Posted to commits@struts.apache.org by lu...@apache.org on 2021/01/02 17:45:03 UTC

[struts] branch master updated: WW-4945 Logs missing action invocation as WARN

This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git


The following commit(s) were added to refs/heads/master by this push:
     new dcc53ae  WW-4945 Logs missing action invocation as WARN
dcc53ae is described below

commit dcc53aebf983f6c0a48932262facb81f5d82815c
Author: Lukasz Lenart <lu...@apache.org>
AuthorDate: Sat Jan 2 18:44:55 2021 +0100

    WW-4945 Logs missing action invocation as WARN
---
 core/src/main/java/org/apache/struts2/views/jsp/TagUtils.java | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/core/src/main/java/org/apache/struts2/views/jsp/TagUtils.java b/core/src/main/java/org/apache/struts2/views/jsp/TagUtils.java
index e4c1645..8b8c647 100644
--- a/core/src/main/java/org/apache/struts2/views/jsp/TagUtils.java
+++ b/core/src/main/java/org/apache/struts2/views/jsp/TagUtils.java
@@ -23,6 +23,8 @@ import com.opensymphony.xwork2.ActionInvocation;
 import com.opensymphony.xwork2.config.ConfigurationException;
 import com.opensymphony.xwork2.util.ValueStack;
 import com.opensymphony.xwork2.util.ValueStackFactory;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.apache.struts2.RequestUtils;
 import org.apache.struts2.ServletActionContext;
 import org.apache.struts2.dispatcher.ApplicationMap;
@@ -41,6 +43,8 @@ import java.util.Map;
 
 public class TagUtils {
 
+    private static final Logger LOG = LogManager.getLogger(TagUtils.class);
+
     public static ValueStack getStack(PageContext pageContext) {
         HttpServletRequest req = (HttpServletRequest) pageContext.getRequest();
         ValueStack stack = ServletActionContext.getValueStack(req);
@@ -88,6 +92,9 @@ public class TagUtils {
         ActionInvocation invocation = context.getActionInvocation();
 
         if (invocation == null) {
+            TagUtils.LOG.warn("ActionInvocation is null, tag has been executed out of the Action and this can lead " +
+                "to a security vulnerability, please read http://struts.apache.org/security/#never-expose-jsp-files-directly !");
+
             ActionMapping mapping = mapper.getMapping(request,
                     Dispatcher.getInstance().getConfigurationManager());
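Review bot: The WARN added under `if (invocation == null)` does not say which request triggered it, so a reader of the log cannot tell which JSP is reachable without going through an action. Assuming `request` (used two lines below) is the `HttpServletRequest`, a parameterized form such as `LOG.warn("ActionInvocation is null for [{}], tag has been executed out of the Action ...", request.getRequestURI());` would make the entry actionable; the URI is client-supplied, so the log layout should neutralise line breaks. The message is also written on every call that reaches this branch, so a directly reachable JSP lets any client generate WARN entries at will, and logging once per path or throttling would bound that. Minor points: the `TagUtils.` qualifier on `LOG` is redundant inside the class, and the link in the message uses `http://` rather than `https://`. The enclosing method starts and ends outside the hunk.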