| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 Sep 2013 10:23:43 -0400
From: Emi Lu <emilu@...s.concordia.ca>
To: Struts Users Mailing List <user@...uts.apache.org>
CC: Lukasz Lenart <lukaszlenart@...che.org>,
Struts Developers List <dev@...uts.apache.org>,
announcements@...uts.apache.org,
"security@...che.org" <security@...che.org>,
full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: [ANN] Struts 2.3.15.2 GA release available - security fix
Good morning,
Upgraded from 2.3.15.1 to 15.2, but "s:submit" problem:
(1) jsp:
<s:form
name = "loginForm"
namespace= "/Login"
action = "ProcessLoginAction"
method = "post"
theme="simple"
>
<s:submit value="Login"
theme="simple"
action="loginProcessLoginAction" /> --- never call
loginProcessLoginAction
(2) struts.xml
<package name="Login" namespace="/Login" extends="tiles-default">
<action name="*ProcessLoginAction" method="{1}" class="ProcessLoginAction">
<result name="success" type="tiles">main_menu</result>
<result name="ajax_check" >
/WEB-INF/pages/errorinfo/ajax_error_check.jsp
</result>
</action>
(3) ProcessLoginAction.java
public String login() throws Exception
{
try
{
......
}catch(Exception e)
{
log.error("login Error: " + e.getMessage());
log.error(e);
this.addActionError("login Error: " + e.getMessage());
}
return "success";
}
The problem is that "loginProcessLoginAction in jsp page" is never be
called.
Could you help?
Thanks,
Emi
On 09/21/2013 12:06 PM, Lukasz Lenart wrote:
> The Apache Struts group is pleased to announce that Struts 2.3.15.2 is
> available as a "General Availability" release.The GA designation is
> our highest quality grade.
>
> Apache Struts 2 is an elegant, extensible framework for creating
> enterprise-ready Java web applications. The framework is designed to
> streamline the full development cycle, from building, to deploying, to
> maintaining applications over time.
>
> This release includes important security fixes:
> - S2-018 - Broken Access Control Vulnerability in Apache Struts2
> - S2-019 - Dynamic Method Invocation disabled by default
>
> All developers are strongly advised to update existing Struts 2
> applications to Struts 2.3.15.2
>
> Struts 2.3.15.2 is available in a full distribution, or as separate
> library, source, example and documentation distributions, from the
> releases page.
> * http://struts.apache.org/download.cgi#struts23152
>
> The release is also available from the central Maven repository under
> Group ID "org.apache.struts".
>
> The 2.3.x series of the Apache Struts framework has a minimum
> requirement of the following specification versions:
> * Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
> * Java 2 Standard Platform Edition (J2SE) 5
>
> The release notes are available online at:
> * http://struts.apache.org/release/2.3.x/docs/version-notes-23152.html
>
> Should any issues arise with your use of any version of the Struts
> framework, please post your comments to the user list, and, if
> appropriate, file a tracking ticket.appropriate, file a tracking
> ticket:
> * https://issues.apache.org/jira/browse/WW
>
>
> - The Apache Struts group.
>
>
> Regards
>
Powered by blists - more mailing lists