Posted to dev@struts.apache.org by bu...@apache.org on 2006/02/06 18:30:21 UTC

DO NOT REPLY [Bug 38534] New: - DOS attack, application hack

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38534>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38534

           Summary: DOS attack, application hack
           Product: Struts
           Version: 1.2.7
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: critical
          Priority: P5
         Component: Action
        AssignedTo: dev@struts.apache.org
        ReportedBy: abserban@gmail.com


In ActionForm the method getMultipartRequestHandler() is public and gives
access to the request; the implementation CommonsMultipartRequestHandler gives
access to the servletContext, and BeanUtils 1.7 gives the possibility to set an
attribute in the context. In other words, the following HTML code hacks an
application made with Struts 1.2.7 and 1.2.8 and BeanUtils 1.7:

<form method="post" enctype="multipart/form-data"
action="http://whateverdotcom/x.do">
            <input type="hidden"
name="multipartRequestHandler.servlet.servletContext.attribute(org.apache.struts.action.MODULE)"
value="exe"/>
            <input type="submit"/>
</form>

It was tested against 1.2.7 and BeanUtils 1.7. The source code of 1.2.8 shows
no change.
A workaround is to use a BeanUtils release prior to 1.7.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


------- Additional Comments From paul4christ79@yahoo.com  2006-02-11 03:15 -------
How is this useful in protecting the integrity of the form's data? All that does
is allow a prefix and suffix to be added to a property -- but doesn't that still
allow anyone, who guesses a real property, to still set something in the form
which perhaps the developer does not want? All I see here is decoration, not
security. Please tell me if I am wrong; I want to see how this makes a form
secure from unintended input.


------- Additional Comments From paul4christ79@yahoo.com  2006-02-11 00:24 -------
> I guess the simplest solution is to change RequestUtil's populate method to 
> ignore parameters starting with "multipartRequestHandler."

I've encountered problems like this on all forms. Struts blindly populates the
form with any matching request parameter, but many people also populate forms to
contain the output data. This data the form should never populate. 

If we take this particular problem and generalize it, Struts should contain some
sort of hook that allows a form to list which properties it should NEVER
populate.  As with all hooks, it should be extensible and customizable. This
could be a callback in a form which returns a map of property names with regex
capabilities.

Any other suggestions? If not a callback on the form to retrieve a map, what
else could we do? I am very interested in this problem too since it affects me
with other classes and I try to actively solve this defect.

------- Additional Comments From niallp@apache.org  2006-04-12 15:21 -------
(In reply to comment #19)
> This DoS problem has a deep effect. 
> I think that the Struts team should release fixed binaries of all 1.2.X
> (& 1.1?) versions.

We have four 1.2.x "GA" versions (1.2.4, 1.2.7, 1.2.8 and 1.2.9) - is there 
any reason why people using earlier 1.2.x "GA" releases can't upgrade to 1.2.9?

Since Struts 1.2.9 only just got the bare minimum of 3 votes to release 1.2.9 
it seems pretty certain to me that there will be no other releases of earlier 
patched versions of struts for this issue. Even if we *should* do it, it needs 
willing committers to want to do it. I don't have any such interest and no-one 
else has shown any signs of doing so either.

------- Additional Comments From antopaul@gmail.com  2006-04-08 08:38 -------
(In reply to comment #1)
> I guess the simplest solution is to change RequestUtil's populate method to 
> ignore parameters starting with "multipartRequestHandler."
> 

Is this problem specific to Struts, or will it affect other
frameworks/applications that use BeanUtils 1.7?
Isn't there another list for discussing security-related issues?

Regards,
Anto Paul

------- Additional Comments From paul4christ79@yahoo.com  2006-02-11 02:59 -------
Niall, maybe you can clarify. If the action has a prefix of "pre", what happens?
Does that mean the form properties must all begin with pre? Or if I say
<html:text name="foo"> it outputs <input name="prefoo"/> ?

------- Additional Comments From niallp@apache.org  2006-02-11 00:43 -------
(In reply to comment #3)
> I've encountered problems like this on all forms. Struts blindly populates 
> the form with any matching request parameter, but many people also populate 
> forms to contain the output data. This data the form should never populate. 
> If we take this particular problem and generalize it, Struts should contain 
> some sort of hook that allows a form to list which properties it should NEVER
> populate.

You can set a prefix and/or suffix on the action mapping to control which 
parameters are populated. Does that not satisfy this?

------- Additional Comments From niallp@apache.org  2006-02-11 03:36 -------
No, you're probably right - if someone guesses the prefix/suffix that are being 
used from other form properties they can still hack around it....

   myBean.multipartRequestHandler.servlet.servletContext.attribute.populate

but they would have to guess that prefixes/suffixes were being used

------- Additional Comments From kare@w4.dion.ne.jp  2006-04-07 16:32 -------
This DoS problem has a deep effect. 
I think that the Struts team should release fixed binaries of all 1.2.X (& 1.1?) 
versions.


------- Additional Comments From paul4christ79@yahoo.com  2006-02-11 03:48 -------
In Struts 2.x, I would advocate Java 5 annotations to say which properties are
populatable (if that's a word). Since 2.x marries the form/action together and
in a POJO, I could see more people taking interest in preventing this kind of
behavior. 

For the 1.x branch, I think the easiest solution is to create a blacklist of
properties to avoid (getPropertyBlackList)... or a white list
(getPropertyWhiteList). Hey, I like developer options. I think there is a
need for these things -- both are purely optional and can be used either to say
null, some properties, a single everything element (wildcard asterisk). 

Or we could go more into details such as saying what level of nesting is
appropriate. Perhaps I only want to limit to one-level; that would solve the
problem attached to this ticket.

Summary:
[1] Whitelist of properties
[2] Blacklist of properties
[3] Annotations
[4] Nesting level

------- Additional Comments From bayard@apache.org  2006-02-15 23:39 -------
Patch created against the 1.2 branch - apologies for not mentioning that.

------- Additional Comments From paul4christ79@yahoo.com  2006-02-11 17:12 -------
So you don't want to patch 1.2?

------- Additional Comments From niallp@apache.org  2006-03-09 04:19 -------
Spotted a problem with this change - if the max file size is exceeded, the 
MultipartRequestHandler in the ActionForm is missing - corrected in the trunk 
and 1.2.x branch:

http://svn.apache.org/viewcvs?rev=384421&view=rev
http://svn.apache.org/viewcvs?rev=384422&view=rev


------- Additional Comments From niallp@apache.org  2006-02-11 00:41 -------
(In reply to comment #2)
> Do we want to deprecate the method for 1.3.0, then? 

The only place it's referenced in Struts is in the RequestProcessor's 
processValidate() method and the corresponding Command (ValidateActionForm), 
which call the MultipartRequestHandler's rollback() method in the event of 
validation errors. If we can provide another mechanism to get hold of the 
MultipartRequestHandler (cache it in the request?) then that should resolve 
that.

On an interesting aside - the CommonsMultipartRequestHandler has a finish() 
method - which calls rollback() to clean up - the comment on the method 
says "Cleans up at the end of a request" - but I can't see that it's called 
anywhere.

------- Additional Comments From niallp@apache.org  2006-02-11 03:08 -------
Say you have the following in your struts-config.xml:

<action path="..." type="..." prefix="myBean." suffix=".populate" >
    ...
</action>

And you had a field on your form...

  <input type="text" name="myBean.customerName.populate" />

Then struts will only populate parameters that start with "myBean." and end 
with ".populate" and it strips off the suffix and prefix - so it will try and 
populate a property named "customerName" on your ActionForm in this example.

------- Additional Comments From husted@apache.org  2006-02-10 20:11 -------
Do we want to deprecate the method for 1.3.0, then? 


------- Additional Comments From bayard@apache.org  2006-02-15 23:37 -------
Created an attachment (id=17709)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=17709&action=view)
Unit Test patch to test issue 38534

Attached is a patch containing a unit test for issue 38534. In particular it
contains the unit test, a class for use in the unit test, a
MockMultipartRequestHandler, improvements to the MockHttpServletRequest and the
necessary additions to the build-tests.xml and project.xml to run the test.

------- Additional Comments From niallp@apache.org  2006-02-11 07:03 -------
Changing / customizing the form population mechanism will be much easier if 
the multipart changes I just proposed are implemented - see Bug 38613.

If you look at the changes proposed to AbstractPopulateActionForm, it no longer 
uses RequestUtils.populate (it just calls BeanUtils.populate() directly), and it's 
in a new method that can be easily overridden:

    protected void populate(ActionContext context,
        Map properties, ActionForm actionForm)
        throws Exception {

        // Populate the Form
        BeanUtils.populate(actionForm, properties);

    }


------- Additional Comments From niallp@apache.org  2006-02-15 05:04 -------
Fixed in the 1.2.x branch:

  http://svn.apache.org/viewcvs?rev=377929&view=rev

niallp@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From niallp@apache.org  2006-02-22 04:35 -------
Ported the fix for this bug to the current trunk (1.3.x series), including the 
test case and mock object provided by Henri

  http://svn.apache.org/viewcvs?rev=379661&view=rev

Closing as FIXED

------- Additional Comments From niallp@apache.org  2006-02-10 18:25 -------
I guess the simplest solution is to change RequestUtil's populate method to 
ignore parameters starting with "multipartRequestHandler."

IMO, longer term we should remove that method from ActionForm - not sure why 
it's there at all.

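An added illustration of the mechanics this thread argues about (example code written for this page, not Struts source and not the patch that was committed): the parameter-name walk from the original report, the prefix/suffix stripping from Niall's struts-config example, and the denylist / nesting-cap ideas from comment #1 and the proposal list. The Fake* classes and LoginForm are stand-ins I assume for CommonsMultipartRequestHandler, ActionServlet, ServletContext and an ActionForm; setNestedProperty() is a deliberately small imitation of the BeanUtils nested and mapped property walk; isAllowed() is one possible guard, not the one in the 1.2.x branch. Real Struts only attaches the handler to the form on multipart requests, which is why the report's form uses enctype="multipart/form-data".

```java
import java.util.*;
import java.util.regex.*;

// Toy model of Struts 1.2 form population (added example, not Struts source).
// The Fake* classes stand in for CommonsMultipartRequestHandler, ActionServlet and
// ServletContext; setNestedProperty() mimics the BeanUtils nested/mapped property walk.
public class PopulateGuardDemo {
    public static class FakeServletContext {
        private final Map<String, Object> attrs = new HashMap<>();
        public Object getAttribute(String key) { return attrs.get(key); }
        public void setAttribute(String key, Object value) { attrs.put(key, value); }
    }
    public static class FakeServlet {
        private final FakeServletContext ctx = new FakeServletContext();
        public FakeServletContext getServletContext() { return ctx; }
    }
    public static class FakeMultipartRequestHandler {
        private final FakeServlet servlet = new FakeServlet();
        public FakeServlet getServlet() { return servlet; }
    }
    // Plays the ActionForm: the public getter is the hole the report describes.
    public static class LoginForm {
        private String username;
        private final FakeMultipartRequestHandler handler = new FakeMultipartRequestHandler();
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public FakeMultipartRequestHandler getMultipartRequestHandler() { return handler; }
    }
    private static final Pattern MAPPED = Pattern.compile("^(\\w+)\\((.+)\\)$");
    // Split "a.b.c(x.y)" into [a, b, c(x.y)]: dots inside parentheses belong to the key.
    static List<String> splitPath(String path) {
        List<String> parts = new ArrayList<>();
        int depth = 0, start = 0;
        for (int i = 0; i < path.length(); i++) {
            char c = path.charAt(i);
            if (c == '(') depth++;
            else if (c == ')') depth--;
            else if (c == '.' && depth == 0) { parts.add(path.substring(start, i)); start = i + 1; }
        }
        parts.add(path.substring(start));
        return parts;
    }

    private static String cap(String s) { return Character.toUpperCase(s.charAt(0)) + s.substring(1); }
    // BeanUtils-like nested setter: follow getters, then call setX(value) or setX(key, value).
    static void setNestedProperty(Object bean, String path, String value) throws Exception {
        List<String> parts = splitPath(path);
        Object cur = bean;
        for (int i = 0; i < parts.size() - 1; i++) {
            cur = cur.getClass().getMethod("get" + cap(parts.get(i))).invoke(cur);
        }
        String last = parts.get(parts.size() - 1);
        Matcher m = MAPPED.matcher(last);
        if (m.matches()) {
            cur.getClass().getMethod("set" + cap(m.group(1)), String.class, Object.class)
               .invoke(cur, m.group(2), value);
        } else {
            cur.getClass().getMethod("set" + cap(last), String.class).invoke(cur, value);
        }
    }
    // Action-mapping prefix/suffix handling: null if the parameter does not carry both.
    static String stripPrefixSuffix(String name, String prefix, String suffix) {
        int p = prefix == null ? 0 : prefix.length(), s = suffix == null ? 0 : suffix.length();
        if (name.length() < p + s) return null;
        if (prefix != null && !name.startsWith(prefix)) return null;
        if (suffix != null && !name.endsWith(suffix)) return null;
        return name.substring(p, name.length() - s);
    }
    // The guard itself: denylist the handler property (comment #1) and cap nesting (proposal [4]).
    static boolean isAllowed(String stripped, int maxDepth) {
        if (stripped == null || stripped.startsWith("multipartRequestHandler")) return false;
        return splitPath(stripped).size() <= maxDepth;
    }
    static Object moduleAttribute(LoginForm form) {
        return form.getMultipartRequestHandler().getServlet().getServletContext()
                   .getAttribute("org.apache.struts.action.MODULE");
    }

    public static void main(String[] args) throws Exception {
        String attack = "multipartRequestHandler.servlet.servletContext"
                      + ".attribute(org.apache.struts.action.MODULE)";
        Map<String, String> request = new LinkedHashMap<>();   // constructed sample request
        request.put("username", "alice");
        request.put(attack, "exe");
        LoginForm unguarded = new LoginForm();                  // pre-fix behaviour: attribute gets set
        for (Map.Entry<String, String> e : request.entrySet())
            setNestedProperty(unguarded, e.getKey(), e.getValue());
        System.out.println("unguarded: MODULE=" + moduleAttribute(unguarded));
        LoginForm guarded = new LoginForm();                    // guarded: only username survives
        for (Map.Entry<String, String> e : request.entrySet())
            if (isAllowed(e.getKey(), 1)) setNestedProperty(guarded, e.getKey(), e.getValue());
        System.out.println("guarded: MODULE=" + moduleAttribute(guarded) + " username=" + guarded.getUsername());
        // Prefix/suffix alone is decoration: once stripped, the same path comes back out.
        String stripped = stripPrefixSuffix("myBean." + attack + ".populate", "myBean.", ".populate");
        System.out.println("stripped=" + stripped + " allowed=" + isAllowed(stripped, 1));
    }
}
```

Compile with javac PopulateGuardDemo.java and run java PopulateGuardDemo: the unguarded pass writes the attacker's value into the context attribute, the guarded pass leaves it unset while still populating username, and the last line shows that stripping a known prefix and suffix hands the identical path back to the populator, so the denylist or depth cap has to run on the stripped name. A startsWith denylist also rejects any legitimate form property whose name happens to begin with multipartRequestHandler; a whitelist (proposal [1]) or a nesting cap of 1 is the safer default on forms that have no nested properties.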
------- Additional Comments From niallp@apache.org  2006-02-22 04:34 -------
(In reply to comment #14)

Thanks for the test case and new mock MultipartRequestHandler - I applied a 
slightly modified version of the test and made some other cosmetic changes to 
keep in line with the current trunk.

  http://svn.apache.org/viewcvs?rev=379660&view=rev

