Posted to commits@struts.apache.org by lu...@apache.org on 2016/03/17 09:32:29 UTC

svn commit: r982993 - in /websites/production/struts/content/docs: s2-028.html s2-029.html s2-030.html security.html version-notes-2325.html version-notes-2326.html

Author: lukaszlenart
Date: Thu Mar 17 08:32:29 2016
New Revision: 982993

Log:
Updates production

Added:
    websites/production/struts/content/docs/version-notes-2326.html
Removed:
    websites/production/struts/content/docs/version-notes-2325.html
Modified:
    websites/production/struts/content/docs/s2-028.html
    websites/production/struts/content/docs/s2-029.html
    websites/production/struts/content/docs/s2-030.html
    websites/production/struts/content/docs/security.html

Modified: websites/production/struts/content/docs/s2-028.html
==============================================================================
--- websites/production/struts/content/docs/s2-028.html (original)
+++ websites/production/struts/content/docs/s2-028.html Thu Mar 17 08:32:29 2016
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-028-Summary">Summary</h2>Use of a JRE with broken URLDecoder implementation may lead to XSS vulnerability in Struts 2 based web applications.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Affects of a cross-site scripting vulnerability.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade runtime JRE to a recent major version, preferably 1.8. 
 Alternatively upgrade to <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts2325">Struts 2.3.25</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>WhiteHat Security (<a shape="rect" class="external-link" href="http://whitehatsec.com" rel="nofollow">whitehatsec.com</a>)</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">-</span></p></td></tr></tbody></table></div><h2 id="S2-028-Problem">Problem</h2><p>When using a single byte page encoding such as ISO-8895-1, an attacker might submit a non-spec URL-encoded p
 arameter value including multi-byte characters.</p><p>Struts 2 used the standard JRE URLDecoder to decode parameter values.&#160;<span>Especially JRE 1.5's URLDecoder implementation seems to be broken to the point that this non-spec encoding isn't rejected / filtered. In later JREs the issue was fixed, best known solution is found in JRE 1.8.</span></p><h2 id="S2-028-Solution">Solution</h2><p>Upgrade runtime JRE/JDK, preferably to the most recent 1.8 version.</p><p>Alternatively&#160;<span style="line-height: 1.42857;">upgrade to Struts 2.3.25, which includes and uses a safe URLDecoder implementation from Apache Tomcat</span></p><h2 id="S2-028-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.25</p><h2 id="S2-028-Workaround">Workaround</h2><p>Use UTF-8 for page and parameter encoding.</p><h2 id="S2-028-FurtherReference">Further Reference</h2><p><style>
+            <div id="ConfluenceContent"><h2 id="S2-028-Summary">Summary</h2>Use of a JRE with broken URLDecoder implementation may lead to XSS vulnerability in Struts 2 based web applications.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Affects of a cross-site scripting vulnerability.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade runtime JRE to a recent major version, preferably 1.8. 
 Alternatively upgrade to <a shape="rect" href="version-notes-2326.html">Struts 2.3.26</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>WhiteHat Security (<a shape="rect" class="external-link" href="http://whitehatsec.com" rel="nofollow">whitehatsec.com</a>)</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">-</span></p></td></tr></tbody></table></div><h2 id="S2-028-Problem">Problem</h2><p>When using a single byte page encoding such as ISO-8895-1, an attacker might submit a non-spec URL-encoded parameter value including multi-byte characters.
 </p><p>Struts 2 used the standard JRE URLDecoder to decode parameter values.&#160;<span>Especially JRE 1.5's URLDecoder implementation seems to be broken to the point that this non-spec encoding isn't rejected / filtered. In later JREs the issue was fixed, best known solution is found in JRE 1.8.</span></p><h2 id="S2-028-Solution">Solution</h2><p>Upgrade runtime JRE/JDK, preferably to the most recent 1.8 version.</p><p>Alternatively&#160;<span style="line-height: 1.42857;">upgrade to Struts 2.3.26, which includes and uses a safe URLDecoder implementation from Apache Tomcat</span></p><h2 id="S2-028-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.26</p><h2 id="S2-028-Workaround">Workaround</h2><p>Use UTF-8 for page and parameter encoding.</p><h2 id="S2-028-FurtherReference">Further Reference</h2><p><style>
     .jira-issue {
         padding: 0 0 0 2px;
         line-height: 20px;
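Review bot: the charset name in the Problem paragraph, "ISO-8895-1", is wrong in both the removed and the added line; the single-byte encoding the advisory means is ISO-8859-1, and since this line is being rewritten anyway the typo should go with it. The renumbering from 2.3.25 to 2.3.26 also leaves two smaller defects in place on the same line: the Affected Software cell reads "Struts 2.0.0 - Struts Struts 2.3.24.1" (doubled "Struts"), and the Impact cell reads "Affects of a cross-site scripting vulnerability", which should simply say "Cross-site scripting vulnerability". The CVE Identifier cell is still "-"; if no CVE has been assigned, state that in words rather than leaving a dash, because readers scan this row to correlate advisories across sources.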

Modified: websites/production/struts/content/docs/s2-029.html
==============================================================================
--- websites/production/struts/content/docs/s2-029.html (original)
+++ websites/production/struts/content/docs/s2-029.html Thu Mar 17 08:32:29 2016
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-029-Summary">Summary</h2>Double OGNL evaluation when using raw user input in tag's attributes.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Always validate incoming parameters' values when re-assigning them to certain Struts' tags attributes. Alternative
 ly upgrade to <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts2325">Struts 2.3.25</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Romain Gaucher rgaucher at coverity dot com - <a shape="rect" class="external-link" href="http://www.coverity.com/" rel="nofollow">Coverity</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></table></div><h2 id="S2-029-Problem">Problem</h2><p>The Apache Struts frameworks performs double evaluation of attributes' values assigned
  to certain tags so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered.</p><h2 id="S2-029-Solution">Solution</h2><p>Adding a proper validation of each value that's coming in and it's used in tag's attributes.&#160;Alternatively&#160;<span style="line-height: 1.42857;">upgrade to Struts 2.3.25.</span></p><h2 id="S2-029-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.25</p><h2 id="S2-029-Workaround">Workaround</h2><p>Not possible</p></div>
+            <div id="ConfluenceContent"><h2 id="S2-029-Summary">Summary</h2>Double OGNL evaluation when using raw user input in tag's attributes.<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible Remote Code Execution vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Important</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Always validate incoming parameters' values when re-assigning them to certain Struts' tags attributes. Alternative
 ly upgrade to <a shape="rect" href="version-notes-2326.html">Struts 2.3.26</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Romain Gaucher rgaucher at coverity dot com - <a shape="rect" class="external-link" href="http://www.coverity.com/" rel="nofollow">Coverity</a></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">CVE-2016-0785</span></p></td></tr></tbody></table></div><h2 id="S2-029-Problem">Problem</h2><p>The Apache Struts frameworks performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a
  value that will be evaluated again when a tag's attributes will be rendered.</p><h2 id="S2-029-Solution">Solution</h2><p>Adding a proper validation of each value that's coming in and it's used in tag's attributes.&#160;Alternatively&#160;<span style="line-height: 1.42857;">upgrade to Struts 2.3.26.</span></p><h2 id="S2-029-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.26</p><h2 id="S2-029-Workaround">Workaround</h2><p>Not possible</p></div>
         </div>
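Review bot: the Workaround row still says "Not possible" while the Recommendation and Solution rows on the same line tell users to validate every incoming value before assigning it to a tag attribute; one of these is wrong. For a double-OGNL-evaluation issue the validation advice is exactly the workaround for users who cannot upgrade, so the Workaround cell should repeat it (or explain why validation is not sufficient on its own). Minor wording carried over unchanged: "The Apache Struts frameworks performs" should be "framework performs", and "Adding a proper validation of each value that's coming in and it's used in tag's attributes" should be "Add proper validation of each incoming value that is used in a tag's attributes".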
 
         

Modified: websites/production/struts/content/docs/s2-030.html
==============================================================================
--- websites/production/struts/content/docs/s2-030.html (original)
+++ websites/production/struts/content/docs/s2-030.html Thu Mar 17 08:32:29 2016
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-030-Summary">Summary</h2>Possible XSS vulnerability in <code>I18NInterceptor</code><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible XSS vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Do not expose parts of <code>Locale</code> object constructed by <code>I18NInterceptor</code> as it may contain user specific string which may leads 
 to XSS vulnerability.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Paolo Perliti paolo dot perliti at miliaris dot it - <a shape="rect" class="external-link" href="http://www.miliaris.it/" rel="nofollow">M<span>iliaris</span></a><span>&#160;</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-2162</p></td></tr></tbody></table></div><h2 id="S2-030-Problem">Problem</h2><p>The Apache Struts framework uses <code>I18NInterceptor</code> to allow users and developers switch language used in the framework and an application built on top of it. The problem is that the in
 terceptor doesn't perform any validation of the user input and accept arbitrary string which can be used by a developer to display language selected by the user. However, the framework doesn't expose the value directly in UI.</p><h2 id="S2-030-Solution">Solution</h2><p>If you want present language selected by user based on <code>I18NInterceptor</code> always escape the string before presenting it to the user.&#160;Alternatively&#160;<span style="line-height: 1.42857;">upgrade to Struts 2.3.25.</span></p><h2 id="S2-030-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.25</p><h2 id="S2-030-Workaround">Workaround</h2><p>When needed you can use <a shape="rect" class="external-link" href="https://commons.apache.org/proper/commons-lang/javadocs/api-3.4/org/apache/commons/lang3/StringEscapeUtils.html">StringEscapeUtils</a> from the Apache Commons to escape the string.</p></div>
+            <div id="ConfluenceContent"><h2 id="S2-030-Summary">Summary</h2>Possible XSS vulnerability in <code>I18NInterceptor</code><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Possible XSS vulnerability</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Do not expose parts of <code>Locale</code> object constructed by <code>I18NInterceptor</code> as it may contain user specific string which may leads 
 to XSS vulnerability. Alternatively upgrade to&#160;<a shape="rect" href="version-notes-2326.html">Struts 2.3.26</a>.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.24.1</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Paolo Perliti paolo dot perliti at miliaris dot it - <a shape="rect" class="external-link" href="http://www.miliaris.it/" rel="nofollow">M<span>iliaris</span></a><span>&#160;</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2016-2162</p></td></tr></tbody></table></div><h2 id="S2-030-Problem">Problem</h2><p>The Apache Struts framework uses <code>I18NInterceptor</code> to allow users and developers switch 
 language used in the framework and an application built on top of it. The problem is that the interceptor doesn't perform any validation of the user input and accept arbitrary string which can be used by a developer to display language selected by the user. However, the framework doesn't expose the value directly in UI.</p><h2 id="S2-030-Solution">Solution</h2><p>If you want present language selected by user based on <code>I18NInterceptor</code> always escape the string before presenting it to the user.&#160;Alternatively&#160;<span style="line-height: 1.42857;">upgrade to Struts 2.3.26.</span></p><h2 id="S2-030-Backwardcompatibility">Backward compatibility</h2><p>No issues expected when upgrading to Struts 2.3.26</p><h2 id="S2-030-Workaround">Workaround</h2><p>When needed you can use <a shape="rect" class="external-link" href="https://commons.apache.org/proper/commons-lang/javadocs/api-3.4/org/apache/commons/lang3/StringEscapeUtils.html">StringEscapeUtils</a> from the Apache Common
 s to escape the string.</p></div>
         </div>
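Review bot: the new Recommendation text adds "Alternatively upgrade to Struts 2.3.26", but the Problem paragraph on the same line still says the interceptor "doesn't perform any validation of the user input" and that "the framework doesn't expose the value directly in UI", so a reader cannot tell what the upgrade changes. Add one sentence stating what 2.3.26 does differently in I18NInterceptor (whether the request parameter is now validated, or the Locale no longer carries the raw string); otherwise the escaping advice in Solution and the upgrade advice read as unrelated remedies. Also carried over unchanged: "Struts 2.0.0 - Struts Struts 2.3.24.1" (doubled "Struts"), "which may leads to XSS vulnerability" should be "which may lead to an XSS vulnerability", and "If you want present language selected by user" should be "If you want to present the language selected by the user".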
 
         

Modified: websites/production/struts/content/docs/security.html
==============================================================================
--- websites/production/struts/content/docs/security.html (original)
+++ websites/production/struts/content/docs/security.html Thu Mar 17 08:32:29 2016
@@ -139,11 +139,11 @@ under the License.
     <div class="pagecontent">
         <div class="wiki-content">
             <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1457693901922 {padding: 0px;}
-div.rbtoc1457693901922 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1457693901922 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1458203471142 {padding: 0px;}
+div.rbtoc1458203471142 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1458203471142 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1457693901922">
+/*]]>*/</style></p><div class="toc-macro rbtoc1458203471142">
 <ul class="toc-indentation"><li><a shape="rect" href="#Security-Securitytips">Security tips</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#Security-RestrictaccesstotheConfigBrowser">Restrict access to the Config Browser</a></li><li><a shape="rect" href="#Security-Don'tmixdifferentaccesslevelsinthesamenamespace">Don't mix different access levels in the same namespace</a></li><li><a shape="rect" href="#Security-NeverexposeJSPfilesdirectly">Never expose JSP files directly</a></li><li><a shape="rect" href="#Security-DisabledevMode">Disable devMode</a></li><li><a shape="rect" href="#Security-UseUTF-8encoding">Use UTF-8 encoding</a></li></ul>
 </li><li><a shape="rect" href="#Security-Internalsecuritymechanism">Internal security mechanism</a>
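Review bot: the only change in this hunk is the generated TOC class name (rbtoc1457693901922 to rbtoc1458203471142), which is a publish timestamp; every regeneration will churn these five lines and bury real content changes in the diff of security.html. If the export tooling allows it, give the TOC macro a stable class, or strip the timestamp suffix in the publish step, so this file only shows a diff when its content changes.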
@@ -177,7 +177,7 @@ div.rbtoc1457693901922 li {margin-left:
     &lt;description&gt;Don't assign users to this role&lt;/description&gt;
     &lt;role-name&gt;no-users&lt;/role-name&gt;
 &lt;/security-role&gt;</pre>
-</div></div><p>The best approach is to used the both solutions.</p><h4 id="Security-DisabledevMode">Disable devMode</h4><p>The&#160;<code style="line-height: 1.4285715;">devMode</code> is very useful option back can expose your application presenting too many informations of application's internals. Please always disable the&#160;<code>devMode</code> before deploying your application to a production environment.</p><h4 id="Security-UseUTF-8encoding">Use UTF-8 encoding</h4><p>Always use&#160;<code>UTF-8</code> encoding when building an application with the Apache Struts 2, when using JSPs please add the following header to each JSP file</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>The best approach is to used the both solutions.</p><h4 id="Security-DisabledevMode">Disable devMode</h4><p>The&#160;<code style="line-height: 1.4285715;">devMode</code> is a very useful option during development time, allowing for deep introspection and debugging into you app.</p><p>However, in production it exposes your application to be presenting too many informations on application's internals or to evaluating risky parameter expressions.</p><div class="confluence-information-macro confluence-information-macro-note"><p class="title">How to disable devMode in production</p><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>Please <strong>always disable&#160;<code>devMode</code></strong>&#160;before deploying your application to a production environment. While it is disabled by default, your struts.xml might include a line setting it to true. The best way is to ensure
  the following setting is applied to our struts.xml for production deployment:</p><pre><span>&lt;</span><span style="color: rgb(0,0,128);">constant </span><span style="color: rgb(0,0,255);">name</span><span style="color: rgb(0,128,0);">="struts.devMode" </span><span style="color: rgb(0,0,255);">value</span><span style="color: rgb(0,128,0);">="false"</span><span>/&gt;</span></pre></div></div><p>&#160;</p><h4 id="Security-UseUTF-8encoding">Use UTF-8 encoding</h4><p>Always use&#160;<code>UTF-8</code> encoding when building an application with the Apache Struts 2, when using JSPs please add the following header to each JSP file</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;%@ page contentType="text/html; charset=UTF-8" %&gt;</pre>
 </div></div><h3 id="Security-Internalsecuritymechanism">Internal security mechanism</h3><p>The Apache Struts 2 contains internal security manager which blocks access to particular classes and Java packages - it's a OGNL-wide mechanism which means it affects any aspect of the framework ie. incoming parameters, expressions used in JSPs, etc.</p><p>There are three options that can be used to configure excluded packages and classes:</p><ul style="list-style-type: square;"><li><code>struts.excludedClasses</code> - comma-separated list of excluded classes</li><li><code>struts.excludedPackageNamePatterns</code> - patterns used to exclude packages based on RegEx - this option is slower than simple string comparison but it's more flexible</li><li><code>struts.excludedPackageNames</code> - comma-separated list of excluded packages, it is used with simple string comparison via&#160;<code>startWith</code> and&#160;<code>equals</code></li></ul><p>The defaults are as follow:</p><div class="code p
 anel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;constant name="struts.excludedClasses"
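Review bot: the new devMode note says the option "is disabled by default" and then only shows the struts.xml constant, yet the sentence before it names the real risk, a forgotten line setting it to true. The practical check is therefore to confirm the deployed artifact does not enable it anywhere: tell readers to search the built WAR (struts.xml, struts.properties and any included configuration) for struts.devMode before relying on the explicit `value="false"` constant, since the constant documents intent but does not find a stray true elsewhere. Wording on the same line: "into you app" should be "into your app", "too many informations on application's internals" should be "too much information about the application's internals", "applied to our struts.xml" should be "applied to your struts.xml", and the unchanged context above it, "The best approach is to used the both solutions", should read "The best approach is to use both solutions".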

Added: websites/production/struts/content/docs/version-notes-2326.html
==============================================================================
--- websites/production/struts/content/docs/version-notes-2326.html (added)
+++ websites/production/struts/content/docs/version-notes-2326.html Thu Mar 17 08:32:29 2016
@@ -0,0 +1,168 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License. 
+-->
+<html>
+<head>
+    <link type="text/css" rel="stylesheet" href="https://struts.apache.org/css/default.css">
+    <style type="text/css">
+        .dp-highlighter {
+            width:95% !important;
+        }
+    </style>
+    <style type="text/css">
+        .footer {
+            background-image:      url('https://cwiki.apache.org/confluence/images/border/border_bottom.gif');
+            background-repeat:     repeat-x;
+            background-position:   left top;
+            padding-top:           4px;
+            color:                 #666;
+        }
+    </style>
+    <link href='https://struts.apache.org/highlighter/style/shCoreStruts.css' rel='stylesheet' type='text/css' />
+    <link href='https://struts.apache.org/highlighter/style/shThemeStruts.css' rel='stylesheet' type='text/css' />
+    <script src='https://struts.apache.org/highlighter/js/shCore.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushPlain.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushXml.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJava.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushJScript.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushGroovy.js' type='text/javascript'></script>
+    <script src='https://struts.apache.org/highlighter/js/shBrushBash.js' type='text/javascript'></script>
+    <script type="text/javascript">
+        SyntaxHighlighter.defaults['toolbar'] = false;
+        SyntaxHighlighter.all();
+    </script>
+    <script type="text/javascript" language="javascript">
+        var hide = null;
+        var show = null;
+        var children = null;
+
+        function init() {
+            /* Search form initialization */
+            var form = document.forms['search'];
+            if (form != null) {
+                form.elements['domains'].value = location.hostname;
+                form.elements['sitesearch'].value = location.hostname;
+            }
+
+            /* Children initialization */
+            hide = document.getElementById('hide');
+            show = document.getElementById('show');
+            children = document.all != null ?
+                    document.all['children'] :
+                    document.getElementById('children');
+            if (children != null) {
+                children.style.display = 'none';
+                show.style.display = 'inline';
+                hide.style.display = 'none';
+            }
+        }
+
+        function showChildren() {
+            children.style.display = 'block';
+            show.style.display = 'none';
+            hide.style.display = 'inline';
+        }
+
+        function hideChildren() {
+            children.style.display = 'none';
+            show.style.display = 'inline';
+            hide.style.display = 'none';
+        }
+    </script>
+    <title>Version Notes 2.3.26</title>
+</head>
+<body onload="init()">
+<table border="0" cellpadding="2" cellspacing="0" width="100%">
+    <tr class="topBar">
+        <td align="left" valign="middle" class="topBarDiv" align="left" nowrap>
+            &nbsp;<a href="home.html">Home</a>&nbsp;&gt;&nbsp;<a href="guides.html">Guides</a>&nbsp;&gt;&nbsp;<a href="migration-guide.html">Migration Guide</a>&nbsp;&gt;&nbsp;<a href="version-notes-2326.html">Version Notes 2.3.26</a>
+        </td>
+        <td align="right" valign="middle" nowrap>
+            <form name="search" action="https://www.google.com/search" method="get">
+                <input type="hidden" name="ie" value="UTF-8" />
+                <input type="hidden" name="oe" value="UTF-8" />
+                <input type="hidden" name="domains" value="" />
+                <input type="hidden" name="sitesearch" value="" />
+                <input type="text" name="q" maxlength="255" value="" />
+                <input type="submit" name="btnG" value="Google Search" />
+            </form>
+        </td>
+    </tr>
+</table>
+
+<div id="PageContent">
+    <div class="pageheader" style="padding: 6px 0px 0px 0px;">
+        <!-- We'll enable this once we figure out how to access (and save) the logo resource -->
+        <!--img src="/wiki/images/confluence_logo.gif" style="float: left; margin: 4px 4px 4px 10px;" border="0"-->
+        <div style="margin: 0px 10px 0px 10px" class="smalltext">Apache Struts 2 Documentation</div>
+        <div style="margin: 0px 10px 8px 10px"  class="pagetitle">Version Notes 2.3.26</div>
+
+        <div class="greynavbar" align="right" style="padding: 2px 10px; margin: 0px;">
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687305">
+                <img src="https://cwiki.apache.org/confluence/images/icons/notep_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Edit Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=62687305">Edit Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">
+                <img src="https://cwiki.apache.org/confluence/images/icons/browse_space.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Browse Space"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/listpages.action?key=WW">Browse Space</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687305">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_page_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add Page"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=WW&fromPageId=62687305">Add Page</a>
+            &nbsp;
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687305">
+                <img src="https://cwiki.apache.org/confluence/images/icons/add_blogentry_16.gif"
+                     height="16" width="16" border="0" align="absmiddle" title="Add News"></a>
+            <a href="https://cwiki.apache.org/confluence/pages/createblogpost.action?spaceKey=WW&fromPageId=62687305">Add News</a>
+        </div>
+    </div>
+
+    <div class="pagecontent">
+        <div class="wiki-content">
+            <div id="ConfluenceContent"><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> These are the notes for the Struts 2.3.26 distribution.</p><p><img class="emoticon emoticon-tick" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/check.png" data-emoticon-name="tick" alt="(tick)"> For prior notes in this release series, see <a shape="rect" href="version-notes-2320.html">Version Notes 2.3.20</a></p><ul><li>If you are a Maven user, you might want to get started using the <a shape="rect" href="struts-2-maven-archetypes.html">Maven Archetype</a>.</li><li>Another quick-start entry point is the <strong>blank</strong> application. Rename and deploy the WAR as a starting point for your own development.</li><li>There is huge number of examples you can als
 o use as a starting point for you application&#160;<a shape="rect" class="external-link" href="https://github.com/apache/struts-examples" rel="nofollow">here</a></li></ul><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Maven Dependency</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;dependency&gt;
+  &lt;groupId&gt;org.apache.struts&lt;/groupId&gt;
+  &lt;artifactId&gt;struts2-core&lt;/artifactId&gt;
+  &lt;version&gt;2.3.26&lt;/version&gt;
+&lt;/dependency&gt;
+</pre>
+</div></div><p>You can also use Struts Archetype Catalog like below</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Struts Archetype Catalog</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: text; gutter: false; theme: Default" style="font-size:12px;">mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/</pre>
+</div></div><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Staging Repository</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;repositories&gt;
+  &lt;repository&gt;
+    &lt;id&gt;apache.nexus&lt;/id&gt;
+    &lt;name&gt;ASF Nexus Staging&lt;/name&gt;
+    &lt;url&gt;https://repository.apache.org/content/groups/staging/&lt;/url&gt;
+  &lt;/repository&gt;
+&lt;/repositories&gt;</pre>
+</div></div><h2 id="VersionNotes2.3.26-InternalChanges">Internal Changes</h2><ul><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)">&#160;Possible XSS vulnerability in pages not using UTF-8 was fixed, read more details in&#160;<a shape="rect" href="s2-028.html">S2-028</a></li><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/warning.png" data-emoticon-name="warning" alt="(warning)">&#160;Prevents possible RCE when reusing user input in tag's attributes, see more details in&#160;<a shape="rect" href="s2-029.html">S2-029</a></li><li><img class="emoticon emoticon-warning" src="https://cwiki.apache.org/confluence/s/en_GB/5982/f2b47fb3d636c8bc9fd0b11c0ec6d0ae18646be7.1/_/images/icons/emoticons/warning.png"
  data-emoticon-name="warning" alt="(warning)">&#160;<code>I18NInterceptor</code> narrows selected locale to those available in JVM to reduce possibility of another XSS vulnerability, see more details in&#160;<a shape="rect" href="s2-030.html">S2-030</a></li><li>New&#160;<code>Configurationprovider</code> type was introduced -&#160;<a shape="rect" href="configuration-provider-configuration.html">ServletContextAwareConfigurationProvider</a>, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4410">WW-4410</a></li><li>Setting status code in <code>HttpHeaders</code>&#160;isn't ignored anymore, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4545">WW-4545</a></li><li>Spring <code>BeanPostProcessor(s)</code>&#160;are called only once to constructed objects., see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4554">WW-4554</a></li><li>OGNL was upgraded to vers
 ion 3.0.13, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4562">WW-4562</a></li><li>Tiles 2 Plugin was upgraded to latest available Tiles 2 version, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4568">WW-4568</a></li><li>A dedicated assembly with minimal set of jars was defined, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4570">WW-4570</a></li><li>Struts2 Rest plugin properly handles JSESSIONID with DMI, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4585">WW-4585</a></li><li>Improved the Struts2 Rest plugin to honor Accept header, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4588">WW-4588</a></li><li><code>MessageStoreInterceptor</code> was refactored to use&#160;<code>PreResultListener</code>&#160;to store messages, see&#160;<a shape="rect" cl
 ass="external-link" href="https://issues.apache.org/jira/browse/WW-4605">WW-4605</a></li><li>A new annotation was added to support configuring Tiles - <code>@TilesDefinition</code>, see&#160;<a shape="rect" class="external-link" href="https://issues.apache.org/jira/browse/WW-4606">WW-4606</a></li><li>and many other small improvements, please see the release notes</li></ul><p>&#160;</p><div class="confluence-information-macro confluence-information-macro-note"><span class="aui-icon aui-icon-small aui-iconfont-warning confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>This release contains fix related to <a shape="rect" href="s2-028.html">S2-028</a>, <a shape="rect" href="s2-029.html">S2-029</a> and <a shape="rect" href="s2-030.html">S2-030</a> security bulletins, please read it carefully!</p></div></div><h3 id="VersionNotes2.3.26-IssueDetail">Issue Detail</h3><ul><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/se
 cure/ReleaseNote.jspa?version=12333842&amp;projectId=12311041">JIRA Release Notes 2.3.26</a></li></ul><h3 id="VersionNotes2.3.26-IssueList">Issue List</h3><ul><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/issues/?filter=12326872">Struts 2.3.20 DONE</a></li><li><a shape="rect" class="external-link" href="https://issues.apache.org/jira/issues/?filter=12318399">Struts 2.3.x TODO</a></li></ul><h3 id="VersionNotes2.3.26-Otherresources">Other resources</h3><ul><li><a shape="rect" class="external-link" href="http://www.mail-archive.com/commits%40struts.apache.org/" rel="nofollow">Commit Logs</a></li><li><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=struts.git;a=tree;h=refs/heads/develop;hb=develop">Source Code Repository</a></li></ul><div><span style="font-size: 24.0px;line-height: 30.0px;"><br clear="none"></span></div><div><span style="font-size: 24.0px;line-height: 30.0px;background-color: rgb(245,245,245);"><br cl
 ear="none"></span></div></div>
+        </div>
+
+        
+    </div>
+</div>
+<div class="footer">
+    Generated by CXF SiteExporter
+</div>
+</body>
+</html>
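Review bot: the Issue List on this 2.3.26 page still links a filter labelled "Struts 2.3.20 DONE"; either retitle the link to the release it belongs to or point it at the filter for 2.3.26, since readers checking what went into the security fixes (S2-028, S2-029, S2-030 listed under Internal Changes) will otherwise land on the wrong issue set. Two smaller points in the same hunk: the archetype command resolves its catalog over plain HTTP (`mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/`), and switching the documented command to https:// avoids fetching build inputs over an unauthenticated channel; and the "Staging Repository" block pointing at https://repository.apache.org/content/groups/staging/ encourages users to resolve unreleased artifacts from staging, so consider dropping it from the published notes once 2.3.26 is available from Maven Central. Minor wording: "for you application" should be "for your application", `Configurationprovider` should be `ConfigurationProvider`, "constructed objects.," carries a stray period, and "contains fix related to ... bulletins, please read it carefully" should read "contains fixes related to ... please read them carefully".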