2014-04-29 15:55 GMT+02:00 Alireza Fattahi :
> Hi,
>
> As mentioned in
> http://www.disasterarea.co.uk/blog/xss-vulnerabilities-in-web-frameworks-2/
> The ${} is not XSS safe in Struts 2 while it is safe in Tapestry 5.
> I am not a Tapestry guy, but I want to know if above is correct.
> As far as
Switch off devMode and check again.
2014-04-30 2:08 GMT+02:00 John Boyer :
> Martin et al.:
>
> Yes, the examples seem to run fine. And my code worked fine in version
> 2.3.4.1. However, after upgrading from Struts 2.3.4.1 to 2.3.16.2, I get the
> following error:
>
> 2014-04-29 15:28:56,950 WA
Martin et al.:
Yes, the examples seem to run fine. And my code worked fine in version 2.3.4.1.
However, after upgrading from Struts 2.3.4.1 to 2.3.16.2, I get the following
error:
2014-04-29 15:28:56,950 WARN ...ParametersInterceptor.warn:56 - Parameter
[struts.token.name] is on the excludeP
Hello Struts users community,
Looking into this URL
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050, it states a
security vulnerability for Apache Commons FileUpload before 1.3.1.
I'm using Struts v1.3 which bundles commons-fileupload-1.1.1.jar and the
question I have is whether I
Hello:
I'm upgrading from Struts 2.3.4.1 to Struts 2.3.16.2. I've found that my
previous solution for preventing double submits no longer works.
I get the following warning:
...ParametersInterceptor.warn:56 - Parameter [struts.token.name] is on the
excludeParams list of patterns!
It's unclear
Hi Satish,
> Thanks Lukas. Correct me if I'm wrong. struts-2.3.16.2 is supposed to
> contain the previous fixes as well, is it not the case? If that's not
> the case how to get the jars with the fixes.
Struts 2.3.16.2 does include previous fixes. That is most probably the
reason for the issu
Hi,
As mentioned in
http://www.disasterarea.co.uk/blog/xss-vulnerabilities-in-web-frameworks-2/
The ${} is not XSS safe in Struts 2 while it is safe in Tapestry 5.
I am not a Tapestry guy, but I want to know if above is correct.
As far as I know the ${} is part of JSTL and it does not depend on a
Thanks Lukas. Correct me if I'm wrong. struts-2.3.16.2 is supposed to
contain the previous fixes as well, is it not the case? If that's not
the case how to get the jars with the fixes.
On Tue, Apr 29, 2014 at 9:47 PM, Lukasz Lenart wrote:
> You missed three versions in between, please read
You missed three versions in between, please read version notes of each.
2014-04-29 15:45 GMT+02:00 satish jupalli :
> Hi,
>
>
> We are facing an issue with the latest Struts upgrade. (From struts-2.3.15.1
> to struts-2.3.16.2). Did the latest patch change anything? Everything was
> running fine bef
Hi,
We are facing an issue with the latest Struts upgrade. (From struts-2.3.15.1
to struts-2.3.16.2). Did the latest patch change anything? Everything was
running fine before upgrade. My app is running on Tomcat 7.0.42.
com.opensymphony.xwork2.config.ConfigurationException: There is no Action
ma
Hi,
I'm trying to integrate a .jasper file into my Struts project.
I am new to this.
Please help me.
Please let me know the configuration I need to do.
Thanks in advance,
Manju
Hello,
Is there a simple way to display dynamically in a JSP,
the 2.3.16.2 version of struts2-core-2.3.16.2.jar ( from META_INF / MANIFEST.MF)
without knowing the name and the number of the jar file ?
Chris
The Apache Struts project team confirms that Struts 1 in all versions is
affected by a ClassLoader manipulation vulnerability similar to a
recently fixed vulnerability in Struts 2 (CVE-2014-0112, CVE-2014-0094) [1].
This is a different underlying flaw. For future reference, please use
CVE-2014-011
2014-04-29 3:59 GMT+02:00 John Boyer :
> Hello:
>
> I'm upgrading from Struts 2.3.4.1 to Struts 2.3.16.2. I've found that some of
> my actions no longer work due to the excludeParams restrictions.
>
> For example, I get the following warning:
>
> ...ParametersInterceptor.warn:56 - Parameter [actio