Posted to commits@struts.apache.org by lu...@apache.org on 2014/05/05 16:27:04 UTC

svn commit: r908092 - in /websites/production/struts/content/release/2.3.x/docs: migration-guide.html s2-021.html s2-022.html security-bulletins.html security.html version-notes-23162.html version-notes-23163.html

Author: lukaszlenart
Date: Mon May  5 14:27:04 2014
New Revision: 908092

Log:
Updates exported pages

Added:
    websites/production/struts/content/release/2.3.x/docs/s2-022.html
    websites/production/struts/content/release/2.3.x/docs/version-notes-23163.html
Modified:
    websites/production/struts/content/release/2.3.x/docs/migration-guide.html
    websites/production/struts/content/release/2.3.x/docs/s2-021.html
    websites/production/struts/content/release/2.3.x/docs/security-bulletins.html
    websites/production/struts/content/release/2.3.x/docs/security.html
    websites/production/struts/content/release/2.3.x/docs/version-notes-23162.html

Modified: websites/production/struts/content/release/2.3.x/docs/migration-guide.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/migration-guide.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/migration-guide.html Mon May  5 14:27:04 2014
@@ -125,7 +125,7 @@ under the License. 
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><p>Getting here from there.</p><h3 id="MigrationGuide-VersionNotes2.3.x">Version Notes 2.3.x</h3><ul><li><a shape="rect" href="version-notes-2318.html">Version Notes 2.3.18</a></li><li><a shape="rect" href="version-notes-23162.html">Version Notes 2.3.16.2</a></li><li><a shape="rect" href="version-notes-2316.html">Version Notes 2.3.16.1</a></li><li><a shape="rect" href="version-notes-2316.html">Version Notes 2.3.16</a></li><li><a shape="rect" href="version-notes-23153.html">Version Notes 2.3.15.3</a></li><li><a shape="rect" href="version-notes-23152.html">Version Notes 2.3.15.2</a></li><li><a shape="rect" href="version-notes-23151.html">Version Notes 2.3.15.1</a></li><li><a shape="rect" href="version-notes-2315.html">Version Notes 2.3.15</a></li><li><a shape="rect" href="version-notes-23143.html">Version Notes 2.3.14.3</a></li><li><a shape="rect" href="version-notes-23142.html">Version Notes 2.3.14.2</a></li><li><a shape="rect" href="version-no
 tes-23141.html">Version Notes 2.3.14.1</a></li><li><a shape="rect" href="version-notes-2314.html">Version Notes 2.3.14</a></li><li><a shape="rect" href="version-notes-23120.html">Version Notes 2.3.12.0</a></li><li><a shape="rect" href="version-notes-238.html">Version Notes 2.3.8</a></li><li><a shape="rect" href="version-notes-237.html">Version Notes 2.3.7</a></li><li><a shape="rect" href="version-notes-2341.html">Version Notes 2.3.4.1</a></li><li><a shape="rect" href="version-notes-234.html">Version Notes 2.3.4</a></li><li><a shape="rect" href="version-notes-233.html">Version Notes 2.3.3</a></li><li><a shape="rect" href="version-notes-2312.html">Version Notes 2.3.1.2</a></li><li><a shape="rect" href="version-notes-2311.html">Version Notes 2.3.1.1</a></li><li><a shape="rect" href="version-notes-231.html">Version Notes 2.3.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.2.x">Version Notes 2.2.x</h3><ul><li><a shape="rect" href="version-notes-2231.html">Version Notes 2.2.3.1</a></l
 i><li><a shape="rect" href="version-notes-223.html">Version Notes 2.2.3</a></li><li><a shape="rect" href="version-notes-2211.html">Version Notes 2.2.1.1</a></li><li><a shape="rect" href="version-notes-221.html">Version Notes 2.2.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.1.x">Version Notes 2.1.x</h3><ul><li><a shape="rect" href="version-notes-2181.html">Version Notes 2.1.8.1</a></li><li><a shape="rect" href="version-notes-218.html">Version Notes 2.1.8</a></li><li><a shape="rect" href="version-notes-216.html">Version Notes 2.1.6</a></li><li><a shape="rect" href="version-notes-215.html">Version Notes 2.1.5</a></li><li><a shape="rect" href="version-notes-214.html">Version Notes 2.1.4</a></li><li><a shape="rect" href="version-notes-213.html">Version Notes 2.1.3</a></li><li><a shape="rect" href="version-notes-212.html">Version Notes 2.1.2</a></li><li><a shape="rect" href="version-notes-211.html">Version Notes 2.1.1</a></li><li><a shape="rect" href="version-notes-210.html">Versio
 n Notes 2.1.0</a></li></ul><h3 id="MigrationGuide-ReleaseNotes2.0.x">Release Notes 2.0.x</h3><ul><li><a shape="rect" href="release-notes-2014.html">Release Notes 2.0.14</a></li><li><a shape="rect" href="release-notes-2013.html">Release Notes 2.0.13</a></li><li><a shape="rect" href="release-notes-2012.html">Release Notes 2.0.12</a></li><li><a shape="rect" href="release-notes-20112.html">Release Notes 2.0.11.2</a></li><li><a shape="rect" href="release-notes-20111.html">Release Notes 2.0.11.1</a></li><li><a shape="rect" href="release-notes-2011.html">Release Notes 2.0.11</a></li><li><a shape="rect" href="release-notes-2010.html">Release Notes 2.0.10</a></li><li><a shape="rect" href="release-notes-209.html">Release Notes 2.0.9</a></li><li><a shape="rect" href="release-notes-208.html">Release Notes 2.0.8</a></li><li><a shape="rect" href="release-notes-207.html">Release Notes 2.0.7</a></li><li><a shape="rect" href="release-notes-206.html">Release Notes 2.0.6</a></li><li><a shape="rect" hr
 ef="release-notes-205.html">Release Notes 2.0.5</a></li><li><a shape="rect" href="release-notes-204.html">Release Notes 2.0.4</a></li><li><a shape="rect" href="release-notes-203.html">Release Notes 2.0.3</a></li><li><a shape="rect" href="release-notes-202.html">Release Notes 2.0.2</a></li><li><a shape="rect" href="release-notes-201.html">Release Notes 2.0.1</a></li><li><a shape="rect" href="release-notes-200.html">Release Notes 2.0.0</a></li></ul><h3 id="MigrationGuide-Struts1toStruts2">Struts 1 to Struts 2</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="comparing-struts-1-and-2.html">Comparing Struts 1 and 2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>How are Struts 1 and Struts 2 alike? How are they different?</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="struts-1-solutions.html">Struts 1 Solutions</a></p></th><td colspan=
 "1" rowspan="1" class="confluenceTd"><p>Various issues (and hopefully their solutions!) encountered during migrations to Struts 2.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="migration-strategies.html">Migration Strategies</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Steps and overall strategies for migrating Struts 1 applications to Struts 2.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="migration-tools.html">Migration Tools</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Development tools to help aid the migration process.</p></td></tr></tbody></table></div><h4 id="MigrationGuide-Tutorials">Tutorials</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" class="external-link" href="http://www.infoq.com/news/migrating-struts2" rel="nofollow">Migrating Applications to Struts 2
  </a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>A three-part series by Ian Roughley (Sep 2006)</p></td></tr></tbody></table></div><h4 id="MigrationGuide-Roadmap">Roadmap</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" class="external-link" href="http://struts.apache.org/roadmap.html#new">Roadmap FAQ</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>What's in store for Struts 2?</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" class="external-link" href="http://www.oreillynet.com/onjava/blog/2006/10/my_history_of_struts_2.html" rel="nofollow">A History of Struts 2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Don Brown's summary of events</p></td></tr></tbody></table></div><h3 id="MigrationGuide-Webwork2.2toStruts2">Webwork 2.2 to Struts 2</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><t
 h colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="key-changes-from-webwork-2.html">Key Changes From WebWork 2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>What has been removed or changed from WebWork 2.2 to Struts 2</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="webwork-2-migration-strategies.html">WebWork 2 Migration Strategies</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Steps and overall strategies for migrating WebWork 2 applications to Struts 2.</p></td></tr></tbody></table></div><h2 id="MigrationGuide-FAQs">FAQs</h2><ul><li><a shape="rect" href="where-do-we-get-the-latest-version-the-framework.html">Where do we get the latest version the framework</a>?</li><li><a shape="rect" href="what-are-some-of-the-frameworks-best-features.html">What are some of the framework's best features</a>?</li><li><a shape="rect" href="what-is-the-actioncontext.html">What is the ActionContext?</a
 ></li></ul><h2 id="MigrationGuide-Next:">Next: <a shape="rect" href="contributors-guide.html">Contributors Guide</a></h2></div>
+            <div id="ConfluenceContent"><p>Getting here from there.</p><h3 id="MigrationGuide-VersionNotes2.3.x">Version Notes 2.3.x</h3><ul><li><a shape="rect" href="version-notes-2318.html">Version Notes 2.3.18</a></li><li><a shape="rect" href="version-notes-23163.html">Version Notes 2.3.16.3</a></li><li><a shape="rect" href="version-notes-23162.html">Version Notes 2.3.16.2</a></li><li><a shape="rect" href="version-notes-2316.html">Version Notes 2.3.16.1</a></li><li><a shape="rect" href="version-notes-2316.html">Version Notes 2.3.16</a></li><li><a shape="rect" href="version-notes-23153.html">Version Notes 2.3.15.3</a></li><li><a shape="rect" href="version-notes-23152.html">Version Notes 2.3.15.2</a></li><li><a shape="rect" href="version-notes-23151.html">Version Notes 2.3.15.1</a></li><li><a shape="rect" href="version-notes-2315.html">Version Notes 2.3.15</a></li><li><a shape="rect" href="version-notes-23143.html">Version Notes 2.3.14.3</a></li><li><a shape="rect" href="version-no
 tes-23142.html">Version Notes 2.3.14.2</a></li><li><a shape="rect" href="version-notes-23141.html">Version Notes 2.3.14.1</a></li><li><a shape="rect" href="version-notes-2314.html">Version Notes 2.3.14</a></li><li><a shape="rect" href="version-notes-23120.html">Version Notes 2.3.12.0</a></li><li><a shape="rect" href="version-notes-238.html">Version Notes 2.3.8</a></li><li><a shape="rect" href="version-notes-237.html">Version Notes 2.3.7</a></li><li><a shape="rect" href="version-notes-2341.html">Version Notes 2.3.4.1</a></li><li><a shape="rect" href="version-notes-234.html">Version Notes 2.3.4</a></li><li><a shape="rect" href="version-notes-233.html">Version Notes 2.3.3</a></li><li><a shape="rect" href="version-notes-2312.html">Version Notes 2.3.1.2</a></li><li><a shape="rect" href="version-notes-2311.html">Version Notes 2.3.1.1</a></li><li><a shape="rect" href="version-notes-231.html">Version Notes 2.3.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.2.x">Version Notes 2.2.x</h3>
 <ul><li><a shape="rect" href="version-notes-2231.html">Version Notes 2.2.3.1</a></li><li><a shape="rect" href="version-notes-223.html">Version Notes 2.2.3</a></li><li><a shape="rect" href="version-notes-2211.html">Version Notes 2.2.1.1</a></li><li><a shape="rect" href="version-notes-221.html">Version Notes 2.2.1</a></li></ul><h3 id="MigrationGuide-VersionNotes2.1.x">Version Notes 2.1.x</h3><ul><li><a shape="rect" href="version-notes-2181.html">Version Notes 2.1.8.1</a></li><li><a shape="rect" href="version-notes-218.html">Version Notes 2.1.8</a></li><li><a shape="rect" href="version-notes-216.html">Version Notes 2.1.6</a></li><li><a shape="rect" href="version-notes-215.html">Version Notes 2.1.5</a></li><li><a shape="rect" href="version-notes-214.html">Version Notes 2.1.4</a></li><li><a shape="rect" href="version-notes-213.html">Version Notes 2.1.3</a></li><li><a shape="rect" href="version-notes-212.html">Version Notes 2.1.2</a></li><li><a shape="rect" href="version-notes-211.html">V
 ersion Notes 2.1.1</a></li><li><a shape="rect" href="version-notes-210.html">Version Notes 2.1.0</a></li></ul><h3 id="MigrationGuide-ReleaseNotes2.0.x">Release Notes 2.0.x</h3><ul><li><a shape="rect" href="release-notes-2014.html">Release Notes 2.0.14</a></li><li><a shape="rect" href="release-notes-2013.html">Release Notes 2.0.13</a></li><li><a shape="rect" href="release-notes-2012.html">Release Notes 2.0.12</a></li><li><a shape="rect" href="release-notes-20112.html">Release Notes 2.0.11.2</a></li><li><a shape="rect" href="release-notes-20111.html">Release Notes 2.0.11.1</a></li><li><a shape="rect" href="release-notes-2011.html">Release Notes 2.0.11</a></li><li><a shape="rect" href="release-notes-2010.html">Release Notes 2.0.10</a></li><li><a shape="rect" href="release-notes-209.html">Release Notes 2.0.9</a></li><li><a shape="rect" href="release-notes-208.html">Release Notes 2.0.8</a></li><li><a shape="rect" href="release-notes-207.html">Release Notes 2.0.7</a></li><li><a shape="rec
 t" href="release-notes-206.html">Release Notes 2.0.6</a></li><li><a shape="rect" href="release-notes-205.html">Release Notes 2.0.5</a></li><li><a shape="rect" href="release-notes-204.html">Release Notes 2.0.4</a></li><li><a shape="rect" href="release-notes-203.html">Release Notes 2.0.3</a></li><li><a shape="rect" href="release-notes-202.html">Release Notes 2.0.2</a></li><li><a shape="rect" href="release-notes-201.html">Release Notes 2.0.1</a></li><li><a shape="rect" href="release-notes-200.html">Release Notes 2.0.0</a></li></ul><h3 id="MigrationGuide-Struts1toStruts2">Struts 1 to Struts 2</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="comparing-struts-1-and-2.html">Comparing Struts 1 and 2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>How are Struts 1 and Struts 2 alike? How are they different?</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shap
 e="rect" href="struts-1-solutions.html">Struts 1 Solutions</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Various issues (and hopefully their solutions!) encountered during migrations to Struts 2.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="migration-strategies.html">Migration Strategies</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Steps and overall strategies for migrating Struts 1 applications to Struts 2.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="migration-tools.html">Migration Tools</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Development tools to help aid the migration process.</p></td></tr></tbody></table></div><h4 id="MigrationGuide-Tutorials">Tutorials</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" class="external-link" href="http://www.
 infoq.com/news/migrating-struts2" rel="nofollow">Migrating Applications to Struts 2 </a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>A three-part series by Ian Roughley (Sep 2006)</p></td></tr></tbody></table></div><h4 id="MigrationGuide-Roadmap">Roadmap</h4><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" class="external-link" href="http://struts.apache.org/roadmap.html#new">Roadmap FAQ</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>What's in store for Struts 2?</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" class="external-link" href="http://www.oreillynet.com/onjava/blog/2006/10/my_history_of_struts_2.html" rel="nofollow">A History of Struts 2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Don Brown's summary of events</p></td></tr></tbody></table></div><h3 id="MigrationGuide-Webwork2.2toStruts2">Webwork 2.2 t
 o Struts 2</h3><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="key-changes-from-webwork-2.html">Key Changes From WebWork 2</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>What has been removed or changed from WebWork 2.2 to Struts 2</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p><a shape="rect" href="webwork-2-migration-strategies.html">WebWork 2 Migration Strategies</a></p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Steps and overall strategies for migrating WebWork 2 applications to Struts 2.</p></td></tr></tbody></table></div><h2 id="MigrationGuide-FAQs">FAQs</h2><ul><li><a shape="rect" href="where-do-we-get-the-latest-version-the-framework.html">Where do we get the latest version the framework</a>?</li><li><a shape="rect" href="what-are-some-of-the-frameworks-best-features.html">What are some of the framework's best features</a>?</li><li>
 <a shape="rect" href="what-is-the-actioncontext.html">What is the ActionContext?</a></li></ul><h2 id="MigrationGuide-Next:">Next: <a shape="rect" href="contributors-guide.html">Contributors Guide</a></h2></div>
         </div>
 
                     <div class="tabletitle">
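Review bot: In the 2.3.x list on the added line, the entry labelled "Version Notes 2.3.16.1" still points at href="version-notes-2316.html", the same target as the "Version Notes 2.3.16" entry next to it, so both entries resolve to one page. Since this line is being regenerated to add the version-notes-23163.html link, correct the 2.3.16.1 target in the source wiki page in the same pass so readers following a security release land on the notes for that release.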
@@ -319,6 +319,9 @@ under the License. 
                                     $page.link($child)
                     <span class="smalltext">(Apache Struts 2 Documentation)</span>
                     <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
                             </div>
         
     </div>
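Review bot: The three added lines repeat the literal "$page.link($child)" placeholder, so the exported page now carries the unresolved template variable twice where links to the child pages should be. The export template should either render the child links or omit this block; as committed, each new child page adds another copy of the raw placeholder to the published HTML.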

Modified: websites/production/struts/content/release/2.3.x/docs/s2-021.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/s2-021.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/s2-021.html Mon May  5 14:27:04 2014
@@ -134,7 +134,7 @@ under the License. 
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-021-Summary">Summary</h2>Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>ClassLoader manipulation</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Developers should immediately upgrade to <a shape="rect" class="external-link" href="http://struts.apac
 he.org/download.cgi#struts23162">Struts 2.3.16.2</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts 2.3.16.1</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Taki Uchiyama (JPCERT/CC), <br clear="none">Takeshi Terada (Mitsui Bussan Secure Directions, Inc.), <br clear="none">Takayoshi Isayama (Mitsui Bussan Secure Directions, Inc.), <br clear="none">Yoshiyuki Karezaki (Yoshiyuki.Karezaki at scsk.jp)<br clear="none"><span style="line-height: 1.4285715;">BAKA/ty (<span style="color: rgb(85,85,85);">121605589 at qq.com)</span>, <br clear="none"></span><span style="line-height: 1.4285715;">Shine (1983059165 at qq.com), <br clear="none">NSFOCUS Security Team,<br clear="none"></span><span style="line-height: 1.4285715;">heige (zhoujp at knownsec.com</span>)</p></td></tr><tr><th cols
 pan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span>CVE-2014-0112 - </span>Incomplete fix for ClassLoader manipulation via ParametersInterceptor</p><p><span>CVE-2014-0113 - </span>ClassLoader manipulation via CookieInterceptor when configured to accept all cookies</p></td></tr></tbody></table></div><h2 id="S2-021-Problem">Problem</h2><p>The excluded parameter pattern introduced in version 2.3.16.1 to block access to getClass() method wasn't sufficient. It is possible to omit that with specially crafted requests. Also CookieInterceptor is vulnerable for the same kind of attack when it was configured to accept all cookies (when "*" is used to configure&#160;<code>cookiesName</code> param).</p><h2 id="S2-021-Solution">Solution</h2><p>In Struts 2.3.16.2 improved "class" pattern was introduced directly to ParametersInterceptor and CookieInterceptor.</p><h2 id="S2-021-Backwardcompatibility">Backward compatibility</h2
 ><p>No backward compatibility problems are expected.</p><h2 id="S2-021-Workaround">Workaround</h2><h2 id="S2-021-Ifyoucannotupgradetoversion2.3.16.2immediately-whichisstronglyadvised-youcanapplybelowworkarounds:"><span style="font-size: 14.0px;line-height: 1.4285715;">If you cannot upgrade to version 2.3.16.2 immediately -&#160;<strong>which is strongly advised -</strong>&#160;you can apply below workarounds:</span></h2><h3 id="S2-021-Exclude'class'parameter"><span style="line-height: 1.5625;">Exclude 'class' parameter</span></h3><p>Replace the previous class related pattern with '(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*' on&#160;the list of excludeParams as below</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+            <div id="ConfluenceContent"><h2 id="S2-021-Summary">Summary</h2>Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>ClassLoader manipulation</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Developers should immediately upgrade to <a shape="rect" class="external-link" href="http://struts.apac
 he.org/download.cgi#struts23162">Struts 2.3.16.2</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts 2.3.16.1</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">NTT-CERT via JPCERT/CC</span>, <br clear="none">Takeshi Terada (Mitsui Bussan Secure Directions, Inc.), <br clear="none">Takayoshi Isayama (Mitsui Bussan Secure Directions, Inc.), <br clear="none">Yoshiyuki Karezaki (Yoshiyuki.Karezaki at scsk.jp)<br clear="none"><span style="line-height: 1.4285715;">BAKA/ty (<span style="color: rgb(85,85,85);">121605589 at qq.com)</span>, <br clear="none"></span><span style="line-height: 1.4285715;"><span style="color: rgb(34,34,34);">Nebula (</span><span style="color: rgb(34,34,34);">Chibi, Hubei, CN</span><span style="color: rgb(34,34,34);">), Hello
 World security team</span>, <br clear="none">NSFOCUS Security Team,<br clear="none"></span><span style="line-height: 1.4285715;">heige (zhoujp at knownsec.com</span>)</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span>CVE-2014-0112 - </span>Incomplete fix for ClassLoader manipulation via ParametersInterceptor</p><p><span>CVE-2014-0113 - </span>ClassLoader manipulation via CookieInterceptor when configured to accept all cookies</p></td></tr></tbody></table></div><h2 id="S2-021-Problem">Problem</h2><p>The excluded parameter pattern introduced in version 2.3.16.1 to block access to getClass() method wasn't sufficient. It is possible to omit that with specially crafted requests. Also CookieInterceptor is vulnerable for the same kind of attack when it was configured to accept all cookies (when "*" is used to configure&#160;<code>cookiesName</code> param).</p><h2 id="S2-021-Solution">Solutio
 n</h2><p>In Struts 2.3.16.2 improved "class" pattern was introduced directly to ParametersInterceptor and CookieInterceptor.</p><h2 id="S2-021-Backwardcompatibility">Backward compatibility</h2><p>No backward compatibility problems are expected.</p><h2 id="S2-021-Workaround">Workaround</h2><h2 id="S2-021-Ifyoucannotupgradetoversion2.3.16.2immediately-whichisstronglyadvised-youcanapplybelowworkarounds:"><span style="font-size: 14.0px;line-height: 1.4285715;">If you cannot upgrade to version 2.3.16.2 immediately -&#160;<strong>which is strongly advised -</strong>&#160;you can apply below workarounds:</span></h2><h3 id="S2-021-Exclude'class'parameter"><span style="line-height: 1.5625;">Exclude 'class' parameter</span></h3><p>Replace the previous class related pattern with '(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*' on&#160;the list of excludeParams as below</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;interceptor-ref name=&quot;params&quot;&gt;
   &lt;param name=&quot;excludeParams&quot;&gt;(.*\.|^|.*|\[(&#39;|&quot;))(c|C)lass(\.|(&#39;|&quot;)]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*&lt;/param&gt;
 &lt;/interceptor-ref&gt;]]></script>
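Review bot: On the added line, the Workaround text gives the replacement pattern as '(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*', while the excludeParams snippet directly below it uses (c|C)lass, so the prose and the configuration disagree on whether the capitalised form is excluded. Make the pattern in the sentence match the snippet, because someone applying the workaround by hand may copy either one. The code panel is also tagged "brush: java" although its content is XML configuration.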

Added: websites/production/struts/content/release/2.3.x/docs/s2-022.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/s2-022.html (added)
+++ websites/production/struts/content/release/2.3.x/docs/s2-022.html Mon May  5 14:27:04 2014
@@ -0,0 +1,138 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>S2-022</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="security-bulletins.html">Security Bulletins</a>&nbsp;&gt;&nbsp;<a href="s2-022.html">S2-022</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="http://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">S2-022</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=40511500">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=40511500">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=40511500">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=40511500">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=40511500">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=40511500">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><h2 id="S2-022-Summary">Summary</h2>Extends excluded params in CookieInterceptor to avoid manipulation of Struts' internals<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possibility to change internal state of session, request, etc</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Developers should immediately upgrade to <a shape="rect" class="external-link" hre
 f="http://struts.apache.org/download.cgi#struts23163">Struts 2.3.16.3</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts 2.3.16.1</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Zubair Ashraf of IBM X-Force</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="line-height: 1.4285715;"><span style="color: rgb(34,34,34);">CVE-2014-0116</span> - </span><span style="line-height: 1.4285715;">Struts' internals manipulation via CookieInterceptor</span></p></td></tr></tbody></table></div><h2 id="S2-022-Problem">Problem</h2><p>The excluded parameter pattern introduced in version 2.3.16.2 to block access to getClass() method didn't cover other cases and because of that attacker can c
 hange state of session, request and so on (when "*" is used to configure&#160;<code>cookiesName</code> param).</p><h2 id="S2-022-Solution">Solution</h2><p>In Struts 2.3.16.3 the same exclude patterns were used in CookieInterceptor which are available in ParametersInterceptor. If you don't use&#160;CookieInterceptor you are safe.</p><h2 id="S2-022-Backwardcompatibility">Backward compatibility</h2><p>No backward compatibility problems are expected.</p><h2 id="S2-022-Workaround">Workaround</h2><h2 id="S2-022-Ifyoucannotupgradetoversion2.3.16.3immediately-whichisstronglyadvised-don'tusewildcardmappingtoacceptcookienamesorimplementyourownversionofCookieInterceptorbasedoncodeprovidedinStruts2.3.16.3."><span style="font-size: 14.0px;line-height: 1.4285715;">If you cannot upgrade to version 2.3.16.3 immediately -&#160;<strong>which is strongly advised -</strong></span><span style="font-size: 14.0px;line-height: 1.4285715;">&#160;don't use wildcard mapping to accept cookie names or implement
  your own version of CookieInterceptor based on code provided in Struts 2.3.16.3.</span></h2><p><span style="font-size: 14.0px;line-height: 1.4285715;"><br clear="none"></span></p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
\ No newline at end of file
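Review bot: the Workaround text in the new s2-022.html is marked up as an `<h2>` whose id is the entire sentence (`S2-022-Ifyoucannotupgradetoversion2.3.16.3immediately-...`), so it renders as a heading and produces an unusable anchor; it should be a `<p>` under the existing `<h2 id="S2-022-Workaround">`. The bold aside "which is strongly advised" sits right after "If you cannot upgrade ... immediately", which reads as if not upgrading were the advice; move it next to the upgrade recommendation. The workaround also tells readers to base their own CookieInterceptor on the 2.3.16.3 code without naming or linking the exclude patterns, and the Problem section only mentions the "*" `cookiesName` case in parentheses, so a reader cannot tell from this page what to check in their configuration. Minor: the Summary sentence is bare text outside any `<p>`, and the top bar `<td>` carries `align="left"` twice.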

Modified: websites/production/struts/content/release/2.3.x/docs/security-bulletins.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/security-bulletins.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/security-bulletins.html Mon May  5 14:27:04 2014
@@ -126,7 +126,7 @@ under the License. 
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p>The following security bulletins are available:</p>
-<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> &#8212; <span class="smalltext">Remote code exploit on form validation error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; <span class="smalltext">Cross site scripting (XSS) vulnerability on <url> and <a> tags</a></url></span></li><li><a shape="rect" href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a shape="rect" href="s2-004.html">S2-004</a> &#8212; <span class="smalltext">Directory traversal vulnerability while serving static content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; <span class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> &#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</span></li><li><a shape="rect" href="s2
 -007.html">S2-007</a> &#8212; <span class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; <span class="smalltext">Multiple critical vulnerabilities in Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; <span class="smalltext">ParameterInterceptor vulnerability allows remote command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> &#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; <span class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</span></li><li><a shape="rect" href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app vulnerability allows remote command execution</span></li><li><a
  shape="rect" href="s2-013.html">S2-013</a> &#8212; <span class="smalltext">A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution</span></li><li><a shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; <span class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; <span class="smalltext">A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; <span class="smalltext
 ">A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects</span></li><li><a shape="rect" href="s2-018.html">S2-018</a> &#8212; <span class="smalltext">Broken Access Control Vulnerability in Apache Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; <span class="smalltext">Dynamic Method Invocation disabled by default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; <span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)</span></li><li><a shape="rect" href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation</span></li></ul></div>
+<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> &#8212; <span class="smalltext">Remote code exploit on form validation error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> &#8212; <span class="smalltext">Cross site scripting (XSS) vulnerability on <url> and <a> tags</a></url></span></li><li><a shape="rect" href="s2-003.html">S2-003</a> &#8212; <span class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a shape="rect" href="s2-004.html">S2-004</a> &#8212; <span class="smalltext">Directory traversal vulnerability while serving static content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> &#8212; <span class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> &#8212; <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</span></li><li><a shape="rect" href="s2
 -007.html">S2-007</a> &#8212; <span class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> &#8212; <span class="smalltext">Multiple critical vulnerabilities in Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> &#8212; <span class="smalltext">ParameterInterceptor vulnerability allows remote command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> &#8212; <span class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> &#8212; <span class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</span></li><li><a shape="rect" href="s2-012.html">S2-012</a> &#8212; <span class="smalltext">Showcase app vulnerability allows remote command execution</span></li><li><a
  shape="rect" href="s2-013.html">S2-013</a> &#8212; <span class="smalltext">A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution</span></li><li><a shape="rect" href="s2-014.html">S2-014</a> &#8212; <span class="smalltext">A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> &#8212; <span class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> &#8212; <span class="smalltext">A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> &#8212; <span class="smalltext
 ">A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects</span></li><li><a shape="rect" href="s2-018.html">S2-018</a> &#8212; <span class="smalltext">Broken Access Control Vulnerability in Apache Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> &#8212; <span class="smalltext">Dynamic Method Invocation disabled by default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> &#8212; <span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)</span></li><li><a shape="rect" href="s2-021.html">S2-021</a> &#8212; <span class="smalltext">Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> &#8212; <span class="smalltext">Extends excluded params in CookieIntercept
 or to avoid manipulation of Struts' internals</span></li></ul></div>
         </div>
 
                     <div class="tabletitle">
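Review bot: the S2-002 entry in the rewritten `<ul class="childpages-macro">` line still contains raw `<url> and <a> tags</a></url>` inside the description span, so the browser parses the tag names as elements (including an anchor with no href) instead of showing them as text. The line is being regenerated anyway to append S2-022, so the description should be escaped as `&lt;url&gt; and &lt;a&gt; tags`, or fixed in the wiki source so the export stops emitting it.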
@@ -200,6 +200,9 @@ under the License. 
                                     $page.link($child)
                     <span class="smalltext">(Apache Struts 2 Documentation)</span>
                     <br>
+                                    $page.link($child)
+                    <span class="smalltext">(Apache Struts 2 Documentation)</span>
+                    <br>
                             </div>
         
     </div>
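Review bot: the three added lines emit a literal `$page.link($child)` into the published page, which is an unrendered template placeholder rather than a link to the new S2-022 child page. The context lines show the same unrendered placeholder already present, so each new bulletin adds another broken entry; the export template for the children list needs fixing (or the block dropping) rather than committing the generated output as is.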

Modified: websites/production/struts/content/release/2.3.x/docs/security.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/security.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/security.html Mon May  5 14:27:04 2014
@@ -19,7 +19,7 @@ under the License. 
 -->
 <html>
 <head>
-    <LINK type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
     <style type="text/css">
         .dp-highlighter {
             width:95% !important;
@@ -37,8 +37,8 @@ under the License. 
     <link href='http://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
     <link href='http://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
     <script src='http://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
-            <script src='http://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
-    
+    <script src='http://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+
     <script type="text/javascript">
         SyntaxHighlighter.defaults['toolbar'] = false;
         SyntaxHighlighter.all();
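Review bot: the re-indented `shBrushXml.js` line and the context lines above it load the highlighter scripts and stylesheets from `http://struts.apache.org/highlighter/...`, while the `default.css` link changed earlier in this file uses `https://`. On the security documentation page in particular, script includes over plain HTTP are mixed content when the page is served over HTTPS and can be modified in transit; since the line is being touched, switch these URLs to `https://` in the export template.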
@@ -134,21 +134,8 @@ under the License. 
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h3 id="Security-Securitytips">Security tips</h3>
-
-<p>The Apache Struts 2 doesn't provide any security mechanism - it is just a pure web framework. Below are few tips you should consider during application development with the Apache Struts 2.</p>
-
-<h4 id="Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config Browser</h4>
-
-<p>&#65279;<a shape="rect" href="config-browser-plugin.html">Config Browser Plugin</a>&#160;expose internal configuration and should be used only during development phase. If you must use it on production site, we strictly recommend restricting access to it - you can use &#160;Basic Authentication or any other security mechanism (e.g. <a shape="rect" class="external-link" href="http://shiro.apache.org/">Apache Shiro</a>)</p>
-
-<h4 id="Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix different access levels in the same namespace</h4>
-
-<p>Very often access to different resources is controlled base on URL patterns, see snippet below. Because of that you cannot mix actions with different security levels in the same namespace. Always group actions in one namespace by security level.</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[
-    &lt;security-constraint&gt;
+            <div id="ConfluenceContent"><h3 id="Security-Securitytips">Security tips</h3><p>The Apache Struts 2 doesn't provide any security mechanism - it is just a pure web framework. Below are few tips you should consider during application development with the Apache Struts 2.</p><h4 id="Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config Browser</h4><p><a shape="rect" href="config-browser-plugin.html">Config Browser Plugin</a>&#160;exposes internal configuration and should be used only during development phase. If you must use it on production site, we strictly recommend restricting access to it - you can use &#160;Basic Authentication or any other security mechanism (e.g. <a shape="rect" class="external-link" href="http://shiro.apache.org/">Apache Shiro</a>)</p><h4 id="Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix different access levels in the same namespace</h4><p>Very often access to different resources is controlled based on URL p
 atterns, see snippet below. Because of that you cannot mix actions with different security levels in the same namespace. Always group actions in one namespace by security level.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[    &lt;security-constraint&gt;
         &lt;web-resource-collection&gt;
             &lt;web-resource-name&gt;admin&lt;/web-resource-name&gt;
             &lt;url-pattern&gt;/secure/*&lt;/url-pattern&gt;
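Review bot: the replacement `ConfluenceContent` line fixes "expose" and "base on" but keeps "Below are few tips" and the stray space before `&#160;Basic Authentication`, and the Config Browser sentence still ends without a full stop after the Apache Shiro link. Collapsing the headings and paragraphs onto one line also hides these small wording fixes inside a 13-line removal, so it would help to correct the remaining wording in the wiki source in the same pass.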

Modified: websites/production/struts/content/release/2.3.x/docs/version-notes-23162.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/version-notes-23162.html (original)
+++ websites/production/struts/content/release/2.3.x/docs/version-notes-23162.html Mon May  5 14:27:04 2014
@@ -135,7 +135,7 @@ under the License. 
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> These are the notes for the Struts 2.3.16.2 distribution.</p><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> For prior notes in this release series, see <a shape="rect" href="version-notes-23153.html">Version Notes 2.3.16</a></p><ul><li>If you are a Maven user, you might want to get started using the <a shape="rect" href="struts-2-maven-archetypes.html">Maven Archetype</a>.</li><li>Another quick-start entry point is the <strong>blank</strong> application. Rename and deploy the WAR as a starting point for your own development.</li></ul><div class="code p
 anel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Maven Dependency</b></div><div class="codeContent panelContent pdl">
+            <div id="ConfluenceContent"><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> These are the notes for the Struts 2.3.16.2 distribution.</p><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> For prior notes in this release series, see <a shape="rect" href="version-notes-23161.html">Version Notes 2.3.16.1</a></p><ul><li>If you are a Maven user, you might want to get started using the <a shape="rect" href="struts-2-maven-archetypes.html">Maven Archetype</a>.</li><li>Another quick-start entry point is the <strong>blank</strong> application. Rename and deploy the WAR as a starting point for your own development.</li></ul><div class="code
  panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Maven Dependency</b></div><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;dependency&gt;
   &lt;groupId&gt;org.apache.struts&lt;/groupId&gt;
   &lt;artifactId&gt;struts2-core&lt;/artifactId&gt;

Added: websites/production/struts/content/release/2.3.x/docs/version-notes-23163.html
==============================================================================
--- websites/production/struts/content/release/2.3.x/docs/version-notes-23163.html (added)
+++ websites/production/struts/content/release/2.3.x/docs/version-notes-23163.html Mon May  5 14:27:04 2014
@@ -0,0 +1,166 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='http://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+    <link href='http://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+    <script src='http://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+    <script src='http://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+    <script src='http://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>Version Notes 2.3.16.3</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="guides.html">Guides</a>&nbsp;&gt;&nbsp;<a href="migration-guide.html">Migration Guide</a>&nbsp;&gt;&nbsp;<a href="version-notes-23163.html">Version Notes 2.3.16.3</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="http://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">Version Notes 2.3.16.3</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=40511492">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=40511492">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=40511492">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=40511492">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=40511492">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=40511492">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> These are the notes for the Struts 2.3.16.3 distribution.</p><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> For prior notes in this release series, see <a shape="rect" href="version-notes-23162.html">Version Notes 2.3.16.2</a></p><ul><li>If you are a Maven user, you might want to get started using the <a shape="rect" href="struts-2-maven-archetypes.html">Maven Archetype</a>.</li><li>Another quick-start entry point is the <strong>blank</strong> application. Rename and deploy the WAR as a starting point for your own development.</li></ul><div class="code
  panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Maven Dependency</b></div><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;dependency&gt;
+  &lt;groupId&gt;org.apache.struts&lt;/groupId&gt;
+  &lt;artifactId&gt;struts2-core&lt;/artifactId&gt;
+  &lt;version&gt;2.3.16.3&lt;/version&gt;
+&lt;/dependency&gt;
+]]></script>
+</div></div><p>You can also use Struts Archetype Catalog like below</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Struts Archetype Catalog</b></div><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: bash; gutter: false" type="syntaxhighlighter"><![CDATA[mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/
+]]></script>
+</div></div><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Staging Repository</b></div><div class="codeContent panelContent pdl">
+<script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;repositories&gt;
+  &lt;repository&gt;
+    &lt;id&gt;apache.nexus&lt;/id&gt;
+    &lt;name&gt;ASF Nexus Staging&lt;/name&gt;
+    &lt;url&gt;https://repository.apache.org/content/groups/staging/&lt;/url&gt;
+  &lt;/repository&gt;
+&lt;/repositories&gt;]]></script>
+</div></div><h2 id="VersionNotes2.3.16.3-InternalChanges">Internal Changes</h2><ul><li><span style="color: rgb(34,34,34);"><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)">&#160;Extends excluded params to avoid manipulation of Struts' internals via CookieInterceptor</span></li></ul><h3 id="VersionNotes2.3.16.3-IssueDetail">Issue Detail</h3><ul><li><a shape="rect" href="s2-022.html">Security Bulletin S2-022</a></li><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12326821&amp;styleName=Html&amp;projectId=12311041">JIRA Release Notes 2.3.16.3</a></li></ul><h3 id="VersionNotes2.3.16.3-IssueList">Issue List</h3><ul><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/issues/?filter=12325234">Struts 2.3.18 TODO</a></li><li>
 <a shape="rect" class="external-link" href="https://issues.apache.org/jira/issues/?filter=12318399">Struts 2.3.x TODO</a></li></ul><h3 id="VersionNotes2.3.16.3-Otherresources">Other resources</h3><ul><li><a shape="rect" class="external-link" href="http://www.mail-archive.com/commits%40struts.apache.org/" rel="nofollow">Commit Logs (Struts 1 and Struts 2)</a></li><li><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=struts.git;a=tree;h=434057563687119f91d5cad8c5d8e352635268ee;hb=e03ff728618f5bf551083fc3a52d43c07434bbc9">Source Code Repository (includes change browsing)</a></li></ul><p>&#160;</p></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
\ No newline at end of file
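Review bot: the release notes for 2.3.16.3 include a "Staging Repository" snippet pointing at `https://repository.apache.org/content/groups/staging/`, which invites users to add a staging group to their build for a version that this same commit announces as the released security fix; drop the block once the artifacts are in the release repository, or label it as pre-release only. The "Struts Archetype Catalog" command above it fetches the catalog from `http://struts.apache.org/` over plain HTTP, which should be `https://` for anything that feeds a build. The "Issue List" also links "Struts 2.3.18 TODO" from a 2.3.16.3 page with no explanation, which looks copied from the previous notes.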