You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@struts.apache.org by lu...@apache.org on 2017/03/20 07:05:16 UTC
[01/13] struts-extras git commit: Ignores OSX's related hidden files
Repository: struts-extras
Updated Branches:
refs/heads/master ba188e22e -> 8b29f9053
Ignores OSX's related hidden files
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/4d4b880e
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/4d4b880e
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/4d4b880e
Branch: refs/heads/master
Commit: 4d4b880e23509486735995c8387673771c3f5ccb
Parents: ba188e2
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Sat Mar 18 09:45:21 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Sat Mar 18 09:45:21 2017 +0100
----------------------------------------------------------------------
.gitignore | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/4d4b880e/.gitignore
----------------------------------------------------------------------
diff --git a/.gitignore b/.gitignore
index cfd4cea..9d56b9a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
.idea
*.iml
target
-.java-version
\ No newline at end of file
+.java-version
+.DS_Store
[13/13] struts-extras git commit: [maven-release-plugin] rollback the
release of struts2-secure-jakarta-multipart-parser-plugin-1.0
Posted by lu...@apache.org.
[maven-release-plugin] rollback the release of struts2-secure-jakarta-multipart-parser-plugin-1.0
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/8b29f905
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/8b29f905
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/8b29f905
Branch: refs/heads/master
Commit: 8b29f9053f5be916c2c9e1eb9164de791fd0cb61
Parents: f6ee070
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Mon Mar 20 08:04:50 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Mon Mar 20 08:04:50 2017 +0100
----------------------------------------------------------------------
struts2-secure-jakarta-multipart-parser-plugin/pom.xml | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/8b29f905/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/pom.xml b/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
index ca97492..e73996a 100644
--- a/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
+++ b/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
@@ -17,7 +17,8 @@
specific language governing permissions and limitations
under the License.
-->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<parent>
<groupId>org.apache.struts</groupId>
@@ -28,7 +29,7 @@
<modelVersion>4.0.0</modelVersion>
<artifactId>struts2-secure-jakarta-multipart-parser-plugin</artifactId>
- <version>1.0</version>
+ <version>1.0-SNAPSHOT</version>
<packaging>jar</packaging>
<name>Struts 2.3.8 - 2.5.5 secure Jakarta Multipart parser plugin</name>
@@ -64,8 +65,4 @@
</plugins>
</build>
-
- <scm>
- <tag>struts2-secure-jakarta-multipart-parser-plugin-1.0</tag>
- </scm>
</project>
[05/13] struts-extras git commit: Creates a plugin to allow mitigate
vulnerability with S2-045 in older versions of Struts when using
jakarta-stream Multipart parser
Posted by lu...@apache.org.
Creates a plugin to allow mitigate vulnerability with S2-045 in older versions of Struts when using jakarta-stream Multipart parser
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/1cd42a60
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/1cd42a60
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/1cd42a60
Branch: refs/heads/master
Commit: 1cd42a6080dac524bd572e79f0c89b018b0c01a8
Parents: bd18c11
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Sat Mar 18 14:54:34 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Sat Mar 18 14:54:34 2017 +0100
----------------------------------------------------------------------
.../pom.xml | 75 +++
.../SecureJakartaStreamMultiPartRequest.java | 617 +++++++++++++++++++
.../src/main/resources/struts-plugin.xml | 33 +
3 files changed, 725 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1cd42a60/struts2-secure-jakarta-stream-multipart-parser-plugin/pom.xml
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-stream-multipart-parser-plugin/pom.xml b/struts2-secure-jakarta-stream-multipart-parser-plugin/pom.xml
new file mode 100644
index 0000000..f9fcada
--- /dev/null
+++ b/struts2-secure-jakarta-stream-multipart-parser-plugin/pom.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+ <parent>
+ <groupId>org.apache.struts</groupId>
+ <artifactId>struts-master</artifactId>
+ <version>10</version>
+ </parent>
+
+ <modelVersion>4.0.0</modelVersion>
+
+ <artifactId>struts2-secure-jakarta-stream-multipart-parser-plugin</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ <packaging>jar</packaging>
+ <name>Struts 2.3.20 - 2.5.5 secure Jakarta stream Multipart parser plugin</name>
+
+ <description>
+ This plugin allows to fix a vulnerability S2-045 without a need to migrate to the latest Struts versions
+ </description>
+
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+
+ <dependencies>
+
+ <dependency>
+ <groupId>org.apache.struts</groupId>
+ <artifactId>struts2-core</artifactId>
+ <version>2.3.20</version>
+ <optional>true</optional>
+ </dependency>
+
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ <version>2.4</version>
+ <scope>provided</scope>
+ </dependency>
+
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>1.6</source>
+ <target>1.6</target>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
+</project>
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1cd42a60/struts2-secure-jakarta-stream-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaStreamMultiPartRequest.java
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-stream-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaStreamMultiPartRequest.java b/struts2-secure-jakarta-stream-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaStreamMultiPartRequest.java
new file mode 100644
index 0000000..3acc55d
--- /dev/null
+++ b/struts2-secure-jakarta-stream-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaStreamMultiPartRequest.java
@@ -0,0 +1,617 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts.extras;
+
+import com.opensymphony.xwork2.LocaleProvider;
+import com.opensymphony.xwork2.inject.Inject;
+import com.opensymphony.xwork2.util.LocalizedTextUtil;
+import com.opensymphony.xwork2.util.logging.Logger;
+import com.opensymphony.xwork2.util.logging.LoggerFactory;
+import org.apache.commons.fileupload.FileItemIterator;
+import org.apache.commons.fileupload.FileItemStream;
+import org.apache.commons.fileupload.FileUploadBase;
+import org.apache.commons.fileupload.servlet.ServletFileUpload;
+import org.apache.commons.fileupload.util.Streams;
+import org.apache.struts2.StrutsConstants;
+import org.apache.struts2.dispatcher.multipart.MultiPartRequest;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+public class SecureJakartaStreamMultiPartRequest implements MultiPartRequest {
+
+ private static final Logger LOG = LoggerFactory.getLogger(SecureJakartaStreamMultiPartRequest.class);
+
+ /**
+ * Defines the internal buffer size used during streaming operations.
+ */
+ private static final int BUFFER_SIZE = 10240;
+
+ /**
+ * Map between file fields and file data.
+ */
+ private Map<String, List<FileInfo>> fileInfos = new HashMap<String, List<FileInfo>>();
+
+ /**
+ * Map between non-file fields and values.
+ */
+ private Map<String, List<String>> parameters = new HashMap<String, List<String>>();
+
+ /**
+ * Internal list of raised errors to be passed to the the Struts2 framework.
+ */
+ private List<String> errors = new ArrayList<String>();
+
+ /**
+ * Internal list of non-critical messages to be passed to the Struts2 framework.
+ */
+ private List<String> messages = new ArrayList<String>();
+
+ /**
+ * Specifies the maximum size of the entire request.
+ */
+ private Long maxSize;
+
+ /**
+ * Specifies the buffer size to use during streaming.
+ */
+ private int bufferSize = BUFFER_SIZE;
+
+ /**
+ * Localization to be used regarding errors.
+ */
+ private Locale defaultLocale = Locale.ENGLISH;
+
+ /**
+ * Injects the Struts multiple part maximum size.
+ *
+ * @param maxSize
+ */
+ @Inject(StrutsConstants.STRUTS_MULTIPART_MAXSIZE)
+ public void setMaxSize(String maxSize) {
+ this.maxSize = Long.parseLong(maxSize);
+ }
+
+ /**
+ * Sets the buffer size to be used.
+ *
+ * @param bufferSize
+ */
+ @Inject(value = StrutsConstants.STRUTS_MULTIPART_BUFFERSIZE, required = false)
+ public void setBufferSize(String bufferSize) {
+ this.bufferSize = Integer.parseInt(bufferSize);
+ }
+
+ /**
+ * Injects the Struts locale provider.
+ *
+ * @param provider
+ */
+ @Inject
+ public void setLocaleProvider(LocaleProvider provider) {
+ defaultLocale = provider.getLocale();
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#cleanUp()
+ */
+ public void cleanUp() {
+ LOG.debug("Performing File Upload temporary storage cleanup.");
+ for (String fieldName : fileInfos.keySet()) {
+ for (FileInfo fileInfo : fileInfos.get(fieldName)) {
+ File file = fileInfo.getFile();
+ LOG.debug("Deleting file '#0'.", file.getName());
+ if (!file.delete())
+ LOG.warn("There was a problem attempting to delete file '#0'.", file.getName());
+ }
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getContentType(java.lang.String)
+ */
+ public String[] getContentType(String fieldName) {
+ List<FileInfo> infos = fileInfos.get(fieldName);
+ if (infos == null)
+ return null;
+
+ List<String> types = new ArrayList<String>(infos.size());
+ for (FileInfo fileInfo : infos)
+ types.add(fileInfo.getContentType());
+
+ return types.toArray(new String[types.size()]);
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getErrors()
+ */
+ public List<String> getErrors() {
+ return errors;
+ }
+
+ /**
+ * Allows interceptor to fetch non-critical messages that can be passed to the action.
+ *
+ * @return
+ */
+ public List<String> getMesssages() {
+ return messages;
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFile(java.lang.String)
+ */
+ public File[] getFile(String fieldName) {
+ List<FileInfo> infos = fileInfos.get(fieldName);
+ if (infos == null)
+ return null;
+
+ List<File> files = new ArrayList<File>(infos.size());
+ for (FileInfo fileInfo : infos)
+ files.add(fileInfo.getFile());
+
+ return files.toArray(new File[files.size()]);
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFileNames(java.lang.String)
+ */
+ public String[] getFileNames(String fieldName) {
+ List<FileInfo> infos = fileInfos.get(fieldName);
+ if (infos == null)
+ return null;
+
+ List<String> names = new ArrayList<String>(infos.size());
+ for (FileInfo fileInfo : infos)
+ names.add(getCanonicalName(fileInfo.getOriginalName()));
+
+ return names.toArray(new String[names.size()]);
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFileParameterNames()
+ */
+ public Enumeration<String> getFileParameterNames() {
+ return Collections.enumeration(fileInfos.keySet());
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFilesystemName(java.lang.String)
+ */
+ public String[] getFilesystemName(String fieldName) {
+ List<FileInfo> infos = fileInfos.get(fieldName);
+ if (infos == null)
+ return null;
+
+ List<String> names = new ArrayList<String>(infos.size());
+ for (FileInfo fileInfo : infos)
+ names.add(fileInfo.getFile().getName());
+
+ return names.toArray(new String[names.size()]);
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameter(java.lang.String)
+ */
+ public String getParameter(String name) {
+ List<String> values = parameters.get(name);
+ if (values != null && values.size() > 0)
+ return values.get(0);
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameterNames()
+ */
+ public Enumeration<String> getParameterNames() {
+ return Collections.enumeration(parameters.keySet());
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameterValues(java.lang.String)
+ */
+ public String[] getParameterValues(String name) {
+ List<String> values = parameters.get(name);
+ if (values != null && values.size() > 0)
+ return values.toArray(new String[values.size()]);
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#parse(javax.servlet.http.HttpServletRequest, java.lang.String)
+ */
+ public void parse(HttpServletRequest request, String saveDir)
+ throws IOException {
+ try {
+ setLocale(request);
+ processUpload(request, saveDir);
+ } catch (Exception e) {
+ e.printStackTrace();
+ String errorMessage = buildErrorMessage(e, new Object[]{});
+ if (!errors.contains(errorMessage))
+ errors.add(errorMessage);
+ }
+ }
+
+ /**
+ * Inspect the servlet request and set the locale if one wasn't provided by
+ * the Struts2 framework.
+ *
+ * @param request
+ */
+ protected void setLocale(HttpServletRequest request) {
+ if (defaultLocale == null)
+ defaultLocale = request.getLocale();
+ }
+
+ /**
+ * Processes the upload.
+ *
+ * @param request
+ * @param saveDir
+ * @throws Exception
+ */
+ private void processUpload(HttpServletRequest request, String saveDir)
+ throws Exception {
+
+ // Sanity check that the request is a multi-part/form-data request.
+ if (ServletFileUpload.isMultipartContent(request)) {
+
+ // Sanity check on request size.
+ boolean requestSizePermitted = isRequestSizePermitted(request);
+
+ // Interface with Commons FileUpload API
+ // Using the Streaming API
+ ServletFileUpload servletFileUpload = new ServletFileUpload();
+ FileItemIterator i = servletFileUpload.getItemIterator(request);
+
+ // Iterate the file items
+ while (i.hasNext()) {
+ try {
+ FileItemStream itemStream = i.next();
+
+ // If the file item stream is a form field, delegate to the
+ // field item stream handler
+ if (itemStream.isFormField()) {
+ processFileItemStreamAsFormField(itemStream);
+ }
+
+ // Delegate the file item stream for a file field to the
+ // file item stream handler, but delegation is skipped
+ // if the requestSizePermitted check failed based on the
+ // complete content-size of the request.
+ else {
+
+ // prevent processing file field item if request size not allowed.
+ // also warn user in the logs.
+ if (!requestSizePermitted) {
+ addFileSkippedError(itemStream.getName(), request);
+ LOG.warn("Skipped stream '#0', request maximum size (#1) exceeded.", itemStream.getName(), maxSize);
+ continue;
+ }
+
+ processFileItemStreamAsFileField(itemStream, saveDir);
+ }
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ }
+ }
+ }
+
+ /**
+ * Defines whether the request allowed based on content length.
+ *
+ * @param request
+ * @return
+ */
+ private boolean isRequestSizePermitted(HttpServletRequest request) {
+ // if maxSize is specified as -1, there is no sanity check and it's
+ // safe to return true for any request, delegating the failure
+ // checks later in the upload process.
+ if (maxSize == -1 || request == null)
+ return true;
+
+ return request.getContentLength() < maxSize;
+ }
+
+ /**
+ * Get the request content length.
+ *
+ * @param request
+ * @return
+ */
+ private long getRequestSize(HttpServletRequest request) {
+ long requestSize = 0;
+ if (request != null)
+ requestSize = request.getContentLength();
+ return requestSize;
+ }
+
+ /**
+ * Add a file skipped message notification for action messages.
+ *
+ * @param fileName
+ * @param request
+ */
+ private void addFileSkippedError(String fileName, HttpServletRequest request) {
+ String exceptionMessage = "Skipped file " + fileName + "; request size limit exceeded.";
+ FileUploadBase.FileSizeLimitExceededException exception = new FileUploadBase.FileSizeLimitExceededException(exceptionMessage, getRequestSize(request), maxSize);
+ String message = buildMessage(exception, new Object[]{fileName, getRequestSize(request), maxSize});
+ if (!errors.contains(message))
+ errors.add(message);
+ }
+
+ /**
+ * Processes the FileItemStream as a Form Field.
+ *
+ * @param itemStream
+ */
+ private void processFileItemStreamAsFormField(FileItemStream itemStream) {
+ String fieldName = itemStream.getFieldName();
+ try {
+ List<String> values = null;
+ String fieldValue = Streams.asString(itemStream.openStream());
+ if (!parameters.containsKey(fieldName)) {
+ values = new ArrayList<String>();
+ parameters.put(fieldName, values);
+ } else {
+ values = parameters.get(fieldName);
+ }
+ values.add(fieldValue);
+ } catch (IOException e) {
+ e.printStackTrace();
+ LOG.warn("Failed to handle form field '#0'.", fieldName);
+ }
+ }
+
+ /**
+ * Processes the FileItemStream as a file field.
+ *
+ * @param itemStream
+ * @param location
+ */
+ private void processFileItemStreamAsFileField(FileItemStream itemStream, String location) {
+ File file = null;
+ try {
+ // Create the temporary upload file.
+ file = createTemporaryFile(itemStream.getName(), location);
+
+ if (streamFileToDisk(itemStream, file))
+ createFileInfoFromItemStream(itemStream, file);
+ } catch (IOException e) {
+ if (file != null) {
+ try {
+ file.delete();
+ } catch (SecurityException se) {
+ se.printStackTrace();
+ LOG.warn("Failed to delete '#0' due to security exception above.", file.getName());
+ }
+ }
+ }
+ }
+
+ /**
+ * Creates a temporary file based on the given filename and location.
+ *
+ * @param fileName
+ * @param location
+ * @return
+ * @throws IOException
+ */
+ private File createTemporaryFile(String fileName, String location)
+ throws IOException {
+ String name = fileName
+ .substring(fileName.lastIndexOf('/') + 1)
+ .substring(fileName.lastIndexOf('\\') + 1);
+
+ String prefix = name;
+ String suffix = "";
+
+ if (name.contains(".")) {
+ prefix = name.substring(0, name.lastIndexOf('.'));
+ suffix = name.substring(name.lastIndexOf('.'));
+ }
+
+ File file = File.createTempFile(prefix + "_", suffix, new File(location));
+ LOG.debug("Creating temporary file '#0' (originally '#1').", file.getName(), fileName);
+ return file;
+ }
+
+ /**
+ * Streams the file upload stream to the specified file.
+ *
+ * @param itemStream
+ * @param file
+ * @return
+ * @throws IOException
+ */
+ private boolean streamFileToDisk(FileItemStream itemStream, File file) throws IOException {
+ boolean result = false;
+ InputStream input = itemStream.openStream();
+ OutputStream output = null;
+ try {
+ output = new BufferedOutputStream(new FileOutputStream(file), bufferSize);
+ byte[] buffer = new byte[bufferSize];
+ LOG.debug("Streaming file using buffer size #0.", bufferSize);
+ for (int length = 0; ((length = input.read(buffer)) > 0); )
+ output.write(buffer, 0, length);
+ result = true;
+ } finally {
+ if (output != null) {
+ try {
+ output.close();
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ }
+ if (input != null) {
+ try {
+ input.close();
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ }
+ }
+ return result;
+ }
+
+ /**
+ * Creates an internal <code>FileInfo</code> structure used to pass information
+ * to the <code>FileUploadInterceptor</code> during the interceptor stack
+ * invocation process.
+ *
+ * @param itemStream
+ * @param file
+ */
+ private void createFileInfoFromItemStream(FileItemStream itemStream, File file) {
+ // gather attributes from file upload stream.
+ String fileName = itemStream.getName();
+ String fieldName = itemStream.getFieldName();
+ // create internal structure
+ FileInfo fileInfo = new FileInfo(file, itemStream.getContentType(), fileName);
+ // append or create new entry.
+ if (!fileInfos.containsKey(fieldName)) {
+ List<FileInfo> infos = new ArrayList<FileInfo>();
+ infos.add(fileInfo);
+ fileInfos.put(fieldName, infos);
+ } else {
+ fileInfos.get(fieldName).add(fileInfo);
+ }
+ }
+
+ /**
+ * Get the canonical name based on the supplied filename.
+ *
+ * @param fileName
+ * @return
+ */
+ private String getCanonicalName(String fileName) {
+ int forwardSlash = fileName.lastIndexOf("/");
+ int backwardSlash = fileName.lastIndexOf("\\");
+ if (forwardSlash != -1 && forwardSlash > backwardSlash) {
+ fileName = fileName.substring(forwardSlash + 1, fileName.length());
+ } else {
+ fileName = fileName.substring(backwardSlash + 1, fileName.length());
+ }
+ return fileName;
+ }
+
+ /**
+ * Build error message.
+ *
+ * @param e
+ * @param args
+ * @return
+ */
+ private String buildErrorMessage(Throwable e, Object[] args) {
+ String errorKey = "struts.message.upload.error." + e.getClass().getSimpleName();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Preparing error message for key: [#0]", errorKey);
+ }
+
+ if (LocalizedTextUtil.findText(this.getClass(), errorKey, defaultLocale, null, new Object[0]) == null) {
+ return LocalizedTextUtil.findText(this.getClass(), "struts.messages.error.uploading", defaultLocale, null, new Object[]{e.getMessage()});
+ } else {
+ return LocalizedTextUtil.findText(this.getClass(), errorKey, defaultLocale, null, args);
+ }
+ }
+
+ /**
+ * Build action message.
+ *
+ * @param e
+ * @param args
+ * @return
+ */
+ private String buildMessage(Throwable e, Object[] args) {
+ String messageKey = "struts.message.upload.message." + e.getClass().getSimpleName();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Preparing message for key: [#0]", messageKey);
+ }
+
+ if (LocalizedTextUtil.findText(this.getClass(), messageKey, defaultLocale, null, new Object[0]) == null) {
+ return LocalizedTextUtil.findText(this.getClass(), "struts.messages.error.uploading", defaultLocale, null, new Object[]{e.getMessage()});
+ } else {
+ return LocalizedTextUtil.findText(this.getClass(), messageKey, defaultLocale, null, args);
+ }
+ }
+
+ /**
+ * Internal data structure used to store a reference to information needed
+ * to later pass post processing data to the <code>FileUploadInterceptor</code>.
+ *
+ * @version $Revision$
+ * @since 7.0.0
+ */
+ private static class FileInfo implements Serializable {
+
+ private File file;
+ private String contentType;
+ private String originalName;
+
+ /**
+ * Default constructor.
+ *
+ * @param file
+ * @param contentType
+ * @param originalName
+ */
+ public FileInfo(File file, String contentType, String originalName) {
+ this.file = file;
+ this.contentType = contentType;
+ this.originalName = originalName;
+ }
+
+ /**
+ * @return
+ */
+ public File getFile() {
+ return file;
+ }
+
+ /**
+ * @return
+ */
+ public String getContentType() {
+ return contentType;
+ }
+
+ /**
+ * @return
+ */
+ public String getOriginalName() {
+ return originalName;
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1cd42a60/struts2-secure-jakarta-stream-multipart-parser-plugin/src/main/resources/struts-plugin.xml
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-stream-multipart-parser-plugin/src/main/resources/struts-plugin.xml b/struts2-secure-jakarta-stream-multipart-parser-plugin/src/main/resources/struts-plugin.xml
new file mode 100644
index 0000000..de48c95
--- /dev/null
+++ b/struts2-secure-jakarta-stream-multipart-parser-plugin/src/main/resources/struts-plugin.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<!DOCTYPE struts PUBLIC
+ "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+ "http://struts.apache.org/dtds/struts-2.3.dtd">
+
+<struts>
+
+ <bean type="org.apache.struts2.dispatcher.multipart.MultiPartRequest"
+ class="org.apache.struts.extras.SecureJakartaStreamMultiPartRequest"
+ name="secure-jakarta-stream"
+ scope="prototype"/>
+
+ <constant name="struts.multipart.parser" value="secure-jakarta-stream"/>
+
+</struts>
[06/13] struts-extras git commit: Adds more detailed readme with
explanation how to use the plugin
Posted by lu...@apache.org.
Adds more detailed readme with explanation how to use the plugin
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/29f42319
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/29f42319
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/29f42319
Branch: refs/heads/master
Commit: 29f423199d19f52aad8f4241a34eae418fff6667
Parents: 1cd42a6
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Sat Mar 18 14:54:58 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Sat Mar 18 14:54:58 2017 +0100
----------------------------------------------------------------------
.../README.md | 30 ++++++++++++++++++++
1 file changed, 30 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/29f42319/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md b/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
new file mode 100644
index 0000000..c37e0a8
--- /dev/null
+++ b/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
@@ -0,0 +1,30 @@
+# Apache Struts 2 Extras - Secure Jakarta Stream Multipart parser plugin
+
+This plugin provides a safe implementation of the Jakarta Stream Multipart parser from the Struts Core. It can be used
+to mitigate vulnerability described in the [S2-045](http://struts.apache.org/docs/s2-045.html) Security Bulletin.
+
+You should use this plugin in case you are not able to migrated to the latest Struts version.
+
+## Supported versions
+
+This plugins can be used with the Apache Struts versions 2.5.20 till 2.5.5, if you are running the Apache Struts 2.5.8+
+you must migrate to the latest version which is [Struts 2.5.10.1](http://struts.apache.org/announce.html#a20170307).
+
+## How to use it
+
+Just drop the jar into `WEB-INF/libs` folder and restart your application, you can use on of the existing PoCs
+to test if everything is ok.
+
+If you are using Maven to build your project, please add the following dependency into your pom:
+
+```xml
+<dependency>
+ <groupId>org.apache.struts</groupId>
+ <artifactId>struts2-secure-jakarta-multipart-parser-plugin</artifactId>
+ <version>[VERSION]</version>
+</dependency>
+```
+
+## Remarks
+
+Please be aware that this is just a temporary solution, you should consider migration to the latest version anyway.
[11/13] struts-extras git commit: Updates example Maven dependency
with proper artifactId
Posted by lu...@apache.org.
Updates example Maven dependency with proper artifactId
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/b16db50e
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/b16db50e
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/b16db50e
Branch: refs/heads/master
Commit: b16db50ea786435d05ad0f161c2ca64f01b3dfc3
Parents: 9eafdc5
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Mon Mar 20 07:43:22 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Mon Mar 20 07:43:22 2017 +0100
----------------------------------------------------------------------
struts2-secure-jakarta-stream-multipart-parser-plugin/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/b16db50e/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md b/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
index 0f27ce5..2e28f60 100644
--- a/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
+++ b/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
@@ -23,7 +23,7 @@ If you are using Maven to build your project, please add the following dependenc
```xml
<dependency>
<groupId>org.apache.struts</groupId>
- <artifactId>struts2-secure-jakarta-multipart-parser-plugin</artifactId>
+ <artifactId>struts2-secure-jakarta--stream-multipart-parser-plugin</artifactId>
<version>[VERSION]</version>
</dependency>
```
[03/13] struts-extras git commit: Creates a plugin to allow mitigate
vulnerability with S2-045 in older versions of Struts
Posted by lu...@apache.org.
Creates a plugin to allow mitigate vulnerability with S2-045 in older versions of Struts
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/1aa4a9c9
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/1aa4a9c9
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/1aa4a9c9
Branch: refs/heads/master
Commit: 1aa4a9c92933c5e57ffb8001bf97f7bb6d848daa
Parents: 666d5da
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Sat Mar 18 14:53:18 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Sat Mar 18 14:53:18 2017 +0100
----------------------------------------------------------------------
.../pom.xml | 68 ++++++++++++++++++++
.../extras/SecureJakartaMultipartParser.java | 59 +++++++++++++++++
.../src/main/resources/struts-plugin.xml | 33 ++++++++++
3 files changed, 160 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1aa4a9c9/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/pom.xml b/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
new file mode 100644
index 0000000..e73996a
--- /dev/null
+++ b/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+ <parent>
+ <groupId>org.apache.struts</groupId>
+ <artifactId>struts-master</artifactId>
+ <version>10</version>
+ </parent>
+
+ <modelVersion>4.0.0</modelVersion>
+
+ <artifactId>struts2-secure-jakarta-multipart-parser-plugin</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ <packaging>jar</packaging>
+ <name>Struts 2.3.8 - 2.5.5 secure Jakarta Multipart parser plugin</name>
+
+ <description>
+ This plugin allows to fix a vulnerability S2-045 without a need to migrate to the latest Struts versions
+ </description>
+
+ <dependencies>
+
+ <dependency>
+ <groupId>org.apache.struts</groupId>
+ <artifactId>struts2-core</artifactId>
+ <version>2.3.8</version>
+ <optional>true</optional>
+ </dependency>
+
+ </dependencies>
+
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>1.6</source>
+ <target>1.6</target>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
+</project>
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1aa4a9c9/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java b/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
new file mode 100644
index 0000000..acd6b4d
--- /dev/null
+++ b/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.struts.extras;
+
+import com.opensymphony.xwork2.LocaleProvider;
+import com.opensymphony.xwork2.inject.Inject;
+import com.opensymphony.xwork2.util.LocalizedTextUtil;
+import com.opensymphony.xwork2.util.logging.Logger;
+import com.opensymphony.xwork2.util.logging.LoggerFactory;
+import org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest;
+
+import java.util.Locale;
+
+public class SecureJakartaMultipartParser extends JakartaMultiPartRequest {
+
+ private static final Logger LOG = LoggerFactory.getLogger(SecureJakartaMultipartParser.class);
+
+ private Locale defaultLocale;
+
+ public SecureJakartaMultipartParser() {
+ LOG.info("This is a secure implementation of the Struts Jakarta Multipart parser, " +
+ "this implementation is safe against vulnerability described in the S2-045 Security Bulletin.");
+ }
+
+ @Inject
+ public void setLocaleProvider(LocaleProvider provider) {
+ defaultLocale = provider.getLocale();
+ }
+
+ protected String buildErrorMessage(Throwable e, Object[] args) {
+ String errorKey = "struts.messages.upload.error." + e.getClass().getSimpleName();
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Preparing error message for key: [#0]", errorKey);
+ }
+
+ if (LocalizedTextUtil.findText(this.getClass(), errorKey, defaultLocale, null, new Object[0]) == null) {
+ return LocalizedTextUtil.findText(this.getClass(), "struts.messages.error.uploading", defaultLocale, null, new Object[] { e.getMessage() });
+ } else {
+ return LocalizedTextUtil.findText(this.getClass(), errorKey, defaultLocale, null, args);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/1aa4a9c9/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml b/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml
new file mode 100644
index 0000000..ce13e08
--- /dev/null
+++ b/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<!DOCTYPE struts PUBLIC
+ "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+ "http://struts.apache.org/dtds/struts-2.3.dtd">
+
+<struts>
+
+ <bean type="org.apache.struts2.dispatcher.multipart.MultiPartRequest"
+ class="org.apache.struts.extras.SecureJakartaMultipartParser"
+ name="secure-jakarta"
+ scope="prototype"/>
+
+ <constant name="struts.multipart.parser" value="secure-jakarta"/>
+
+</struts>
[07/13] struts-extras git commit: Adds badges with license and
current version in the Maven Central
Posted by lu...@apache.org.
Adds badges with license and current version in the Maven Central
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/4954222d
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/4954222d
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/4954222d
Branch: refs/heads/master
Commit: 4954222d6b6d5d1c134e695bd26e5e3a401b97e5
Parents: 29f4231
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Sat Mar 18 14:59:12 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Sat Mar 18 14:59:12 2017 +0100
----------------------------------------------------------------------
README.md | 2 ++
struts2-secure-jakarta-multipart-parser-plugin/README.md | 3 +++
struts2-secure-jakarta-stream-multipart-parser-plugin/README.md | 3 +++
3 files changed, 8 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/4954222d/README.md
----------------------------------------------------------------------
diff --git a/README.md b/README.md
index 93c1da3..0bd5922 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
# The Apache Struts Extras
+[](http://www.apache.org/licenses/LICENSE-2.0.html)
+
This a subproject of the [Apache Struts](http://struts.apache.org/) project which provides different plugins,
mostly focused on fixing (if possibe) vulnerabilities in older versions of the framework.
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/4954222d/struts2-secure-jakarta-multipart-parser-plugin/README.md
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/README.md b/struts2-secure-jakarta-multipart-parser-plugin/README.md
index acaeb80..c8ca76a 100644
--- a/struts2-secure-jakarta-multipart-parser-plugin/README.md
+++ b/struts2-secure-jakarta-multipart-parser-plugin/README.md
@@ -1,5 +1,8 @@
# Apache Struts 2 Extras - secure Jakarta Multipart parser plugin
+[](https://maven-badges.herokuapp.com/maven-central/org.apache.struts/struts2-secure-jakarta-multipart-parser-plugin/)
+[](http://www.apache.org/licenses/LICENSE-2.0.html)
+
This plugin provides a safe implementation of the Jakarta Multipart parser from the Struts Core. It can be used
to mitigate vulnerability described in the [S2-045](http://struts.apache.org/docs/s2-045.html) Security Bulletin.
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/4954222d/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md b/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
index c37e0a8..0f27ce5 100644
--- a/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
+++ b/struts2-secure-jakarta-stream-multipart-parser-plugin/README.md
@@ -1,5 +1,8 @@
# Apache Struts 2 Extras - Secure Jakarta Stream Multipart parser plugin
+[](https://maven-badges.herokuapp.com/maven-central/org.apache.struts/struts2-secure-jakarta-stream-multipart-parser-plugin/)
+[](http://www.apache.org/licenses/LICENSE-2.0.html)
+
This plugin provides a safe implementation of the Jakarta Stream Multipart parser from the Struts Core. It can be used
to mitigate vulnerability described in the [S2-045](http://struts.apache.org/docs/s2-045.html) Security Bulletin.
[10/13] struts-extras git commit: Adds constructor with proper log
information about resolves vulnerabilities
Posted by lu...@apache.org.
Adds constructor with proper log information about resolves vulnerabilities
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/9eafdc5f
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/9eafdc5f
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/9eafdc5f
Branch: refs/heads/master
Commit: 9eafdc5fd6810d8b2387c0b9c0cf42d0ca735d0f
Parents: ef4bd11
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Mon Mar 20 07:42:15 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Mon Mar 20 07:42:15 2017 +0100
----------------------------------------------------------------------
.../struts/extras/SecureJakartaStreamMultiPartRequest.java | 5 +++++
1 file changed, 5 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/9eafdc5f/struts2-secure-jakarta-stream-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaStreamMultiPartRequest.java
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-stream-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaStreamMultiPartRequest.java b/struts2-secure-jakarta-stream-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaStreamMultiPartRequest.java
index 3acc55d..cbc06f9 100644
--- a/struts2-secure-jakarta-stream-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaStreamMultiPartRequest.java
+++ b/struts2-secure-jakarta-stream-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaStreamMultiPartRequest.java
@@ -91,6 +91,11 @@ public class SecureJakartaStreamMultiPartRequest implements MultiPartRequest {
*/
private Locale defaultLocale = Locale.ENGLISH;
+ public SecureJakartaStreamMultiPartRequest() {
+ LOG.info("This is a secure implementation of the Struts Jakarta Stream Multipart parser, " +
+ "this implementation is safe against vulnerability described in the S2-045/S2-046 Security Bulletins.");
+ }
+
/**
* Injects the Struts multiple part maximum size.
*
[08/13] struts-extras git commit: Defines constant to support Struts
2.3.8
Posted by lu...@apache.org.
Defines constant to support Struts 2.3.8
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/b8182e35
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/b8182e35
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/b8182e35
Branch: refs/heads/master
Commit: b8182e35efa59e4da781ed44f8bc4766e7a13311
Parents: 4954222
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Mon Mar 20 07:38:45 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Mon Mar 20 07:38:45 2017 +0100
----------------------------------------------------------------------
.../src/main/resources/struts-plugin.xml | 3 +++
1 file changed, 3 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/b8182e35/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml b/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml
index ce13e08..9fffba2 100644
--- a/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml
+++ b/struts2-secure-jakarta-multipart-parser-plugin/src/main/resources/struts-plugin.xml
@@ -28,6 +28,9 @@
name="secure-jakarta"
scope="prototype"/>
+ <!-- Struts 2.3.12+ -->
<constant name="struts.multipart.parser" value="secure-jakarta"/>
+ <!-- Struts 2.3.8 -->
+ <constant name="struts.multipart.handler" value="secure-jakarta"/>
</struts>
[02/13] struts-extras git commit: Adds basic readme describing the
project's purpose
Posted by lu...@apache.org.
Adds basic readme describing the project's purpose
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/666d5da4
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/666d5da4
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/666d5da4
Branch: refs/heads/master
Commit: 666d5da4d5480d8f75f94bd0d433bfdf8b44c5cd
Parents: 4d4b880
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Sat Mar 18 14:52:06 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Sat Mar 18 14:52:06 2017 +0100
----------------------------------------------------------------------
README.md | 13 +++++++++++++
1 file changed, 13 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/666d5da4/README.md
----------------------------------------------------------------------
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..93c1da3
--- /dev/null
+++ b/README.md
@@ -0,0 +1,13 @@
+# The Apache Struts Extras
+
+This a subproject of the [Apache Struts](http://struts.apache.org/) project which provides different plugins,
+mostly focused on fixing (if possibe) vulnerabilities in older versions of the framework.
+
+## List of plugins
+
+- [Apache Struts 2 Secure Jakarta Multipart parser plugin](struts2-secure-jakarta-multipart-parser-plugin/README.md)
+- [Apache Struts 2 Secure Jakarta Stream Multipart parser plugin](struts2-secure-jakarta-stream-multipart-parser-plugin/README.md)
+
+## License
+
+Release under Apache License 2.0
[12/13] struts-extras git commit: [maven-release-plugin] prepare
release struts2-secure-jakarta-multipart-parser-plugin-1.0
Posted by lu...@apache.org.
[maven-release-plugin] prepare release struts2-secure-jakarta-multipart-parser-plugin-1.0
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/f6ee0705
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/f6ee0705
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/f6ee0705
Branch: refs/heads/master
Commit: f6ee07056484054be7d16f79e87c0ca47f422f8e
Parents: b16db50
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Mon Mar 20 08:03:26 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Mon Mar 20 08:03:26 2017 +0100
----------------------------------------------------------------------
struts2-secure-jakarta-multipart-parser-plugin/pom.xml | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/f6ee0705/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/pom.xml b/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
index e73996a..ca97492 100644
--- a/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
+++ b/struts2-secure-jakarta-multipart-parser-plugin/pom.xml
@@ -17,8 +17,7 @@
specific language governing permissions and limitations
under the License.
-->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<parent>
<groupId>org.apache.struts</groupId>
@@ -29,7 +28,7 @@
<modelVersion>4.0.0</modelVersion>
<artifactId>struts2-secure-jakarta-multipart-parser-plugin</artifactId>
- <version>1.0-SNAPSHOT</version>
+ <version>1.0</version>
<packaging>jar</packaging>
<name>Struts 2.3.8 - 2.5.5 secure Jakarta Multipart parser plugin</name>
@@ -65,4 +64,8 @@
</plugins>
</build>
+
+ <scm>
+ <tag>struts2-secure-jakarta-multipart-parser-plugin-1.0</tag>
+ </scm>
</project>
[04/13] struts-extras git commit: Adds readme with more detailed
explanation how to use the plugin
Posted by lu...@apache.org.
Adds readme with more detailed explanation how to use the plugin
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/bd18c11e
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/bd18c11e
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/bd18c11e
Branch: refs/heads/master
Commit: bd18c11e3082b2947abbb1583fd73d87589ae2f6
Parents: 1aa4a9c
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Sat Mar 18 14:53:42 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Sat Mar 18 14:53:42 2017 +0100
----------------------------------------------------------------------
.../README.md | 30 ++++++++++++++++++++
1 file changed, 30 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/bd18c11e/struts2-secure-jakarta-multipart-parser-plugin/README.md
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/README.md b/struts2-secure-jakarta-multipart-parser-plugin/README.md
new file mode 100644
index 0000000..acaeb80
--- /dev/null
+++ b/struts2-secure-jakarta-multipart-parser-plugin/README.md
@@ -0,0 +1,30 @@
+# Apache Struts 2 Extras - secure Jakarta Multipart parser plugin
+
+This plugin provides a safe implementation of the Jakarta Multipart parser from the Struts Core. It can be used
+to mitigate vulnerability described in the [S2-045](http://struts.apache.org/docs/s2-045.html) Security Bulletin.
+
+You should use this plugin in case you are not able to migrated to the latest Struts version.
+
+## Supported versions
+
+This plugins can be used with the Apache Struts versions 2.5.8 till 2.5.5, if you are running the Apache Struts 2.5.8+
+you must migrate to the latest version which is [Struts 2.5.10.1](http://struts.apache.org/announce.html#a20170307).
+
+## How to use it
+
+Just drop the jar into `WEB-INF/libs` folder and restart your application, you can use on of the existing PoCs
+to test if everything is ok.
+
+If you are using Maven to build your project, please add the following dependency into your pom:
+
+```xml
+<dependency>
+ <groupId>org.apache.struts</groupId>
+ <artifactId>struts2-secure-jakarta-multipart-parser-plugin</artifactId>
+ <version>[VERSION]</version>
+</dependency>
+```
+
+## Remarks
+
+Please be aware that this is just a temporary solution, you should consider migration to the latest version anyway.
[09/13] struts-extras git commit: Extends log with proper info about
resolves vulnerabilities
Posted by lu...@apache.org.
Extends log with proper info about resolves vulnerabilities
Project: http://git-wip-us.apache.org/repos/asf/struts-extras/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts-extras/commit/ef4bd112
Tree: http://git-wip-us.apache.org/repos/asf/struts-extras/tree/ef4bd112
Diff: http://git-wip-us.apache.org/repos/asf/struts-extras/diff/ef4bd112
Branch: refs/heads/master
Commit: ef4bd1124d48a58df3122f9e8425c87b08b5543c
Parents: b8182e3
Author: Lukasz Lenart <lu...@gmail.com>
Authored: Mon Mar 20 07:40:08 2017 +0100
Committer: Lukasz Lenart <lu...@gmail.com>
Committed: Mon Mar 20 07:40:08 2017 +0100
----------------------------------------------------------------------
.../org/apache/struts/extras/SecureJakartaMultipartParser.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts-extras/blob/ef4bd112/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
----------------------------------------------------------------------
diff --git a/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java b/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
index acd6b4d..0595879 100644
--- a/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
+++ b/struts2-secure-jakarta-multipart-parser-plugin/src/main/java/org/apache/struts/extras/SecureJakartaMultipartParser.java
@@ -35,7 +35,7 @@ public class SecureJakartaMultipartParser extends JakartaMultiPartRequest {
public SecureJakartaMultipartParser() {
LOG.info("This is a secure implementation of the Struts Jakarta Multipart parser, " +
- "this implementation is safe against vulnerability described in the S2-045 Security Bulletin.");
+ "this implementation is safe against vulnerability described in the S2-045/S2-046 Security Bulletins.");
}
@Inject