Posted to commits@struts.apache.org by lu...@apache.org on 2021/01/02 17:45:03 UTC
[struts] branch master updated: WW-4945 Logs missing action
invocation as WARN
This is an automated email from the ASF dual-hosted git repository.
lukaszlenart pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git
The following commit(s) were added to refs/heads/master by this push:
new dcc53ae WW-4945 Logs missing action invocation as WARN
dcc53ae is described below
commit dcc53aebf983f6c0a48932262facb81f5d82815c
Author: Lukasz Lenart <lu...@apache.org>
AuthorDate: Sat Jan 2 18:44:55 2021 +0100
WW-4945 Logs missing action invocation as WARN
---
core/src/main/java/org/apache/struts2/views/jsp/TagUtils.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/core/src/main/java/org/apache/struts2/views/jsp/TagUtils.java b/core/src/main/java/org/apache/struts2/views/jsp/TagUtils.java
index e4c1645..8b8c647 100644
--- a/core/src/main/java/org/apache/struts2/views/jsp/TagUtils.java
+++ b/core/src/main/java/org/apache/struts2/views/jsp/TagUtils.java
@@ -23,6 +23,8 @@ import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.config.ConfigurationException;
import com.opensymphony.xwork2.util.ValueStack;
import com.opensymphony.xwork2.util.ValueStackFactory;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
import org.apache.struts2.RequestUtils;
import org.apache.struts2.ServletActionContext;
import org.apache.struts2.dispatcher.ApplicationMap;
@@ -41,6 +43,8 @@ import java.util.Map;
public class TagUtils {
+ private static final Logger LOG = LogManager.getLogger(TagUtils.class);
+
public static ValueStack getStack(PageContext pageContext) {
HttpServletRequest req = (HttpServletRequest) pageContext.getRequest();
ValueStack stack = ServletActionContext.getValueStack(req);
@@ -88,6 +92,9 @@ public class TagUtils {
ActionInvocation invocation = context.getActionInvocation();
if (invocation == null) {
+ TagUtils.LOG.warn("ActionInvocation is null, tag has been executed out of the Action and this can lead " +
+ "to a security vulnerability, please read http://struts.apache.org/security/#never-expose-jsp-files-directly !");
+
ActionMapping mapping = mapper.getMapping(request,
Dispatcher.getInstance().getConfigurationManager());
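Review bot: The warning added in the `invocation == null` branch does not say which page was rendered outside an action, so an operator who sees it cannot tell which JSP is directly reachable. Passing the path as a log parameter would make it actionable, e.g. `LOG.warn("ActionInvocation is null for [{}], tag has been executed out of the Action ...", request.getServletPath());`, assuming `request` is the HttpServletRequest handed to `mapper.getMapping` just below. Since a client can presumably request such a JSP repeatedly, this line may be written at WARN at request rate, so it is worth confirming that log rotation or throttling covers it. The linked guidance is given over `http://`; `https://struts.apache.org/security/#never-expose-jsp-files-directly` would be preferable, and the `TagUtils.` qualifier on `LOG` is redundant inside the class. The enclosing method starts and ends outside the hunk.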