struts.excludedPackageNames" value="java.lang,ognl,javax" />
+ <constant name="struts.excludedPackageNames" value="java.lang.,ognl,javax" />
<bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
<bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" class="org.apache.struts2.factory.StrutsResultFactory" />
Modified: websites/production/struts/content/docs/type-conversion.html
==============================================================================
--- websites/production/struts/content/docs/type-conversion.html (original)
+++ websites/production/struts/content/docs/type-conversion.html Tue May 31 12:41:53 2016
@@ -141,11 +141,11 @@ under the License.
<div id="ConfluenceContent"><p>Routine type conversion in the framework is transparent. Generally, all you need to do is ensure that HTML inputs have names that can be used in <a shape="rect" href="ognl.html">OGNL</a> expressions. (HTML inputs are form elements and other GET/POST parameters.)</p>
<style type="text/css">/*<![CDATA[*/
-div.rbtoc1453884182286 {padding: 0px;}
-div.rbtoc1453884182286 ul {list-style: none;margin-left: 0px;}
-div.rbtoc1453884182286 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698191529 {padding: 0px;}
+div.rbtoc1464698191529 ul {list-style: none;margin-left: 0px;}
+div.rbtoc1464698191529 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style><div class="toc-macro rbtoc1453884182286">
+/*]]>*/</style><div class="toc-macro rbtoc1464698191529">
<ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a shape="rect" href="#TypeConversion-BuiltinTypeConversionSupport">Built in Type Conversion Support</a></li><li><span class="TOCOutline">2</span> <a shape="rect" href="#TypeConversion-RelationshiptoParameterNames">Relationship to Parameter Names</a></li><li><span class="TOCOutline">3</span> <a shape="rect" href="#TypeConversion-CreatingaTypeConverter">Creating a Type Converter</a></li><li><span class="TOCOutline">4</span> <a shape="rect" href="#TypeConversion-ApplyingaTypeConvertertoanAction">Applying a Type Converter to an Action</a></li><li><span class="TOCOutline">5</span> <a shape="rect" href="#TypeConversion-ApplyingaTypeConvertertoabeanormodel">Applying a Type Converter to a bean or model</a></li><li><span class="TOCOutline">6</span> <a shape="rect" href="#TypeConversion-ApplyingaTypeConverterforanapplication">Applying a Type Converter for an application</a></li><li><span class="TOCOutline">7</span> <a shape="r
ect" href="#TypeConversion-ASimpleExample">A Simple Example</a></li><li><span class="TOCOutline">8</span> <a shape="rect" href="#TypeConversion-AdvancedTypeConversion">Advanced Type Conversion</a>
<ul class="toc-indentation"><li><span class="TOCOutline">8.1</span> <a shape="rect" href="#TypeConversion-NullPropertyHandling">Null Property Handling</a></li><li><span class="TOCOutline">8.2</span> <a shape="rect" href="#TypeConversion-CollectionandMapSupport">Collection and Map Support</a>
<ul class="toc-indentation"><li><span class="TOCOutline">8.2.1</span> <a shape="rect" href="#TypeConversion-Indexingacollectionbyapropertyofthatcollection">Indexing a collection by a property of that collection</a></li></ul>
Modified: websites/production/struts/content/docs/validation.html
==============================================================================
--- websites/production/struts/content/docs/validation.html (original)
+++ websites/production/struts/content/docs/validation.html Tue May 31 12:41:53 2016
@@ -139,11 +139,11 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><p>Struts 2 validation is configured via XML or annotations. Manual validation in the action is also possible, and may be combined with XML and annotation-driven validation.</p><p>Validation also depends on both the <code>validation</code> and <code>workflow</code> interceptors (both are included in the default interceptor stack). The <code>validation</code> interceptor does the validation itself and creates a list of field-specific errors. The <code>workflow</code> interceptor checks for the presence of validation errors: if any are found, it returns the "input" result (by default), taking the user back to the form which contained the validation errors.</p><p>If we're using the default settings <em>and</em> our action doesn't have an "input" result defined <em>and</em> there are validation (or, incidentally, type conversion) errors, we'll get an error message back telling us there's no "input" result defined for the action.</p><p><strong>CONT
ENTS</strong></p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1453884324955 {padding: 0px;}
-div.rbtoc1453884324955 ul {list-style: none;margin-left: 0px;}
-div.rbtoc1453884324955 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1464698322819 {padding: 0px;}
+div.rbtoc1464698322819 ul {list-style: none;margin-left: 0px;}
+div.rbtoc1464698322819 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1453884324955">
+/*]]>*/</style></p><div class="toc-macro rbtoc1464698322819">
<ul class="toc-indentation"><li><span class="TOCOutline">1</span> <a shape="rect" href="#Validation-UsingAnnotations">Using Annotations</a></li><li><span class="TOCOutline">2</span> <a shape="rect" href="#Validation-BeanValidation">Bean Validation</a></li><li><span class="TOCOutline">3</span> <a shape="rect" href="#Validation-Examples">Examples</a></li><li><span class="TOCOutline">4</span> <a shape="rect" href="#Validation-BundledValidators">Bundled Validators</a></li><li><span class="TOCOutline">5</span> <a shape="rect" href="#Validation-RegisteringValidators">Registering Validators</a></li><li><span class="TOCOutline">6</span> <a shape="rect" href="#Validation-TurningonValidation">Turning on Validation</a></li><li><span class="TOCOutline">7</span> <a shape="rect" href="#Validation-ValidatorScopes">Validator Scopes</a>
<ul class="toc-indentation"><li><span class="TOCOutline">7.1</span> <a shape="rect" href="#Validation-Notes">Notes</a></li></ul>
</li><li><span class="TOCOutline">8</span> <a shape="rect" href="#Validation-DefiningValidationRules">Defining Validation Rules</a></li><li><span class="TOCOutline">9</span> <a shape="rect" href="#Validation-LocalizingandParameterizingMessages">Localizing and Parameterizing Messages</a></li><li><span class="TOCOutline">10</span> <a shape="rect" href="#Validation-ValidatorFlavor">Validator Flavor</a></li><li><span class="TOCOutline">11</span> <a shape="rect" href="#Validation-Non-FieldValidatorVsField-Validatorvalidatortypes">Non-Field Validator Vs Field-Validator</a></li><li><span class="TOCOutline">12</span> <a shape="rect" href="#Validation-Short-CircuitingValidator">Short-Circuiting Validator</a></li><li><span class="TOCOutline">13</span> <a shape="rect" href="#Validation-HowValidatorsofanActionareFound">How Validators of an Action are Found</a></li><li><span class="TOCOutline">14</span> <a shape="rect" href="#Validation-Writingcustomvalidators">Writing custom validators</a></li>
<li><span class="TOCOutline">15</span> <a shape="rect" href="#Validation-Resources">Resources</a></li><li><span class="TOCOutline">16</span> <a shape="rect" href="#Validation-Next:">Next: Localization</a></li></ul>