Posted to user@struts.apache.org by Markus Fischer <Ma...@knipp.de> on 2013/10/02 17:22:33 UTC

S2-018, Struts 2.3.15.2: action: prefix for buttons not working after upgrade to Struts 2.3.15.2

Hi everyone,

I have just upgraded a web application from Struts 2.3.15.1 to Struts
2.3.15.2 (running on Tomcat 7.0.27). Now, for any button using the
"action:" prefix as described in S2-018, the action mapping does not
work anymore. I.e., Backward Compatibility for the "action:" prefix
is not given, at least not in my use case.

Example: Clicking the following button...

>  <button type="submit" name="action:createsubmit"
>    id="..." value="..." class="...">Create</button>

...yields this 404 report:
> HTTP Status 404 - /my-server/user/createsubmit.action
> 
> type: Status report
> 
> message: /my-server/user/createsubmit.action
> 
> description: The requested resource (/my-server/user/createsubmit.action) is not available.
> 
> Apache Tomcat/7.0.27

while with Struts 2.3.15.1 this was working okay. (I'm attaching the
struts.xml section for reference, although it's obvious that that must
be okay since it hasn't changed for the update.)

Is there a way to fix this other than to write a custom ActionMapper as
proposed in the Security Bulletin for S2-018 (see link below)?

Any advice muchly appreciated, since I would like to get the security
threat out of the way.

Markus

http://struts.apache.org/release/2.3.x/docs/s2-018.html


struts.xml:
  <package name="usermanagement" extends="my-server" namespace="/user"
           strict-method-invocation="true">

    <action name="createsubmit" method="createsubmit"
            class="de.knipp.telnic.nsp.web.action.user.UserAction">
      <result name="success" type="freemarker">
        /user/create_success.ftl
      </result>
      <result name="error" type="freemarker">
        /user/create.ftl
      </result>
      <result name="input" type="freemarker">
        /user/create.ftl
      </result>
      <result name="noaccess" type="freemarker">
        /user/error.ftl
      </result>
    </action>
  </package> <!-- end of package usermanagement -->

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: S2-018, Struts 2.3.15.2: action: prefix for buttons not working after upgrade to Struts 2.3.15.2

Posted by Markus Fischer <Ma...@knipp.de>.
Hi Greg.

> So the statement about Backwards Compatibility on
> http://struts.apache.org/release/2.3.x/docs/s2-018.html  is incorrect?
> 
> *Backward Compatibility*
> After upgrading to Struts >= 2.3.15.2, applications using the "action:"
> should still work as expected.
> 
> This doesn't appear to be true.

You are right, there is a bug in Struts 2.3.15.2 that breaks the
"action:" functionality. According to Lukasz Lenart, a fix is currently
under review and will hopefully be available soon.

Regards,
Markus



Re: S2-018, Struts 2.3.15.2: action: prefix for buttons not working after upgrade to Struts 2.3.15.2

Posted by Greg Lindholm <gr...@gmail.com>.
So the statement about Backwards Compatibility on
http://struts.apache.org/release/2.3.x/docs/s2-018.html  is incorrect?

*Backward Compatibility*
After upgrading to Struts >= 2.3.15.2, applications using the "action:"
should still work as expected.

This doesn't appear to be true.


On Wed, Oct 9, 2013 at 5:10 AM, Markus Fischer <Ma...@knipp.de> wrote:

>
> >> Do you have any idea when a release fixing the issue can be
> >> available? And is there any chance to get more information about the
> >> specifics of the vulnerability behind S2-018?
> >
> > It should be soon, patch is under review. I cannot share any details
> > now about the vulnerability.
>
> Many thanks, Lukasz.
>
> >> We are currently considering to filter out "action:" elements via URL
> >> rewriting, but without knowing any further details we cannot be sure
> >> that that will prevent the potential exploit.
> >
> > I'm not sure what you mean by "filter out by url rewriting" but maybe
> > you could share your solution here? And it looks like the right
> > direction.
>
> I'll check if that is feasible and post here if I think it can be useful
> for someone else.
>
> Best regards,
> Markus
>

Re: S2-018, Struts 2.3.15.2: action: prefix for buttons not working after upgrade to Struts 2.3.15.2

Posted by Markus Fischer <Ma...@knipp.de>.
>> Do you have any idea when a release fixing the issue can be
>> available? And is there any chance to get more information about the
>> specifics of the vulnerability behind S2-018?
> 
> It should be soon, patch is under review. I cannot share any details
> now about the vulnerability.

Many thanks, Lukasz.

>> We are currently considering to filter out "action:" elements via URL
>> rewriting, but without knowing any further details we cannot be sure
>> that that will prevent the potential exploit.
> 
> I'm not sure what you mean by "filter out by url rewriting" but maybe
> you could share your solution here? And it looks like the right
> direction.

I'll check if that is feasible and post here if I think it can be useful
for someone else.

Best regards,
Markus



Re: S2-018, Struts 2.3.15.2: action: prefix for buttons not working after upgrade to Struts 2.3.15.2

Posted by Lukasz Lenart <lu...@apache.org>.
2013/10/9 Markus Fischer <Ma...@knipp.de>:
> Hi Lukasz,
>
>> There is no other way - you must wait for new release (hope soon) or
>> write custom action mapper.
>
> many thanks for your fast reply and your continuing efforts in
> supporting the Struts community.
>
> Do you have any idea when a release fixing the issue can be
> available? And is there any chance to get more information about the
> specifics of the vulnerability behind S2-018?

It should be soon, patch is under review. I cannot share any details
now about the vulnerability.

> We are currently considering to filter out "action:" elements via URL
> rewriting, but without knowing any further details we cannot be sure
> that that will prevent the potential exploit.

I'm not sure what you mean by "filter out by url rewriting" but maybe
you could share your solution here? And it looks like the right
direction.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: S2-018, Struts 2.3.15.2: action: prefix for buttons not working after upgrade to Struts 2.3.15.2

Posted by Markus Fischer <Ma...@knipp.de>.
Hi Lukasz,

> There is no other way - you must wait for new release (hope soon) or
> write custom action mapper.

many thanks for your fast reply and your continuing efforts in
supporting the Struts community.

Do you have any idea when a release fixing the issue can be
available? And is there any chance to get more information about the
specifics of the vulnerability behind S2-018?

We are currently considering to filter out "action:" elements via URL
rewriting, but without knowing any further details we cannot be sure
that that will prevent the potential exploit.

Thanks,
Markus

[1] S2-018: http://struts.apache.org/release/2.3.x/docs/s2-018.html
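As an added illustration of the "filter out 'action:' elements" idea Markus floats above (example code written for this page, not from the thread, from Struts or from the S2-018 bulletin): a servlet filter that allowlists the action names an "action:"-prefixed parameter may target and rejects everything else before Struts maps the request. It assumes the Servlet 3.0 API that Tomcat 7 provides and a hypothetical class name, ActionPrefixFilter.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not part of Struts): an "action:"-prefixed parameter is
// let through only if the action it names is on an explicit allowlist. Map it
// in web.xml before StrutsPrepareAndExecuteFilter so it runs ahead of Struts.
public class ActionPrefixFilter implements Filter {
    static final String PREFIX = "action:";
    // Assumed allowlist: the action names from the thread's struts.xml that are
    // legitimately reached through "action:" submit buttons.
    private final Set<String> allowedActions =
            new HashSet<String>(Arrays.asList("createsubmit"));

    // True if the parameter carries no prefix, or names an allowlisted action.
    boolean isAcceptable(String parameterName) {
        if (!parameterName.startsWith(PREFIX)) {
            return true;
        }
        String target = parameterName.substring(PREFIX.length());
        // Exact match only: no "!method" suffix, no path separators, no wildcards.
        return allowedActions.contains(target);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        for (String name : Collections.list(req.getParameterNames())) {
            if (!isAcceptable(name)) {
                // Reject rather than rewrite, so nothing unexpected reaches the mapper.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Such a filter only narrows exposure while the set of button-driven actions is small and fully enumerated; it does not restore the prefix handling that 2.3.15.2 broke, so the release Lukasz refers to remains the actual fix.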




Re: S2-018, Struts 2.3.15.2: action: prefix for buttons not working after upgrade to Struts 2.3.15.2

Posted by Lukasz Lenart <lu...@apache.org>.
There is no other way - you must wait for new release (hope soon) or
write custom action mapper.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2013/10/2 Markus Fischer <Ma...@knipp.de>:
> Hi everyone,
>
> I have just upgraded a web application from Struts 2.3.15.1 to Struts
> 2.3.15.2 (running on Tomcat 7.0.27). Now, for any button using the
> "action:" prefix as described in S2-018, the action mapping does not
> work anymore. I.e., Backward Compatibility for the "action:" prefix
> is not given, at least not in my use case.
>
> Example: Clicking the following button...
>
>>  <button type="submit" name="action:createsubmit"
>>    id="..." value="..." class="...">Create</button>
>
> ...yields this 404 report:
>> HTTP Status 404 - /my-server/user/createsubmit.action
>>
>> type: Status report
>>
>> message: /my-server/user/createsubmit.action
>>
>> description: The requested resource (/my-server/user/createsubmit.action) is not available.
>>
>> Apache Tomcat/7.0.27
>
> while with Struts 2.3.15.1 this was working okay. (I'm attaching the
> struts.xml section for reference, although it's obvious that that must
> be okay since it hasn't changed for the update.)
>
> Is there a way to fix this other than to write a custom ActionMapper as
> proposed in the Security Bulletin for S2-018 (see link below)?
>
> Any advice muchly appreciated, since I would like to get the security
> threat out of the way.
>
> Markus
>
> http://struts.apache.org/release/2.3.x/docs/s2-018.html
>
>
> struts.xml:
>   <package name="usermanagement" extends="my-server" namespace="/user"
>            strict-method-invocation="true">
>
>     <action name="createsubmit" method="createsubmit"
>             class="de.knipp.telnic.nsp.web.action.user.UserAction">
>       <result name="success" type="freemarker">
>         /user/create_success.ftl
>       </result>
>       <result name="error" type="freemarker">
>         /user/create.ftl
>       </result>
>       <result name="input" type="freemarker">
>         /user/create.ftl
>       </result>
>       <result name="noaccess" type="freemarker">
>         /user/error.ftl
>       </result>
>     </action>
>   </package> <!-- end of package usermanagement -->
>
