Posted to dev@struts.apache.org by Deborah White <De...@doj.ca.gov> on 2017/07/20 22:08:47 UTC

FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.

-----Original Message-----
From: Lukasz Lenart (JIRA) [mailto:jira@apache.org]
Sent: Thursday, July 13, 2017 9:32 PM
To: Deborah White <De...@doj.ca.gov>
Subject: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32


    [ https://issues.apache.org/jira/browse/WW-4815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16086832#comment-16086832 ]

Lukasz Lenart edited comment on WW-4815 at 7/14/17 4:31 AM:
------------------------------------------------------------

The best place to ask such a question is to subscribe to the User Mailing list, as there are more eyes to help you: http://struts.apache.org/mail.html

And to answer your question: there is no safe way to modify the exclusion, I would rather figure out in which expression you use this class and move the logic to an action.


was (Author: lukaszlenart):
The best place to ask such question is to subscribe to the User Mailing list as there are more eyes to help you http://struts.apache.org/mail.html

And to answer your question: there is no safe way to modify the exclusion, I would rather figure in which expression you use this class and move the logic to an action.

> Migrating Struts 2.3.16.3 to 2.3.32
> -----------------------------------
>
>                 Key: WW-4815
>                 URL: https://issues.apache.org/jira/browse/WW-4815
>             Project: Struts 2
>          Issue Type: Temp
>          Components: Core
>    Affects Versions: 2.3.16.3
>            Reporter: Deborah White
>             Fix For: 2.3.32
>
>
> I need some assistance and am hoping you can provide some insight.  I know this is probably not the place to do this, but I'm not finding answers elsewhere. I am updating from 2.3.16.3 to 2.3.32 due to the vulnerability.  The problem is that the excluded classes in the struts-default.xml are being used by my application and I certainly do not have time to do a rewrite.
> This is the Warning I get and then my application does not run as it should because it seems it is not forwarding the roles:
> WARN  [com.opensymphony.xwork2.ognl.SecurityMemberAccess] Package of target [org.apache.struts2.dispatcher.StrutsRequestWrapper@42f3b47f] or package of member [public boolean javax.servlet.http.HttpServletRequestWrapper.isUserInRole(java.lang.String)] are excluded!
> I need to know how I can safely modify the struts-default.xml and still have the fix for the vulnerability.  Also, if there is something I can instead include in my struts.xml file that would override, that would be better.  Thank you.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


CONFIDENTIALITY NOTICE: This communication with its contents may contain confidential and/or legally privileged information. It is solely for the use of the intended recipient(s). Unauthorized interception, review, use or disclosure is prohibited and may violate applicable laws including the Electronic Communications Privacy Act. If you are not the intended recipient, please contact the sender and destroy all copies of the communication.
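An added example of the approach Lukasz suggests above (move the logic into an action); this is not code from the thread, the JIRA issue, or the Struts project. The action asks the container for the role itself, so the view expression only ever calls a method on the action and never reaches the `javax.servlet.*` / `StrutsRequestWrapper` target that the 2.3.32 `SecurityMemberAccess` exclusion blocks. The package, class name and the role name `ADMIN` are hypothetical; `ServletRequestAware` is injected by the `servletConfig` interceptor that is part of the default stack in `struts-default.xml`.

```java
// Added example (hypothetical package/class): keep the 2.3.32 exclusion list as shipped
// and move the role check out of the OGNL expression and into the action.
package example.web;

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.interceptor.ServletRequestAware;

import com.opensymphony.xwork2.ActionSupport;

public class DashboardAction extends ActionSupport implements ServletRequestAware {

    // Deliberately no public getter for this field: exposing the wrapper to OGNL
    // (e.g. "request.isUserInRole('ADMIN')" in a JSP) would hit the same
    // javax.servlet.* package exclusion that produced the WARN quoted above.
    private HttpServletRequest request;

    @Override
    public void setServletRequest(HttpServletRequest request) {
        this.request = request;
    }

    // Called from the view as the OGNL expression userInRole('ADMIN').
    // OGNL invokes a method on the action (the value-stack root), not on
    // StrutsRequestWrapper, so SecurityMemberAccess allows the call.
    public boolean userInRole(String role) {
        return request != null && role != null && request.isUserInRole(role);
    }

    // Property-style accessor for the common case: <s:if test="admin">
    // "ADMIN" is a constructed placeholder for the application's real role name.
    public boolean isAdmin() {
        return userInRole("ADMIN");
    }

    @Override
    public String execute() {
        return SUCCESS;
    }
}
```

In the JSP, the expression that previously reached the request wrapper becomes `<s:if test="userInRole('ADMIN')">...</s:if>` or `<s:if test="admin">...</s:if>`. Nothing in `struts-default.xml` or `struts.xml` is changed, so the fix for the vulnerability stays intact. If the `WARN [com.opensymphony.xwork2.ognl.SecurityMemberAccess] ... are excluded!` line still appears after the change, the remaining expression targets another excluded class; the message names both the target and the member, which is the quickest way to find the next expression to move.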

RE: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Posted by Deborah White <De...@doj.ca.gov>.
Sorry, as I said I'm new.  Will this allow access to the excluded packages (ognl)?

-----Original Message-----
From: Yasser Zamani [mailto:yasser.zamani@live.com]
Sent: Thursday, July 20, 2017 10:55 PM
To: Struts Developers List <de...@struts.apache.org>
Subject: Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Hi there, welcome to the dev list :)

Do you need access to excluded packages in your JSPs? I had a similar issue and you can see my solution at [1]. I did not need to rewrite anything, and a find/replace did all the needed changes. Please review my solution to see if it also resolves yours. If not, please feel free to continue here for a solution :)

[1] https://github.com/apache/struts/pull/125#issuecomment-293608411

On 7/21/2017 2:38 AM, Deborah White wrote:
> Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org



Re: FW: [jira] [Comment Edited] (WW-4815) Migrating Struts 2.3.16.3 to 2.3.32

Posted by Yasser Zamani <ya...@live.com>.
Hi there, welcome to the dev list :)

Do you need access to excluded packages in your JSPs? I had a similar issue and you can see my solution at [1]. I did not need to rewrite anything, and a find/replace did all the needed changes. Please review my solution to see if it also resolves yours. If not, please feel free to continue here for a solution :)

[1] https://github.com/apache/struts/pull/125#issuecomment-293608411

On 7/21/2017 2:38 AM, Deborah White wrote:
> Please see the content below.  Fairly new to Struts and I'm guessing someone out there has been through this.  Any help would be appreciated.
