Posted to dev@struts.apache.org by Lukasz Lenart <lu...@apache.org> on 2016/06/14 07:07:41 UTC

[VOTE][FASTTRACK] Struts 2.3.29

The Struts 2.3.29 test build is now available. It includes the latest
security patch which fixes a few possible vulnerabilities:
- Action name clean up is error prone
- Forced double OGNL evaluation, when evaluated on raw user input in
tag attributes, may lead to remote code execution (similar to S2-029)
- Remote Code Execution can be performed when using REST Plugin.
- It is possible to bypass token validation and perform a CSRF attack
- Getter as action method leads to security bypass
- Input validation bypass using existing default action method.
- Possible DoS attack when using URLValidator

For details and the rationale behind these changes, please consult the
corresponding security bulletins:
* https://cwiki.apache.org/confluence/display/WW/S2-035
* https://cwiki.apache.org/confluence/display/WW/S2-036
* https://cwiki.apache.org/confluence/display/WW/S2-037
* https://cwiki.apache.org/confluence/display/WW/S2-038
* https://cwiki.apache.org/confluence/display/WW/S2-039
* https://cwiki.apache.org/confluence/display/WW/S2-040
* https://cwiki.apache.org/confluence/display/WW/S2-041

Apart from the above, a few other issues were resolved as well:
[WW-4608] - Json result type breaks
[WW-4618] - MessageStorePreResultListener doesn't store messages for
3rd-party RedirectResult subclasses
[WW-4622] - [struts2-tiles-plugin] [2.3.28]
[StrutsWildcardServletTilesApplicationContext] getRealPath
[WW-4623] - Multiple tiles.xml in web.xml
[WW-4624] - New Tiles version can not find tiles*.xml files in sub-directories
[WW-4626] - EmailValidator flags .cat emails as invalid
[WW-4627] - Struts2 JSON Plugin: messages in fieldsErrors are
serialized twice since jdk1.7_80
[WW-4629] - Tile definition Inheritance/overriding is broken in
Struts2 tiles plugin 2.3.28+
[WW-4630] - <s:submit> generates a value attribute for type=image
which violates W3C
[WW-4633] - ClassCastException while generating report using Struts
2.3.28 and jasperreports 4.5.1

Release notes:
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.29

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/2.3.29/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond
with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC
members are considered binding. A vote passes if there are at least
three binding +1s and more +1s than -1s.

This is a "fast-track" release vote. If we have a positive vote after
24 hours (at least three binding +1s and more +1s than -1s), the
release may be submitted for mirroring and announced to the usual
channels.

The website download link will include the mirroring timestamp
parameter [1], which limits the selection of mirrors to those that
have been refreshed since the indicated time and date. (After 24
hours, we *must* remove the timestamp parameter from the website link,
to avoid unnecessary server load.) In the case of a fast-track
release, the email announcement will not link directly to
<download.cgi>, but to <downloads.html>, so that we can control use of
the timestamp parameter.

[1] http://apache.org/dev/mirrors.html#use

- The Apache Struts group.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Greg Huber <gr...@gmail.com>.
Dario,

So you are doing

eventList(%{#list.sequence}).description

instead of

<s:set var="sequence" value="#list.sequence" />
eventList(%{#sequence}).description

which works for me also

or do you have some code of what does not work?



On 22 June 2016 at 10:21, <da...@javelingroup.com> wrote:

> Hi Greg,
>
> Many thanks for the suggestion; we were going through that when we posted
> the comment on JIRA WW-4641.
> The issue indeed only happens when the value is automatically extracted
> from the form rather than provided.
> But we have too many usages (over a thousand) of <s:tag
> name="....%{...}..." /> without a value attribute to be able to "fix" all
> of them with such a work-around in a reasonable time-frame.
>
> Regards,
> Dario.
>
> -----Original Message-----
> From: Lukasz Lenart [mailto:lukaszlenart@apache.org]
> Sent: 22 June 2016 10:15
> To: Struts Developers List <de...@struts.apache.org>
> Subject: Re: [VOTE][FASTTRACK] Struts 2.3.29
>
> 2016-06-22 11:10 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > not really sure on your example, but this works, is this the same?
> >
> > <s:iterator var="list" value="eventList" status="rowstatus"> <s:set
> > var="sequence" value="#list.sequence" /> .....
> > <s:textfield name="eventList(%{#sequence}).description"
> > value="%{#list.description}" maxlength="60" size="60" /> .....
> > </s:iterator>
>
> WoW! I'm impressed :)
>
> Greg
> can you post your answer here as well
> https://issues.apache.org/jira/browse/WW-4641
>
> Maybe that will solve Martin's issue :)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise private information. If you have
> received it in error, please notify the sender immediately and delete the
> original. Any other use of the email by you is prohibited.
>
>
>

Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Greg Huber <gr...@gmail.com>.
oops, without the typos

....for

<s:hidden id="xxxx" name="eventList(%{#list.sequence}).id.eventCategory"
value="%{#list.id.eventCategory}" />

renders

<input id="xxxx" type="hidden" value="myvalue" name="eventList(1).id.eventCategory">

which is correct, i.e. it has a 1



On 22 June 2016 at 10:21, <da...@javelingroup.com> wrote:

> Hi Greg,
>
> Many thanks for the suggestion; we were going through that when we posted
> the comment on JIRA WW-4641.
> The issue indeed only happens when the value is automatically extracted
> from the form rather than provided.
> But we have too many usages (over a thousand) of <s:tag
> name="....%{...}..." /> without a value attribute to be able to "fix" all
> of them with such a work-around in a reasonable time-frame.
>
> Regards,
> Dario.
>
> -----Original Message-----
> From: Lukasz Lenart [mailto:lukaszlenart@apache.org]
> Sent: 22 June 2016 10:15
> To: Struts Developers List <de...@struts.apache.org>
> Subject: Re: [VOTE][FASTTRACK] Struts 2.3.29
>
> 2016-06-22 11:10 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > not really sure on your example, but this works, is this the same?
> >
> > <s:iterator var="list" value="eventList" status="rowstatus"> <s:set
> > var="sequence" value="#list.sequence" /> .....
> > <s:textfield name="eventList(%{#sequence}).description"
> > value="%{#list.description}" maxlength="60" size="60" /> .....
> > </s:iterator>
>
> WoW! I'm impressed :)
>
> Greg
> can you post your answer here as well
> https://issues.apache.org/jira/browse/WW-4641
>
> Maybe that will solve Martin's issue :)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>
>
>
>

Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Greg Huber <gr...@gmail.com>.
From the docs:

https://struts.apache.org/docs/iterator.html

The id attribute is deprecated in Struts 2.1.x, and has been replaced by
the var attribute.

Which version are you upgrading from?


On 22 June 2016 at 10:57, <da...@javelingroup.com> wrote:

> Hi Greg,
>
> Providing a value explicitly is not typical; most would provide a name and
> expect the Apache Struts framework to retrieve the value.
> Example illustrated here in the documentation:
> https://struts.apache.org/docs/type-conversion.html#TypeConversion-AnadvancedexampleforindexedListsandMaps
>
> See FILE: MyBeanAction.jsp
>
> <s:iterator value="beanList" id="bean">
>      <s:textfield name="beanList(%{bean.id}).name" />
> </s:iterator>
>
>
> That is the same as in simpler cases:
> https://struts.apache.org/docs/tag-syntax.html
>
> <s:textfield name="postalCode"/>
>
> ..."If there is a 'postalCode' property on the value stack, its value will
> be set to the input field"...
>
>
> Notice there is no value attribute provided to the tag in either case; the
> tag just evaluates the name expression for you to retrieve the value.
>
> Thanks,
> Dario.
>
> -----Original Message-----
> From: Greg Huber [mailto:gregh3269@gmail.com]
> Sent: 22 June 2016 10:44
> To: Struts Developers List <de...@struts.apache.org>
> Subject: Re: [VOTE][FASTTRACK] Struts 2.3.29
>
> ....for
>
> <s:hidden id="xxxx" name="eventList({#list.sequence}).id.eventCategory"
> value="%{#list.id.eventCategory}" />
>
> renders
>
> <input id="xxxx" type="hidden" value="myvalue" name="eventList(1).id.facilityCategory">
>
> which is correct, i.e. it has a 1
>
> On 22 June 2016 at 10:21, <da...@javelingroup.com> wrote:
>
> > Hi Greg,
> >
> > Many thanks for the suggestion; we were going through that when we
> > posted the comment on JIRA WW-4641.
> > The issue indeed only happens when the value is automatically
> > extracted from the form rather than provided.
> > But we have too many usages (over a thousand) of <s:tag
> > name="....%{...}..." /> without a value attribute to be able to "fix"
> > all of them with such a work-around in a reasonable time-frame.
> >
> > Regards,
> > Dario.
> >
> > -----Original Message-----
> > From: Lukasz Lenart [mailto:lukaszlenart@apache.org]
> > Sent: 22 June 2016 10:15
> > To: Struts Developers List <de...@struts.apache.org>
> > Subject: Re: [VOTE][FASTTRACK] Struts 2.3.29
> >
> > 2016-06-22 11:10 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > > not really sure on your example, but this works, is this the same?
> > >
> > > <s:iterator var="list" value="eventList" status="rowstatus"> <s:set
> > > var="sequence" value="#list.sequence" /> .....
> > > <s:textfield name="eventList(%{#sequence}).description"
> > > value="%{#list.description}" maxlength="60" size="60" /> .....
> > > </s:iterator>
> >
> > WoW! I'm impressed :)
> >
> > Greg
> > can you post your answer here as well
> > https://issues.apache.org/jira/browse/WW-4641
> >
> > Maybe that will solve Martin's issue :)
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
> >
> >
> >
> >
> >
> >
>
>
>
>

Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Lukasz Lenart <lu...@apache.org>.
The only difference here is () instead of []

2016-06-22 11:57 GMT+02:00  <da...@javelingroup.com>:
> Hi Greg,
>
> Providing a value explicitly is not typical; most would provide a name and expect the Apache Struts framework to retrieve the value.
> Example illustrated here in the documentation: https://struts.apache.org/docs/type-conversion.html#TypeConversion-AnadvancedexampleforindexedListsandMaps
>
> See FILE: MyBeanAction.jsp
>
> <s:iterator value="beanList" id="bean">
>      <s:textfield name="beanList(%{bean.id}).name" />
> </s:iterator>
>
>
> That is the same as in simpler cases: https://struts.apache.org/docs/tag-syntax.html
>
> <s:textfield name="postalCode"/>
>
> ..."If there is a 'postalCode' property on the value stack, its value will be set to the input field"...
>
>
> Notice there is no value attribute provided to the tag in either case; the tag just evaluates the name expression for you to retrieve the value.
>
> Thanks,
> Dario.
>
> -----Original Message-----
> From: Greg Huber [mailto:gregh3269@gmail.com]
> Sent: 22 June 2016 10:44
> To: Struts Developers List <de...@struts.apache.org>
> Subject: Re: [VOTE][FASTTRACK] Struts 2.3.29
>
> ....for
>
> <s:hidden id="xxxx" name="eventList({#list.sequence}).id.eventCategory"
> value="%{#list.id.eventCategory}" />
>
> renders
>
> <input id="xxxx" type="hidden" value="myvalue" name="eventList(1).id.facilityCategory">
>
> which is correct, i.e. it has a 1
>
> On 22 June 2016 at 10:21, <da...@javelingroup.com> wrote:
>
>> Hi Greg,
>>
>> Many thanks for the suggestion; we were going through that when we
>> posted the comment on JIRA WW-4641.
>> The issue indeed only happens when the value is automatically
>> extracted from the form rather than provided.
>> But we have too many usages (over a thousand) of <s:tag
>> name="....%{...}..." /> without a value attribute to be able to "fix"
>> all of them with such a work-around in a reasonable time-frame.
>>
>> Regards,
>> Dario.
>>
>> -----Original Message-----
>> From: Lukasz Lenart [mailto:lukaszlenart@apache.org]
>> Sent: 22 June 2016 10:15
>> To: Struts Developers List <de...@struts.apache.org>
>> Subject: Re: [VOTE][FASTTRACK] Struts 2.3.29
>>
>> 2016-06-22 11:10 GMT+02:00 Greg Huber <gr...@gmail.com>:
>> > not really sure on your example, but this works, is this the same?
>> >
>> > <s:iterator var="list" value="eventList" status="rowstatus"> <s:set
>> > var="sequence" value="#list.sequence" /> .....
>> > <s:textfield name="eventList(%{#sequence}).description"
>> > value="%{#list.description}" maxlength="60" size="60" /> .....
>> > </s:iterator>
>>
>> WoW! I'm impressed :)
>>
>> Greg
>> can you post your answer here as well
>> https://issues.apache.org/jira/browse/WW-4641
>>
>> Maybe that will solve Martin's issue :)
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>>
>>
>>
>>
>>
>
>
>



RE: [VOTE][FASTTRACK] Struts 2.3.29

Posted by da...@JavelinGroup.com.
Hi Greg,

Providing a value explicitly is not typical; most would provide a name and expect the Apache Struts framework to retrieve the value.
Example illustrated here in the documentation: https://struts.apache.org/docs/type-conversion.html#TypeConversion-AnadvancedexampleforindexedListsandMaps

See FILE: MyBeanAction.jsp

<s:iterator value="beanList" id="bean">
     <s:textfield name="beanList(%{bean.id}).name" />
</s:iterator>


That is the same as in simpler cases: https://struts.apache.org/docs/tag-syntax.html

<s:textfield name="postalCode"/>

..."If there is a 'postalCode' property on the value stack, its value will be set to the input field"...


Notice there is no value attribute provided to the tag in either case; the tag just evaluates the name expression for you to retrieve the value.

Thanks,
Dario.

-----Original Message-----
From: Greg Huber [mailto:gregh3269@gmail.com]
Sent: 22 June 2016 10:44
To: Struts Developers List <de...@struts.apache.org>
Subject: Re: [VOTE][FASTTRACK] Struts 2.3.29

....for

<s:hidden id="xxxx" name="eventList({#list.sequence}).id.eventCategory"
value="%{#list.id.eventCategory}" />

renders

<input id="xxxx" type="hidden" value="myvalue" name="eventList(1).id.facilityCategory">

which is correct, i.e. it has a 1

On 22 June 2016 at 10:21, <da...@javelingroup.com> wrote:

> Hi Greg,
>
> Many thanks for the suggestion; we were going through that when we
> posted the comment on JIRA WW-4641.
> The issue indeed only happens when the value is automatically
> extracted from the form rather than provided.
> But we have too many usages (over a thousand) of <s:tag
> name="....%{...}..." /> without a value attribute to be able to "fix"
> all of them with such a work-around in a reasonable time-frame.
>
> Regards,
> Dario.
>
> -----Original Message-----
> From: Lukasz Lenart [mailto:lukaszlenart@apache.org]
> Sent: 22 June 2016 10:15
> To: Struts Developers List <de...@struts.apache.org>
> Subject: Re: [VOTE][FASTTRACK] Struts 2.3.29
>
> 2016-06-22 11:10 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > not really sure on your example, but this works, is this the same?
> >
> > <s:iterator var="list" value="eventList" status="rowstatus"> <s:set
> > var="sequence" value="#list.sequence" /> .....
> > <s:textfield name="eventList(%{#sequence}).description"
> > value="%{#list.description}" maxlength="60" size="60" /> .....
> > </s:iterator>
>
> WoW! I'm impressed :)
>
> Greg
> can you post your answer here as well
> https://issues.apache.org/jira/browse/WW-4641
>
> Maybe that will solve Martin's issue :)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>
>
>
>




Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Greg Huber <gr...@gmail.com>.
....for

<s:hidden id="xxxx" name="eventList({#list.sequence}).id.eventCategory"
value="%{#list.id.eventCategory}" />

renders

<input id="xxxx" type="hidden" value="myvalue" name="eventList(1).id.facilityCategory">

which is correct, i.e. it has a 1

On 22 June 2016 at 10:21, <da...@javelingroup.com> wrote:

> Hi Greg,
>
> Many thanks for the suggestion; we were going through that when we posted
> the comment on JIRA WW-4641.
> The issue indeed only happens when the value is automatically extracted
> from the form rather than provided.
> But we have too many usages (over a thousand) of <s:tag
> name="....%{...}..." /> without a value attribute to be able to "fix" all
> of them with such a work-around in a reasonable time-frame.
>
> Regards,
> Dario.
>
> -----Original Message-----
> From: Lukasz Lenart [mailto:lukaszlenart@apache.org]
> Sent: 22 June 2016 10:15
> To: Struts Developers List <de...@struts.apache.org>
> Subject: Re: [VOTE][FASTTRACK] Struts 2.3.29
>
> 2016-06-22 11:10 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > not really sure on your example, but this works, is this the same?
> >
> > <s:iterator var="list" value="eventList" status="rowstatus"> <s:set
> > var="sequence" value="#list.sequence" /> .....
> > <s:textfield name="eventList(%{#sequence}).description"
> > value="%{#list.description}" maxlength="60" size="60" /> .....
> > </s:iterator>
>
> WoW! I'm impressed :)
>
> Greg
> can you post your answer here as well
> https://issues.apache.org/jira/browse/WW-4641
>
> Maybe that will solve Martin's issue :)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>
>
>
>

RE: [VOTE][FASTTRACK] Struts 2.3.29

Posted by da...@JavelinGroup.com.
Hi Greg,

Many thanks for the suggestion; we were going through that when we posted the comment on JIRA WW-4641.
The issue indeed only happens when the value is automatically extracted from the form rather than provided.
But we have too many usages (over a thousand) of <s:tag name="....%{...}..." /> without a value attribute to be able to "fix" all of them with such a work-around in a reasonable time-frame.

Regards,
Dario.

-----Original Message-----
From: Lukasz Lenart [mailto:lukaszlenart@apache.org]
Sent: 22 June 2016 10:15
To: Struts Developers List <de...@struts.apache.org>
Subject: Re: [VOTE][FASTTRACK] Struts 2.3.29

2016-06-22 11:10 GMT+02:00 Greg Huber <gr...@gmail.com>:
> not really sure on your example, but this works, is this the same?
>
> <s:iterator var="list" value="eventList" status="rowstatus"> <s:set
> var="sequence" value="#list.sequence" /> .....
> <s:textfield name="eventList(%{#sequence}).description"
> value="%{#list.description}" maxlength="60" size="60" /> .....
> </s:iterator>

WoW! I'm impressed :)

Greg
can you post your answer here as well
https://issues.apache.org/jira/browse/WW-4641

Maybe that will solve Martin's issue :)


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/






Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Lukasz Lenart <lu...@apache.org>.
2016-06-22 11:10 GMT+02:00 Greg Huber <gr...@gmail.com>:
> not really sure on your example, but this works, is this the same?
>
> <s:iterator var="list" value="eventList" status="rowstatus">
> <s:set var="sequence" value="#list.sequence" />
> .....
> <s:textfield name="eventList(%{#sequence}).description"
> value="%{#list.description}" maxlength="60" size="60" />
> .....
> </s:iterator>

WoW! I'm impressed :)

Greg
can you post your answer here as well
https://issues.apache.org/jira/browse/WW-4641

Maybe that will solve Martin's issue :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Greg Huber <gr...@gmail.com>.
not really sure on your example, but this works, is this the same?

<s:iterator var="list" value="eventList" status="rowstatus">
<s:set var="sequence" value="#list.sequence" />
.....
<s:textfield name="eventList(%{#sequence}).description"
value="%{#list.description}" maxlength="60" size="60" />
.....
</s:iterator>

On 22 June 2016 at 10:00, Lukasz Lenart <lu...@apache.org> wrote:

> 2016-06-22 10:56 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > If the style %{#entry.entryId} did not work it would completely break my
> > system? Which is working OK.
>
> It's the case when you have a list and are dynamically fetching elements
> from it, i.e.:
>
> // given
> String[] list = new String[]{"foo", "bar"};
> int index = 1;
>
> // when
> <s:someTag name="list[%{index}]" />
>
> // then
> <someTag name="list[1]" value="bar"/>
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>

Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Lukasz Lenart <lu...@apache.org>.
2016-06-22 10:56 GMT+02:00 Greg Huber <gr...@gmail.com>:
> If the style %{#entry.entryId} did not work it would completely break my
> system? Which is working OK.

It's the case when you have a list and are dynamically fetching elements
from it, i.e.:

// given
String[] list = new String[]{"foo", "bar"};
int index = 1;

// when
<s:someTag name="list[%{index}]" />

// then
<someTag name="list[1]" value="bar"/>


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
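
The two-pass name evaluation Lukasz describes above (the author's `%{...}` is expanded first, then the resulting name is evaluated against the value stack to fetch the field value), as an added Python model that is not Struts code; `Event`, `resolve`, `render_tag` and the sample stack are constructed for the illustration and are not Struts APIs. It also shows the guard that separates the intended double evaluation from the one the 2.3.29 patch (S2-036) closes: the second pass is refused when the expanded name still carries expression syntax, which only happens when stack data rather than the template supplied it.

```python
import re

# Toy model of how a Struts UI tag resolves its name attribute when no value
# attribute is given (the WW-4641 situation). Not Struts code; names below are
# assumptions for the illustration.
EXPR = re.compile(r"%\{([^}]*)\}")
TOKEN = re.compile(r"#?[A-Za-z_]\w*|\(\d+\)|\[\d+\]|\.[A-Za-z_]\w*")


class Event:
    """Constructed stand-in for the eventList elements used in the thread."""

    def __init__(self, sequence, description):
        self.sequence = sequence
        self.description = description


def resolve(path, stack, context):
    """Evaluate a simple property path against the value stack.

    Supports a root property (stack), #var (context, e.g. the iterator var),
    .prop, and list(index) / list[index]. This is a toy resolver, not OGNL;
    Struts treats list(i) specially for type conversion, here both just index.
    """
    pos, current, is_root = 0, None, True
    while pos < len(path):
        m = TOKEN.match(path, pos)
        if m is None:
            raise ValueError(f"cannot parse {path!r} at offset {pos}")
        tok = m.group(0)
        if is_root:
            current = context[tok[1:]] if tok.startswith("#") else stack[tok]
            is_root = False
        elif tok[0] in "([":
            current = current[int(tok[1:-1])]
        elif tok[0] == ".":
            current = getattr(current, tok[1:])
        else:
            raise ValueError(f"unexpected token {tok!r} in {path!r}")
        pos = m.end()
    return current


def expand_name(template_name, stack, context):
    """Pass 1: replace each %{expr} written by the JSP author in the name attribute."""
    return EXPR.sub(lambda m: str(resolve(m.group(1), stack, context)), template_name)


def render_tag(template_name, stack, context):
    """Simulate <s:textfield name="..."/> with no value attribute.

    Returns (rendered name, value). Pass 2 evaluates the expanded name to fetch
    the value. It is refused if the expanded name still contains %{...}, which
    can only come from data on the stack (e.g. a request parameter), never
    from the template itself.
    """
    name = expand_name(template_name, stack, context)
    if EXPR.search(name):
        raise ValueError("expanded name still contains %{...}; second evaluation refused")
    return name, resolve(name, stack, context)


def demo():
    # Constructed stack: Lukasz's list/index example, Greg's eventList, and one
    # property "q" whose content is assumed to have arrived from request data.
    stack = {
        "list": ["foo", "bar"],
        "index": 1,
        "eventList": [Event(0, "opening"), Event(1, "keynote")],
        "q": "%{list[0]}",
    }
    results = {"simple": render_tag("list[%{index}]", stack, {})}
    # Inside <s:iterator var="list" value="eventList">, #list is the current row;
    # <s:set var="sequence" value="#list.sequence"/> is Greg's workaround form.
    for ev in stack["eventList"]:
        context = {"list": ev, "sequence": ev.sequence}
        direct = render_tag("eventList(%{#list.sequence}).description", stack, context)
        via_set = render_tag("eventList(%{#sequence}).description", stack, context)
        assert direct == via_set  # both spellings yield the same name and value
        results[f"row{ev.sequence}"] = direct
    try:
        render_tag("%{q}", stack, {})
        results["tainted"] = "evaluated"
    except ValueError:
        results["tainted"] = "refused"
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```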



Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Greg Huber <gr...@gmail.com>.
If the style %{#entry.entryId} did not work it would completely break my
system? Which is working OK.



On 22 June 2016 at 09:47, Lukasz Lenart <lu...@apache.org> wrote:

> 2016-06-22 10:37 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > As there are web.xml, struts.xml and dtd changes for v2.5, testing prior
> > releases is problematic, so best to switch to the latest versions if
> > upgrading. Also the latest versions will get much more testing.
>
> The problem is that the mentioned issue affects 2.5 as well :/
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>

Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Lukasz Lenart <lu...@apache.org>.
2016-06-22 10:37 GMT+02:00 Greg Huber <gr...@gmail.com>:
> As there are web.xml, struts.xml and dtd changes for v2.5, testing prior
> releases is problematic, so best to switch to the latest versions if
> upgrading. Also the latest versions will get much more testing.

The problem is that the mentioned issue affects 2.5 as well :/


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Greg Huber <gr...@gmail.com>.
As there are web.xml, struts.xml and dtd changes for v2.5, testing prior
releases is problematic, so best to switch to the latest versions if
upgrading. Also the latest versions will get much more testing.

Cheers Greg

On 22 June 2016 at 09:28, Lukasz Lenart <lu...@apache.org> wrote:

> The vote is closed but it would be good if you could help us test a new
> release next time.
>
>
> Thanks in advance
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> 2016-06-21 16:15 GMT+02:00 dario.liberman@javelingroup.com
> <da...@javelingroup.com>:
> > -1
> >
> > Hi,
> >
> > Should 2.3.29 be recalled based on the regressions found for all Struts
> > tag name attribute expressions?
> > See: https://issues.apache.org/jira/browse/WW-4641
> >
> > Regards,
> >
> > Dario dot Liberman at JavelinGroup dot com
> >
> > On 2016-06-14 08:07 (+0100), Lukasz Lenart <lu...@apache.org>
> > wrote:
> >> The Struts 2.3.29 test build is now available. It includes the latest
> >> security patch which fixes a few possible vulnerabilities:
> >> - Action name clean up is error prone
> >> - Forced double OGNL evaluation, when evaluated on raw user input in
> >> tag attributes, may lead to remote code execution (similar to S2-029)
> >> - Remote Code Execution can be performed when using REST Plugin.
> >> - It is possible to bypass token validation and perform a CSRF attack
> >> - Getter as action method leads to security bypass
> >> - Input validation bypass using existing default action method.
> >> - Possible DoS attack when using URLValidator
> >>
> >> For details and the rationale behind these changes, please consult the
> >> corresponding security bulletins:
> >> * https://cwiki.apache.org/confluence/display/WW/S2-035
> >> * https://cwiki.apache.org/confluence/display/WW/S2-036
> >> * https://cwiki.apache.org/confluence/display/WW/S2-037
> >> * https://cwiki.apache.org/confluence/display/WW/S2-038
> >> * https://cwiki.apache.org/confluence/display/WW/S2-039
> >> * https://cwiki.apache.org/confluence/display/WW/S2-040
> >> * https://cwiki.apache.org/confluence/display/WW/S2-041
> >>
> >> Except the above, few other issues were resolved as well:
> >> [WW-4608] - Json result type breaks
> >> [WW-4618] - MessageStorePreResultListener doesn't store messages for
> >> 3rd-party RedirectResult subclasses
> >> [WW-4622] - [struts2-tiles-plugin] [2.3.28]
> >> [StrutsWildcardServletTilesApplicationContext] getRealPath
> >> [WW-4623] - Multiple tiles.xml in web.xml
> >> [WW-4624] - New Tiles version can not find tiles*.xml files in
> sub-directories
> >> [WW-4626] - EmailValidator flags .cat emails as invalid
> >> [WW-4627] - Struts2 JSON Plugin: messages in fieldsErrors are
> >> serialized twice since jdk1.7_80
> >> [WW-4629] - Tile definition Inheritance/overriding is broken in
> >> Struts2 tiles plugin 2.3.28+
> >> [WW-4630] - <s:submit> generates a value attribute for type=image
> >> which violates W3C
> >> [WW-4633] - ClassCastException while generating report using Struts
> >> 2.3.28 and jasperreports 4.5.1
> >>
> >> Release notes:
> >> * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.29
> >>
> >> Distribution:
> >> * https://dist.apache.org/repos/dist/dev/struts/2.3.29/
> >>
> >> Maven 2 staging repository:
> >> * https://repository.apache.org/content/repositories/staging/
> >>
> >> Once you have had a chance to review the test build, please respond
> >> with a vote on its quality:
> >>
> >> [ ] Leave at test build
> >> [ ] Alpha
> >> [ ] Beta
> >> [ ] General Availability (GA)
> >>
> >> Everyone who has tested the build is invited to vote. Votes by PMC
> >> members are considered binding. A vote passes if there are at least
> >> three binding +1s and more +1s than -1s.
> >>
> >> This is a "fast-track" release vote. If we have a positive vote after
> >> 24 hours (at least three binding +1s and more +1s than -1s),  the
> >> release may be submitted for mirroring and announced to the usual
> >> channels.
> >>
> >> The website download link will include the mirroring timestamp
> >> parameter [1], which limits the selection of mirrors to those that
> >> have been refreshed since the indicated time and date. (After 24
> >> hours, we *must* remove the timestamp parameter from the website link,
> >> to avoid unnecessary server load.) In the case of a fast-track
> >> release, the email announcement will not link directly to
> >> <download.cgi>, but to <downloads.html>, so that we can control use of
> >> the timestamp parameter.
> >>
> >> [1] http://apache.org/dev/mirrors.html#use
> >>
> >> - The Apache Struts group.
> >>
> >>
> >> Regards
> >> --
> >> Łukasz
> >> + 48 606 323 122 http://www.lenart.org.pl/
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >> For additional commands, e-mail: dev-help@struts.apache.org
> >>
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> > For additional commands, e-mail: dev-help@struts.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>

Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Lukasz Lenart <lu...@apache.org>.
The vote is closed but it would be good if you could next time help us
testing a new release.


Thanks in advance
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2016-06-21 16:15 GMT+02:00 dario.liberman@javelingroup.com
<da...@javelingroup.com>:
> -1
>
> Hi,
>
> Should 2.3.29 be recalled based on the regressions found for all Struts tag name attribute expressions?
> See: https://issues.apache.org/jira/browse/WW-4641
>
> Regards,
>
> Dario dot Liberman at JavelinGroup dot com

Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by "dario.liberman@javelingroup.com" <da...@javelingroup.com>.
-1

Hi,

Should 2.3.29 be recalled based on the regressions found for all Struts tag name attribute expressions?
See: https://issues.apache.org/jira/browse/WW-4641

Regards,

Dario dot Liberman at JavelinGroup dot com



Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Johannes Geppert <jo...@apache.org>.
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)

+1 binding

Johannes Geppert

#################################################
web: http://www.jgeppert.com
twitter: http://twitter.com/jogep



Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Lukasz Lenart <lu...@apache.org>.
2016-06-14 9:07 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)

+1 binding


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Lukasz Lenart <lu...@apache.org>.
2016-06-16 13:52 GMT+02:00 Greg Huber <gr...@gmail.com>:
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [x] General Availability (GA)
>
> +1 (b) ;)

Thanks!
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Greg Huber <gr...@gmail.com>.
[ ] Leave at test build
[ ] Alpha
[ ] Beta
[x] General Availability (GA)

+1 (b) ;)

On 16 June 2016 at 12:39, Lukasz Lenart <lu...@apache.org> wrote:

> One more vote is needed :)

Re: [VOTE][FASTTRACK] Struts 2.3.29

Posted by Lukasz Lenart <lu...@apache.org>.
One more vote is needed :)
