Posted to dev@struts.apache.org by Apache Wiki <wi...@apache.org> on 2006/03/23 02:33:21 UTC

[Struts Wiki] Update of "StrutsUpgradeNotes128to129" by NiallPemberton

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Struts Wiki" for change notification.

The following page has been changed by NiallPemberton:
http://wiki.apache.org/struts/StrutsUpgradeNotes128to129

The comment on the change is:
Add Struts 1.2.9 Upgrade Notes

New page:
#pragma section-numbers on
[[TableOfContents]]

= Upgrading Struts 1.2.8 to Struts 1.2.9 =
'''N.B.''' The primary motivation for Struts 1.2.9 was to fix three security issues which have been identified - see below for more details. For full details of changes in version 1.2.9 see the [http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html Release Notes].

Only the '''struts.jar''' ''needs'' to be upgraded - all Struts dependencies remain the same as Struts 1.2.8. The only other requirement to upgrade is the new '''Cancel''' processing - see security issue '''2.1 Bug 38374 - Validation always skipped with Globals.CANCEL_KEY''' below.

= Security Issues =

== Bug 38374 - Validation always skipped with Globals.CANCEL_KEY ==

=== Issue: Cancel Processing ===

The Struts <html:cancel> tag sets a request parameter ({{{org.apache.struts.taglib.html.Constants.CANCEL}}}) which causes '''validation''' to be ''skipped''.

Spoofing this request parameter, however, could be used maliciously to circumvent an application's validation and proceed with request processing using erroneous and potentially damaging data.

See [http://issues.apache.org/bugzilla/show_bug.cgi?id=38374 Bug 38374] for full details.

=== Resolution: Cancellable Property ===

A new '''cancellable''' property has been introduced which indicates whether an action is ''allowed'' to be cancelled or not. In Struts 1.2.9 this is set to {{{true}}} or {{{false}}} for an action in the struts-config.xml using the {{{<set-property>}}} notation. From Struts 1.3.x a new {{{cancellable}}} attribute has been added to the {{{<action>}}} element.

Now any action where the '''cancellable''' property is not set to {{{true}}} will throw an {{{InvalidCancelException}}}.

=== Upgrade Implications ===

Any existing applications that use the '''Cancel''' processing will need to modify their struts-config.xml to set the  '''cancellable''' property for actions which require it.

In Struts 1.2.9 the '''<set-property>''' is used to set the '''cancellable''' property for an action....
{{{
    <action path="/fooAction"
                input="/foo.jsp"
                validate="true">
         <set-property property="cancellable" value="true"/>
         <forward name="success" path="/bar.jsp"/>
    </action>
}}}

From Struts 1.3.x a new '''cancellable''' attribute can be used....
{{{
    <action path="/fooAction"
            input="/foo.jsp"
            validate="true"
            cancellable="true">
        <forward name="success" path="/bar.jsp"/>
    </action>
}}}

In both Struts 1.2.9 and Struts 1.3.x an exception handler can be configured to handle the {{{InvalidCancelException}}}
{{{
    <action path="/fooAction"
            input="/foo.jsp"
            validate="true"
            cancellable="true">
        <forward name="success" path="/bar.jsp"/>
        <exception key="errors.cancel"
                   type="org.apache.struts.action.InvalidCancelException"
                   path="/foo.jsp"/>
    </action>
}}}

'''N.B.''' The ''struts-examples'' webapp, shipped in the binary distribution, has an example/test page for cancel handling in the ''exercise'' module.
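To make the behavioural change concrete, here is a small added illustration (not Struts source code) that models the validation step before and after the Bug 38374 fix; the class and field names, and the cancel parameter name, are simplified stand-ins for the real Struts types:

```java
import java.util.Map;

/** Added example: a minimal model of the cancel check before and after Struts 1.2.9. */
public class CancelCheckDemo {
    // Stand-in for the request parameter name emitted by <html:cancel>
    // (the real value is org.apache.struts.taglib.html.Constants.CANCEL).
    static final String CANCEL_PARAM = "org.apache.struts.taglib.html.CANCEL";

    /** Stand-in for org.apache.struts.action.InvalidCancelException (new in 1.2.9). */
    static class InvalidCancelException extends Exception {}

    /** Stand-in for an action mapping: only the two settings the check needs. */
    static class Mapping {
        final boolean validate, cancellable;
        Mapping(boolean validate, boolean cancellable) {
            this.validate = validate;
            this.cancellable = cancellable;
        }
    }

    /** Struts 1.2.8: any request carrying the cancel parameter skips validation. */
    static boolean validationRunsIn128(Mapping m, Map<String, String> params) {
        if (params.containsKey(CANCEL_PARAM)) {
            return false; // the parameter is client-controlled, so this is spoofable
        }
        return m.validate;
    }

    /** Struts 1.2.9: cancel is honoured only for mappings that opt in with cancellable=true. */
    static boolean validationRunsIn129(Mapping m, Map<String, String> params)
            throws InvalidCancelException {
        if (params.containsKey(CANCEL_PARAM)) {
            if (!m.cancellable) {
                throw new InvalidCancelException(); // handled via <exception> in struts-config.xml
            }
            return false; // legitimate cancel on an action that allows it
        }
        return m.validate;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample requests: one normal submit, one with the cancel parameter present.
        Map<String, String> normal = Map.of("amount", "-999");
        Map<String, String> cancelled = Map.of("amount", "-999", CANCEL_PARAM, "Cancel");
        Mapping notCancellable = new Mapping(true, false); // validate="true", no cancellable property
        Mapping cancellable = new Mapping(true, true);     // validate="true", cancellable="true"

        System.out.println("1.2.8, cancel param, not cancellable: validation runs = "
                + validationRunsIn128(notCancellable, cancelled));
        System.out.println("1.2.9, no cancel param: validation runs = "
                + validationRunsIn129(notCancellable, normal));
        System.out.println("1.2.9, cancel param, cancellable: validation runs = "
                + validationRunsIn129(cancellable, cancelled));
        try {
            validationRunsIn129(notCancellable, cancelled);
        } catch (InvalidCancelException e) {
            System.out.println("1.2.9, cancel param, not cancellable: InvalidCancelException");
        }
    }
}
```

The first case is the pre-1.2.9 weakness: validation is skipped purely because the parameter is present, whereas in 1.2.9 the same request is rejected unless the mapping has opted in.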

== Bug 38534 - DOS attack, application hack ==

=== Issue: Denial of Service (DOS) ===

!ActionForm's which involve multipart handling expose the '''!MultipartRequestHandler''' through the form's ''getMultipartRequestHandler()'' method - this in turn gives access to the '''!ActionServlet''' and through that to the '''!ServletContext'''. Appropriately named request parameters could be spoofed in order to set attributes in the !ServletContext during form population. For example, Struts configuration objects stored in the !ServletContext could be replaced, rendering the application inoperable.

See [http://issues.apache.org/bugzilla/show_bug.cgi?id=38534 Bug 38534] for full details.

=== Resolution: Remove MultipartRequestHandler until after Form Population  ===

From Struts 1.2.9 the !MultipartRequestHandler is only stored in the !ActionForm '''after''' the form population has been completed. Malicious use of this mechanism in a DOS attack will now result in a !NestedNullException being thrown by !BeanUtils during form population.

=== Upgrade Implications ===

None - simply upgrading to Struts 1.2.9 or later removes the ability for someone to launch a DOS attack in this way.

== Bug 38749 - XSS vulnerability in DispatchAction ==

=== Issue: Cross Site Scripting (XSS) Vulnerability ===

!DispatchAction (and !ActionDispatcher) were rendering user input when throwing an exception for invalid user input, which could be used to launch a [http://en.wikipedia.org/wiki/XSS XSS] attack.

See [http://issues.apache.org/bugzilla/show_bug.cgi?id=38749 Bug 38749] for full details.

=== Resolution: User Input No Longer Rendered ===
!DispatchAction and !ActionDispatcher have been modified to no longer render user input.

=== Upgrade Implications ===

None - simply upgrading to Struts 1.2.9 or later removes this vulnerability.

= EventDispatchAction and EventActionDispatcher =
Although Struts 1.2.9 primarily fixes the above security issues and a few other bugs, new [http://struts.apache.org/struts-doc-1.2.9/api/org/apache/struts/actions/DispatchAction.html DispatchAction] and [http://struts.apache.org/struts-doc-1.2.9/api/org/apache/struts/actions/ActionDispatcher.html ActionDispatcher] flavours were introduced. See the [http://struts.apache.org/struts-doc-1.2.9/api/index.html JavaDocs] for more details:

 * [http://struts.apache.org/struts-doc-1.2.9/api/org/apache/struts/actions/EventDispatchAction.html EventDispatchAction]
 * [http://struts.apache.org/struts-doc-1.2.9/api/org/apache/struts/actions/EventActionDispatcher.html EventActionDispatcher]

= Commons Validator =
Struts 1.2.9 is distributed with [http://jakarta.apache.org/commons/validator/ Commons Validator] 1.1.4. However you may wish to upgrade to the latest version of Validator to take advantage of new features or bug fixes. The current release of Validator (as of 22 March 2006) is 1.2.0...

   * [http://jakarta.apache.org/commons/validator/changes-report.html Validator Release History] 
   * [http://wiki.apache.org/jakarta-commons/ValidatorVersion120 Changes/Upgrade Notes for Validator 1.2.0]

...however, hopefully a Validator 1.3.0 release will be available soon.
