You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@struts.apache.org by lu...@apache.org on 2017/03/20 13:32:55 UTC
svn commit: r1008685 - in /websites/production/struts/content: announce.html
docs/s2-045.html docs/s2-046.html docs/security-bulletins.html
docs/spring-plugin.html docs/struts-23-to-25-migration.html download.html
index.html
Author: lukaszlenart
Date: Mon Mar 20 13:32:54 2017
New Revision: 1008685
Log:
Updates production
Added:
websites/production/struts/content/docs/s2-046.html
Modified:
websites/production/struts/content/announce.html
websites/production/struts/content/docs/s2-045.html
websites/production/struts/content/docs/security-bulletins.html
websites/production/struts/content/docs/spring-plugin.html
websites/production/struts/content/docs/struts-23-to-25-migration.html
websites/production/struts/content/download.html
websites/production/struts/content/index.html
Modified: websites/production/struts/content/announce.html
==============================================================================
--- websites/production/struts/content/announce.html (original)
+++ websites/production/struts/content/announce.html Mon Mar 20 13:32:54 2017
@@ -124,6 +124,33 @@
Skip to: <a href="announce-2016.html">Announcements - 2016</a>
</p>
+<h4 id="a20170320">20 march 2017 - Struts Extras secure Multipart plugins General Availability</h4>
+
+<p>The Apache Struts group is pleased to announce that the Apache Struts 2 Secure Jakarta Multipart parser plugin
+and Apache Struts 2 Secure Jakarta Stream Multipart parser plugin are available as a “General Availability”
+release. The GA designation is our highest quality grade.</p>
+
+<p>These releases address one critical security vulnerability:</p>
+
+<ul>
+ <li>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser
+<a href="/docs/s2-045.html">S2-045</a>, <a href="/docs/s2-046.html">S2-046</a></li>
+</ul>
+
+<p>Those plugins were released to allow users running older versions of the Apache Struts secure their applications in easy way.
+You don’t have to migrate to the latest version (which is still preferable) but by applying one of those plugins,
+your application won’t be vulnerable anymore.</p>
+
+<p>It is a drop-in installation, just select a proper jar gile and copy it to <code class="highlighter-rouge">WEB-INF/lib</code> folder.
+Please read the <a href="https://github.com/apache/struts-extras">README</a> for more details and supported Apache Struts versions.</p>
+
+<p><strong>All developers are strongly advised to perform this action.</strong></p>
+
+<p>Should any issues arise with your use of any version of the Struts framework, please post your comments
+to the user list, and, if appropriate, file a tracking ticket.</p>
+
+<p>You can download those plugins from our <a href="download.cgi#struts-extras">download</a> page.</p>
+
<h4 id="a20170307">7 march 2017 - Struts 2.5.10.1 General Availability</h4>
<p>The Apache Struts group is pleased to announce that Struts 2.5.10.1 is available as a “General Availability”
Modified: websites/production/struts/content/docs/s2-045.html
==============================================================================
--- websites/production/struts/content/docs/s2-045.html (original)
+++ websites/production/struts/content/docs/s2-045.html Mon Mar 20 13:32:54 2017
@@ -139,7 +139,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h2 id="S2-045-Summary">Summary</h2>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible RCE when performing file upload <span>based on Jakarta Multipart parser</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>High</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" href="version-notes-2332.
html">Struts 2.3.32</a> or <a shape="rect" href="version-notes-25101.html">Struts 2.5.10.1</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.5 - Struts 2.3.31, Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 2.5.10</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Nike Zheng <nike dot zheng at dbappsecurity dot com dot cn></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2017-5638</p></td></tr></tbody></table></div><h2 id="S2-045-Problem">Problem</h2><p>It is possible to perform a RCE attack with a malicious <code>Content-Type</code> value. If the <code>Content-Type</code> value isn't valid an exception is thrown which is then used to display an error me
ssage to a user.</p><h2 id="S2-045-Solution">Solution</h2><p>If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different <a shape="rect" href="https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries">implementation</a> of the Multipart parser.</p><h2 id="S2-045-Backwardcompatibility">Backward compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 id="S2-045-Workaround">Workaround</h2><p>Implement a Servlet filter which will validate <code>Content-Type</code> and throw away request with suspicious values not matching <code>multipart/form-data</code>.</p><p>Other option is to remove the <a shape="rect" href="file-upload-interceptor.html">File Upload Interceptor</a> from the stack, just define your own custom stack and set it as a default - please read <a shape="rect" href="how-do-we-configure-an-interceptor-to-be-used-with-
every-action.html">How do we configure an Interceptor to be used with every Action</a>. This will work only for Struts 2.5.8 - 2.5.10.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+ <div id="ConfluenceContent"><h2 id="S2-045-Summary">Summary</h2>Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible RCE when performing file upload <span>based on Jakarta Multipart parser</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Critical</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" href="version-notes-2
332.html">Struts 2.3.32</a> or <a shape="rect" href="version-notes-25101.html">Struts 2.5.10.1</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.5 - Struts 2.3.31, Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 2.5.10</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Nike Zheng <nike dot zheng at dbappsecurity dot com dot cn></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2017-5638</p></td></tr></tbody></table></div><h2 id="S2-045-Problem">Problem</h2><p>It is possible to perform a RCE attack with a malicious <code>Content-Type</code> value. If the <code>Content-Type</code> value isn't valid an exception is thrown which is then used to display an erro
r message to a user.</p><h2 id="S2-045-Solution">Solution</h2><p>If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different <a shape="rect" href="https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries">implementation</a> of the Multipart parser.</p><h2 id="S2-045-Backwardcompatibility">Backward compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 id="S2-045-Workaround">Workaround</h2><p>Implement a Servlet filter which will validate <code>Content-Type</code> and throw away request with suspicious values not matching <code>multipart/form-data</code>.</p><p>Other option is to remove the <a shape="rect" href="file-upload-interceptor.html">File Upload Interceptor</a> from the stack, just define your own custom stack and set it as a default - please read <a shape="rect" href="how-do-we-configure-an-interceptor-to-be-used-w
ith-every-action.html">How do we configure an Interceptor to be used with every Action</a>. This will work only for Struts 2.5.8 - 2.5.10.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><interceptors>
<interceptor-stack name="defaultWithoutUpload">
<interceptor-ref name="exception"/>
Added: websites/production/struts/content/docs/s2-046.html
==============================================================================
--- websites/production/struts/content/docs/s2-046.html (added)
+++ websites/production/struts/content/docs/s2-046.html Mon Mar 20 13:32:54 2017
@@ -0,0 +1,180 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<html>
+<head>
+ <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+ <style type="text/css">
+ .dp-highlighter {
+ width:95% !important;
+ }
+ </style>
+ <style type="text/css">
+ .footer {
+ background-image: url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+ background-repeat: repeat-x;
+ background-position: left top;
+ padding-top: 4px;
+ color: #666;
+ }
+ </style>
+ <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+ <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+ <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+ <script src='https://struts.apache.org/highlighter/js/shBrushCss.js' type='text/javascript'></script>
+ <script type="text/javascript">
+ SyntaxHighlighter.defaults['toolbar'] = false;
+ SyntaxHighlighter.all();
+ </script>
+ <script type="text/javascript" language="javascript">
+ var hide = null;
+ var show = null;
+ var children = null;
+
+ function init() {
+ /* Search form initialization */
+ var form = document.forms['search'];
+ if (form != null) {
+ form.elements['domains'].value = location.hostname;
+ form.elements['sitesearch'].value = location.hostname;
+ }
+
+ /* Children initialization */
+ hide = document.getElementById('hide');
+ show = document.getElementById('show');
+ children = document.all != null ?
+ document.all['children'] :
+ document.getElementById('children');
+ if (children != null) {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ }
+
+ function showChildren() {
+ children.style.display = 'block';
+ show.style.display = 'none';
+ hide.style.display = 'inline';
+ }
+
+ function hideChildren() {
+ children.style.display = 'none';
+ show.style.display = 'inline';
+ hide.style.display = 'none';
+ }
+ </script>
+ <title>S2-046</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+ <tr class="topBar">
+ <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+ <a href="home.html">Home</a> > <a href="security-bulletins.html">Security Bulletins</a> > <a href="s2-046.html">S2-046</a>
+ </td>
+ <td align="right" valign="middle" nowrap>
+ <form name="search" action="https://www.google.com/search" method="get">
+ <input type="hidden" name="ie" value="UTF-8" />
+ <input type="hidden" name="oe" value="UTF-8" />
+ <input type="hidden" name="domains" value="" />
+ <input type="hidden" name="sitesearch" value="" />
+ <input type="text" name="q" maxlength="255" value="" />
+ <input type="submit" name="btnG" value="Google Search" />
+ </form>
+ </td>
+ </tr>
+</table>
+
+<div id="PageContent">
+ <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+ <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+ <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+ <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+ <div style="margin: 0px 10px 8px 10px" class="pagetitle">S2-046</div>
+
+ <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=68719612">
+ <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=68719612">Edit Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+ <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=68719612">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=68719612">Add Page</a>
+
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=68719612">
+ <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+ height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+ <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=68719612">Add News</a>
+ </div>
+ </div>
+
+ <div class="pagecontent">
+ <div class="wiki-content">
+ <div id="ConfluenceContent"><h2 id="S2-046-Summary">Summary</h2>Possible RCE when performing file upload based on Jakarta Multipart parser (similar to <a shape="rect" href="s2-045.html">S2-045</a>)<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible RCE when performing file upload <span>based on Jakarta Multipart parser</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Critical</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade
to <a shape="rect" href="version-notes-2332.html">Struts 2.3.32</a> or <a shape="rect" href="version-notes-25101.html">Struts 2.5.10.1</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.3.5 - Struts 2.3.31, Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts 2.5.10</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Chris Frohoff <cfrohoff at qualcomm dot com>, Nike Zheng <nike dot zheng at dbappsecurity dot com dot cn>, <span>Alvaro </span>Munoz <alvaro dot munoz at hpe dot com></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2017-5638</p></td></tr></tbody></table></div><h2 id="S2-046-Problem">Problem</h2><p>It is possible to perform a RCE attack with a malicious&
#160;<code>Content-Disposition</code> value or with improper <code>Content-Length</code> header. If the <code>Content-Dispostion</code> / <code>Content-Length</code> value is not valid an exception is thrown which is then used to display an error message to a user. This is a different vector for the same vulnerability described in <a shape="rect" href="s2-045.html">S2-045</a> (<span>CVE-2017-5638).</span></p><h2 id="S2-046-Solution">Solution</h2><p>If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1.</p><h2 id="S2-046-Backwardcompatibility">Backward compatibility</h2><p>No backward incompatibility issues are expected.</p><h2 id="S2-046-Workaround">Workaround</h2><p>You can switch to a different <a shape="rect" href="https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries">implementation</a> of the Multipart parser. We have already prepared two plugins whic
h can be used as a drop-in solution, please find them <a shape="rect" class="external-link" href="https://github.com/apache/struts-extras" rel="nofollow">here</a>. You can use them when you are running the Apache Struts 2.3.8 - 2.5.5 (in case of using the default <a shape="rect" class="external-link" href="https://cwiki.apache.org//confluence/display/WW/File%20upload#FileUpload-AdvancedConfiguration">Jakarta</a> multipart parser) or the Apache Struts 2.3.20 - 2.5.5 (when using an alternative <a shape="rect" class="external-link" href="https://cwiki.apache.org//confluence/display/WW/File%20upload#FileUpload-AlternateLibraries">jakarta-stream</a> multipart parser).</p><p>Another option is to remove the <a shape="rect" href="file-upload-interceptor.html">File Upload Interceptor</a> from the stack, just define your own custom stack and set it as a default - please read <a shape="rect" href="how-do-we-configure-an-interceptor-to-be-used-with-every-action.html">How do
we configure an Interceptor to be used with every Action</a>. This will work only for Struts 2.5.8 - 2.5.10.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><interceptors>
+ <interceptor-stack name="defaultWithoutUpload">
+ <interceptor-ref name="exception"/>
+ <interceptor-ref name="alias"/>
+ <interceptor-ref name="servletConfig"/>
+ <interceptor-ref name="i18n"/>
+ <interceptor-ref name="prepare"/>
+ <interceptor-ref name="chain"/>
+ <interceptor-ref name="scopedModelDriven"/>
+ <interceptor-ref name="modelDriven"/>
+ <interceptor-ref name="checkbox"/>
+ <interceptor-ref name="datetime"/>
+ <interceptor-ref name="multiselect"/>
+ <interceptor-ref name="staticParams"/>
+ <interceptor-ref name="actionMappingParams"/>
+ <interceptor-ref name="params"/>
+ <interceptor-ref name="conversionError"/>
+ <interceptor-ref name="validation">
+ <param name="excludeMethods">input,back,cancel,browse</param>
+ </interceptor-ref>
+ <interceptor-ref name="workflow">
+ <param name="excludeMethods">input,back,cancel,browse</param>
+ </interceptor-ref>
+ <interceptor-ref name="debugging"/>
+ </interceptor-stack>
+</interceptors>
+<default-interceptor-ref name="defaultWithoutUpload"/></pre>
+</div></div></div>
+ </div>
+
+
+ </div>
+</div>
+<div class="footer">
+ Generated by CXF SiteExporter
+</div>
+</body>
+</html>
Modified: websites/production/struts/content/docs/security-bulletins.html
==============================================================================
--- websites/production/struts/content/docs/security-bulletins.html (original)
+++ websites/production/struts/content/docs/security-bulletins.html Mon Mar 20 13:32:54 2017
@@ -126,7 +126,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
<div id="ConfluenceContent"><p>The following security bulletins are available:</p>
-<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> — <span class="smalltext">Remote code exploit on form validation error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> — <span class="smalltext">Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags</span></li><li><a shape="rect" href="s2-003.html">S2-003</a> — <span class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a shape="rect" href="s2-004.html">S2-004</a> — <span class="smalltext">Directory traversal vulnerability while serving static content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> — <span class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> — <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</span></li><li><a shape="rect" hr
ef="s2-007.html">S2-007</a> — <span class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> — <span class="smalltext">Multiple critical vulnerabilities in Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> — <span class="smalltext">ParameterInterceptor vulnerability allows remote command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> — <span class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> — <span class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</span></li><li><a shape="rect" href="s2-012.html">S2-012</a> — <span class="smalltext">Showcase app vulnerability allows remote command execution</span></li>
<li><a shape="rect" href="s2-013.html">S2-013</a> — <span class="smalltext">A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution</span></li><li><a shape="rect" href="s2-014.html">S2-014</a> — <span class="smalltext">A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> — <span class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> — <span class="smalltext">A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> — <span class="sma
lltext">A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects</span></li><li><a shape="rect" href="s2-018.html">S2-018</a> — <span class="smalltext">Broken Access Control Vulnerability in Apache Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> — <span class="smalltext">Dynamic Method Invocation disabled by default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> — <span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)</span></li><li><a shape="rect" href="s2-021.html">S2-021</a> — <span class="smalltext">Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> — <span class="smalltext">Extends excluded params in CookieInt
erceptor to avoid manipulation of Struts' internals</span></li><li><a shape="rect" href="s2-023.html">S2-023</a> — <span class="smalltext">Generated value of token can be predictable</span></li><li><a shape="rect" href="s2-024.html">S2-024</a> — <span class="smalltext">Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker</span></li><li><a shape="rect" href="s2-025.html">S2-025</a> — <span class="smalltext">Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> — <span class="smalltext">Special top object can be used to access Struts' internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> — <span class="smalltext">TextParseUtil.translateVariables does not filter malicious OGNL expressions</span></li><li><a shape="rect" href="s2-028.html">S2-028</a> — <span class="smalltext">Use of a JRE with broken URLDecoder implementation may l
ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a shape="rect" href="s2-029.html">S2-029</a> — <span class="smalltext">Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.</span></li><li><a shape="rect" href="s2-030.html">S2-030</a> — <span class="smalltext">Possible XSS vulnerability in I18NInterceptor</span></li><li><a shape="rect" href="s2-031.html">S2-031</a> — <span class="smalltext">XSLTResult can be used to parse arbitrary stylesheet</span></li><li><a shape="rect" href="s2-032.html">S2-032</a> — <span class="smalltext">Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled.</span></li><li><a shape="rect" href="s2-033.html">S2-033</a> — <span class="smalltext">Remote Code Execution can be performed when using REST Plugin with ! operator when Dynamic Method Invocation is enabled.</span></li><li><a shape="rect" h
ref="s2-034.html">S2-034</a> — <span class="smalltext">OGNL cache poisoning can lead to DoS vulnerability</span></li><li><a shape="rect" href="s2-035.html">S2-035</a> — <span class="smalltext">Action name clean up is error prone</span></li><li><a shape="rect" href="s2-036.html">S2-036</a> — <span class="smalltext">Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029)</span></li><li><a shape="rect" href="s2-037.html">S2-037</a> — <span class="smalltext">Remote Code Execution can be performed when using REST Plugin.</span></li><li><a shape="rect" href="s2-038.html">S2-038</a> — <span class="smalltext">It is possible to bypass token validation and perform a CSRF attack</span></li><li><a shape="rect" href="s2-039.html">S2-039</a> — <span class="smalltext">Getter as action method leads to security bypass</span></li><li><a shape="rect" href="s2-040.html">S2-040</a> —
; <span class="smalltext">Input validation bypass using existing default action method.</span></li><li><a shape="rect" href="s2-041.html">S2-041</a> — <span class="smalltext">Possible DoS attack when using URLValidator</span></li><li><a shape="rect" href="s2-042.html">S2-042</a> — <span class="smalltext">Possible path traversal in the Convention plugin</span></li><li><a shape="rect" href="s2-043.html">S2-043</a> — <span class="smalltext">Using the Config Browser plugin in production</span></li><li><a shape="rect" href="s2-044.html">S2-044</a> — <span class="smalltext">Possible DoS attack when using URLValidator</span></li><li><a shape="rect" href="s2-045.html">S2-045</a> — <span class="smalltext">Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.</span></li></ul></div>
+<ul class="childpages-macro"><li><a shape="rect" href="s2-001.html">S2-001</a> — <span class="smalltext">Remote code exploit on form validation error</span></li><li><a shape="rect" href="s2-002.html">S2-002</a> — <span class="smalltext">Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags</span></li><li><a shape="rect" href="s2-003.html">S2-003</a> — <span class="smalltext">XWork ParameterInterceptors bypass allows OGNL statement execution</span></li><li><a shape="rect" href="s2-004.html">S2-004</a> — <span class="smalltext">Directory traversal vulnerability while serving static content</span></li><li><a shape="rect" href="s2-005.html">S2-005</a> — <span class="smalltext">XWork ParameterInterceptors bypass allows remote command execution</span></li><li><a shape="rect" href="s2-006.html">S2-006</a> — <span class="smalltext">Multiple Cross-Site Scripting (XSS) in XWork generated error pages</span></li><li><a shape="rect" hr
ef="s2-007.html">S2-007</a> — <span class="smalltext">User input is evaluated as an OGNL expression when there's a conversion error</span></li><li><a shape="rect" href="s2-008.html">S2-008</a> — <span class="smalltext">Multiple critical vulnerabilities in Struts2</span></li><li><a shape="rect" href="s2-009.html">S2-009</a> — <span class="smalltext">ParameterInterceptor vulnerability allows remote command execution</span></li><li><a shape="rect" href="s2-010.html">S2-010</a> — <span class="smalltext">When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes</span></li><li><a shape="rect" href="s2-011.html">S2-011</a> — <span class="smalltext">Long request parameter names might significantly promote the effectiveness of DOS attacks</span></li><li><a shape="rect" href="s2-012.html">S2-012</a> — <span class="smalltext">Showcase app vulnerability allows remote command execution</span></li>
<li><a shape="rect" href="s2-013.html">S2-013</a> — <span class="smalltext">A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution</span></li><li><a shape="rect" href="s2-014.html">S2-014</a> — <span class="smalltext">A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks</span></li><li><a shape="rect" href="s2-015.html">S2-015</a> — <span class="smalltext">A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution.</span></li><li><a shape="rect" href="s2-016.html">S2-016</a> — <span class="smalltext">A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution</span></li><li><a shape="rect" href="s2-017.html">S2-017</a> — <span class="sma
lltext">A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects</span></li><li><a shape="rect" href="s2-018.html">S2-018</a> — <span class="smalltext">Broken Access Control Vulnerability in Apache Struts2</span></li><li><a shape="rect" href="s2-019.html">S2-019</a> — <span class="smalltext">Dynamic Method Invocation disabled by default</span></li><li><a shape="rect" href="s2-020.html">S2-020</a> — <span class="smalltext">Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation)</span></li><li><a shape="rect" href="s2-021.html">S2-021</a> — <span class="smalltext">Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation</span></li><li><a shape="rect" href="s2-022.html">S2-022</a> — <span class="smalltext">Extends excluded params in CookieInt
erceptor to avoid manipulation of Struts' internals</span></li><li><a shape="rect" href="s2-023.html">S2-023</a> — <span class="smalltext">Generated value of token can be predictable</span></li><li><a shape="rect" href="s2-024.html">S2-024</a> — <span class="smalltext">Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker</span></li><li><a shape="rect" href="s2-025.html">S2-025</a> — <span class="smalltext">Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files</span></li><li><a shape="rect" href="s2-026.html">S2-026</a> — <span class="smalltext">Special top object can be used to access Struts' internals</span></li><li><a shape="rect" href="s2-027.html">S2-027</a> — <span class="smalltext">TextParseUtil.translateVariables does not filter malicious OGNL expressions</span></li><li><a shape="rect" href="s2-028.html">S2-028</a> — <span class="smalltext">Use of a JRE with broken URLDecoder implementation may l
ead to XSS vulnerability in Struts 2 based web applications.</span></li><li><a shape="rect" href="s2-029.html">S2-029</a> — <span class="smalltext">Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.</span></li><li><a shape="rect" href="s2-030.html">S2-030</a> — <span class="smalltext">Possible XSS vulnerability in I18NInterceptor</span></li><li><a shape="rect" href="s2-031.html">S2-031</a> — <span class="smalltext">XSLTResult can be used to parse arbitrary stylesheet</span></li><li><a shape="rect" href="s2-032.html">S2-032</a> — <span class="smalltext">Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled.</span></li><li><a shape="rect" href="s2-033.html">S2-033</a> — <span class="smalltext">Remote Code Execution can be performed when using REST Plugin with ! operator when Dynamic Method Invocation is enabled.</span></li><li><a shape="rect" h
ref="s2-034.html">S2-034</a> — <span class="smalltext">OGNL cache poisoning can lead to DoS vulnerability</span></li><li><a shape="rect" href="s2-035.html">S2-035</a> — <span class="smalltext">Action name clean up is error prone</span></li><li><a shape="rect" href="s2-036.html">S2-036</a> — <span class="smalltext">Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029)</span></li><li><a shape="rect" href="s2-037.html">S2-037</a> — <span class="smalltext">Remote Code Execution can be performed when using REST Plugin.</span></li><li><a shape="rect" href="s2-038.html">S2-038</a> — <span class="smalltext">It is possible to bypass token validation and perform a CSRF attack</span></li><li><a shape="rect" href="s2-039.html">S2-039</a> — <span class="smalltext">Getter as action method leads to security bypass</span></li><li><a shape="rect" href="s2-040.html">S2-040</a> —
; <span class="smalltext">Input validation bypass using existing default action method.</span></li><li><a shape="rect" href="s2-041.html">S2-041</a> — <span class="smalltext">Possible DoS attack when using URLValidator</span></li><li><a shape="rect" href="s2-042.html">S2-042</a> — <span class="smalltext">Possible path traversal in the Convention plugin</span></li><li><a shape="rect" href="s2-043.html">S2-043</a> — <span class="smalltext">Using the Config Browser plugin in production</span></li><li><a shape="rect" href="s2-044.html">S2-044</a> — <span class="smalltext">Possible DoS attack when using URLValidator</span></li><li><a shape="rect" href="s2-045.html">S2-045</a> — <span class="smalltext">Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.</span></li><li><a shape="rect" href="s2-046.html">S2-046</a> — <span class="smalltext">Possible RCE when performing file upload based on Jakarta Multipart parser
(similar to S2-045)</span></li></ul></div>
</div>
<div class="tabletitle">
@@ -141,6 +141,9 @@ under the License.
<span class="smalltext">(Apache Struts 2 Documentation)</span>
<br>
$page.link($child)
+ <span class="smalltext">(Apache Struts 2 Documentation)</span>
+ <br>
+ $page.link($child)
<span class="smalltext">(Apache Struts 2 Documentation)</span>
<br>
$page.link($child)
Modified: websites/production/struts/content/docs/spring-plugin.html
==============================================================================
--- websites/production/struts/content/docs/spring-plugin.html (original)
+++ websites/production/struts/content/docs/spring-plugin.html Mon Mar 20 13:32:54 2017
@@ -139,7 +139,18 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><a shape="rect" class="external-link" href="http://www.springframework.org" rel="nofollow">Spring</a> is a lightweight container, providing centralized, automated configuration and wiring of your application objects, using a technique called "Dependency Injection"</p></div></div><p>The Spring Plugin works by overriding the Struts <a shape="rect" href="objectfactory.html">ObjectFactory</a> to enhance the creation of core framework objects. When an object is to be created, it uses the <code>class</code> attribute in the Struts configuration to correspond to the <code>id</code> attribute in the Spring configuration. If not found, the class will try to be created as usual, then be autowired by Spring. In the case of Actio
ns, Spring 2's <a shape="rect" class="external-link" href="http://www.springframework.org/docs/reference/beans.html#beans-factory-scopes" rel="nofollow">bean scope feature</a> can be used to scope an Action instance to the session, application, or a custom scope, providing advanced customization above the default per-request scoping.</p><div class="confluence-information-macro confluence-information-macro-note"><p class="title">Spring Actions are Optional!</p><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Remember: <strong>registering Actions with Spring is not required</strong>. The Spring alternative is there if you need it, but the framework will automatically create Actions objects from the action mappings. But, if you want to use Spring to inject your Actions, the option is there.</p></div></div><h4 id="SpringPlugin-Features">Features</h4><ul><li>Allow Actions, Interceptors, a
nd Results to be created by Spring</li><li>Struts-created objects can be autowired by Spring after creation</li><li>Provides two interceptors that autowire actions, if not using the Spring ObjectFactory</li></ul><h2 id="SpringPlugin-Usage">Usage</h2><p>To enable Spring integration, simply include struts2-spring-plugin-x-x-x.jar in your application.</p><p>If you are using more than one object factory, (for example, by including both the Spring and Plexus plugins in your application,) you will need to set the struts.objectFactory property in <a shape="rect" href="strutsproperties.html">struts.properties</a> or in one of several XML files via <a shape="rect" href="constant-configuration.html">Constant Configuration</a>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>struts.properties</b></div><div class="codeContent panelContent pdl">
+ <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
+div.rbtoc1490016578158 {padding: 0px;}
+div.rbtoc1490016578158 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1490016578158 li {margin-left: 0px;padding-left: 0px;}
+
+/*]]>*/</style></p><div class="toc-macro rbtoc1490016578158">
+<ul class="toc-indentation"><li><a shape="rect" href="#SpringPlugin-Description">Description</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#SpringPlugin-Features">Features</a></li></ul>
+</li><li><a shape="rect" href="#SpringPlugin-Usage">Usage</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#SpringPlugin-Autowiring">Autowiring</a></li><li><a shape="rect" href="#SpringPlugin-InitializingActionsfromSpring">Initializing Actions from Spring</a></li><li><a shape="rect" href="#SpringPlugin-ClassReloading">Class Reloading</a></li><li><a shape="rect" href="#SpringPlugin-Settings">Settings</a></li><li><a shape="rect" href="#SpringPlugin-Installation">Installation</a></li></ul>
+</li></ul>
+</div><h2 id="SpringPlugin-Description">Description</h2><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p><a shape="rect" class="external-link" href="http://www.springframework.org" rel="nofollow">Spring</a> is a lightweight container, providing centralized, automated configuration and wiring of your application objects, using a technique called "Dependency Injection"</p></div></div><p>The Spring Plugin works by overriding the Struts <a shape="rect" href="objectfactory.html">ObjectFactory</a> to enhance the creation of core framework objects. When an object is to be created, it uses the <code>class</code> attribute in the Struts configuration to correspond to the <code>id</code> attribute in the Spring configuration. If not found, the class will try to be created as usual, then be autowired by Spring. In t
he case of Actions, Spring 2's <a shape="rect" class="external-link" href="http://www.springframework.org/docs/reference/beans.html#beans-factory-scopes" rel="nofollow">bean scope feature</a> can be used to scope an Action instance to the session, application, or a custom scope, providing advanced customization above the default per-request scoping.</p><div class="confluence-information-macro confluence-information-macro-note"><p class="title">Spring Actions are Optional!</p><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Remember: <strong>registering Actions with Spring is not required</strong>. The Spring alternative is there if you need it, but the framework will automatically create Actions objects from the action mappings. But, if you want to use Spring to inject your Actions, the option is there.</p></div></div><h4 id="SpringPlugin-Features">Features</h4><ul><li>Allow Actions,
Interceptors, and Results to be created by Spring</li><li>Struts-created objects can be autowired by Spring after creation</li><li>Provides two interceptors that autowire actions, if not using the Spring ObjectFactory</li></ul><h2 id="SpringPlugin-Usage">Usage</h2><p>To enable Spring integration, simply include struts2-spring-plugin-x-x-x.jar in your application.</p><p>If you are using more than one object factory, (for example, by including both the Spring and Plexus plugins in your application,) you will need to set the struts.objectFactory property in <a shape="rect" href="strutsproperties.html">struts.properties</a> or in one of several XML files via <a shape="rect" href="constant-configuration.html">Constant Configuration</a>:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>struts.properties</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">struts.objectFactory = spring</pre>
</div></div><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>struts.xml</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;"><struts>
Modified: websites/production/struts/content/docs/struts-23-to-25-migration.html
==============================================================================
--- websites/production/struts/content/docs/struts-23-to-25-migration.html (original)
+++ websites/production/struts/content/docs/struts-23-to-25-migration.html Mon Mar 20 13:32:54 2017
@@ -139,13 +139,13 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h3 id="Struts2.3to2.5migration-/*<![CDATA[*/div.rbtoc1488974363321{padding:0px;}div.rbtoc1488974363321ul{list-style:disc;margin-left:0px;}div.rbtoc1488974363321li{margin-left:0px;padding-left:0px;}/*]]>*/#Struts2.3to2.5migration-Dependencies#Struts2.3to2.5migrat"><style type="text/css">/*<![CDATA[*/
-div.rbtoc1488974363321 {padding: 0px;}
-div.rbtoc1488974363321 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1488974363321 li {margin-left: 0px;padding-left: 0px;}
+ <div id="ConfluenceContent"><h3 id="Struts2.3to2.5migration-/*<![CDATA[*/div.rbtoc1490016579651{padding:0px;}div.rbtoc1490016579651ul{list-style:disc;margin-left:0px;}div.rbtoc1490016579651li{margin-left:0px;padding-left:0px;}/*]]>*/#Struts2.3to2.5migration-Dependencies#Struts2.3to2.5migrat"><style type="text/css">/*<![CDATA[*/
+div.rbtoc1490016579651 {padding: 0px;}
+div.rbtoc1490016579651 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1490016579651 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></h3><div class="toc-macro rbtoc1488974363321">
-<ul class="toc-indentation"><li><a shape="rect" href="#Struts2.3to2.5migration-"></a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Dependencies">Dependencies</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-StrutsPrepareAndExecuteFilter">StrutsPrepareAndExecuteFilter</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-DTD">DTD</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Tagsattributes">Tags attributes</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Divtag">Div tag</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Fieldnames">Field names</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Tiles">Tiles</a></li></ul>
+/*]]>*/</style></h3><div class="toc-macro rbtoc1490016579651">
+<ul class="toc-indentation"><li><a shape="rect" href="#Struts2.3to2.5migration-"></a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Dependencies">Dependencies</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-StrutsPrepareAndExecuteFilter">StrutsPrepareAndExecuteFilter</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-DTD">DTD</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Tagsattributes">Tags attributes</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Divtag">Div tag</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Fieldnames">Field names</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Tiles">Tiles</a></li><li><a shape="rect" href="#Struts2.3to2.5migration-Temp/WorkdirectoryofApplicationServer/ServletContainer">Temp/Work directory of ApplicationServer/ServletContainer</a></li></ul>
</div><h3 id="Struts2.3to2.5migration-Dependencies">Dependencies</h3><p>Update Struts dependencies to 2.5.<br clear="none"><br clear="none">Remove the following plugin dependencies because they were dropped and aren't supported anymore.</p><ul><li>Dojo Plugin</li><li>Codebehind Plugin</li><li>JSF Plugin</li><li>Struts1 Plugin</li></ul><h3 id="Struts2.3to2.5migration-StrutsPrepareAndExecuteFilter">StrutsPrepareAndExecuteFilter</h3><p>The <code>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</code> was moved to <code>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter</code>.<br clear="none"><br clear="none">In web.xml replace this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;"><filter>
<filter-name>struts2</filter-name>
@@ -202,7 +202,7 @@ public void setStrng(String str) {...}</
</listener>
</pre>
-</div></div><p> </p><p>Optionally you may remove TilesDefinitions from XML and annotate actions instead. See <a shape="rect" href="tiles-plugin.html">Tiles Plugin</a> for more details.</p><p> </p><p> </p></div>
+</div></div><p> </p><p>Optionally you may remove TilesDefinitions from XML and annotate actions instead. See <a shape="rect" href="tiles-plugin.html">Tiles Plugin</a> for more details.</p><h3 id="Struts2.3to2.5migration-Temp/WorkdirectoryofApplicationServer/ServletContainer">Temp/Work directory of ApplicationServer/ServletContainer</h3><p>Users reported it was necessary for them to remove temp/work directory of their ApplicationServer/ServletContainer. Likely to force server to recompile JSPs.</p><p> </p><p> </p></div>
</div>
Modified: websites/production/struts/content/download.html
==============================================================================
--- websites/production/struts/content/download.html (original)
+++ websites/production/struts/content/download.html Mon Mar 20 13:32:54 2017
@@ -324,6 +324,68 @@
</ul>
+<a class="anchor" name="struts-extras"></a>
+<h2>Struts Extras</h2>
+
+<ul>
+ <li>
+ <a href="https://github.com/apache/struts-extras">README</a>
+ </li>
+
+ <li>Apache Struts 2 Secure Jakarta Multipart parser plugin:
+ <ul>
+ <li>
+ <a href="[preferred]struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0.jar">
+ struts2-secure-jakarta-multipart-parser-plugin-1.0.jar
+ </a>
+ [<a href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0.jar.asc">PGP</a>]
+ [<a href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0.jar.md5">MD5</a>]
+ [<a href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0.jar.sha1">SHA1</a>]
+ </li>
+ </ul>
+ </li>
+
+ <li>Source:
+ <ul>
+ <li>
+ <a href="[preferred]struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip">
+ struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip
+ </a>
+ [<a href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip.md5">PGP</a>]
+ [<a href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip.asc">MD5</a>]
+ [<a href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-multipart-parser-plugin/1.0/struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip.sha1">SHA1</a>]
+ </li>
+ </ul>
+ </li>
+
+ <li>Apache Struts 2 Secure Jakarta Stream Multipart parser plugin:
+ <ul>
+ <li>
+ <a href="[preferred]struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0.jar">
+ struts2-secure-jakarta-multipart-parser-plugin-1.0.jar
+ </a>
+ [<a href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0.jar.asc">PGP</a>]
+ [<a href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0.jar.md5">MD5</a>]
+ [<a href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0.jar.sha1">SHA1</a>]
+ </li>
+ </ul>
+ </li>
+
+ <li>Source:
+ <ul>
+ <li>
+ <a href="[preferred]struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0-source-release.zip">
+ struts2-secure-jakarta-multipart-parser-plugin-1.0-source-release.zip
+ </a>
+ [<a href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0-source-release.zip.md5">PGP</a>]
+ [<a href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0-source-release.zip.asc">MD5</a>]
+ [<a href="http://www.apache.org/dist/struts/struts-extras/struts2-secure-jakarta-stream-multipart-parser-plugin/1.0/struts2-secure-jakarta-stream-multipart-parser-plugin-1.0-source-release.zip.sha1">SHA1</a>]
+ </li>
+ </ul>
+ </li>
+
+</ul>
+
<a class="anchor" name="prior-releases"></a>
<h2>Prior releases</h2>
<p>
Modified: websites/production/struts/content/index.html
==============================================================================
--- websites/production/struts/content/index.html (original)
+++ websites/production/struts/content/index.html Mon Mar 20 13:32:54 2017
@@ -165,6 +165,13 @@
<div class="column col-md-4">
</div>
<div class="column col-md-4">
+ <h2>Apache Struts Extras GA</h2>
+ <p>
+ The Struts Extras secure Multipart plugins General Availability, use them to secure your application against critical security
+ vulnerability reported in <a href="/docs/s2-045.html">S2-045</a>, <a href="/docs/s2-046.html">S2-046</a>,
+ read more in <a href="announce.html#a20170320">Announcement</a> or in
+ <a href="https://github.com/apache/struts-extras">README</a>
+ </p>
</div>
<div class="column col-md-4">
</div>