S2-064: CVE-2023-34396: Apache Struts: DoS via OOM owing to no sanity limit on normal form fields in multipart forms

2023-06-14 Thread Yasser Zamani
McClain (finder) References: https://cwiki.apache.org/confluence/display/WW/S2-064 https://struts.apache.org/ https://www.cve.org/CVERecord?id=CVE-2023-34396 - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional

S2-063: CVE-2023-34149: Apache Struts: DoS via OOM owing to not properly checking of list bounds

2023-06-14 Thread Yasser Zamani
McClain (finder) References: https://cwiki.apache.org/confluence/display/WW/S2-063 https://struts.apache.org/ https://www.cve.org/CVERecord?id=CVE-2023-34149

Re: [S2] getOutputStream() has already been called error?

2020-04-09 Thread Burton Rhodes
Thanks Lukasz - I will give that a try! On Sun, Mar 15, 2020 at 12:43 PM Lukasz Lenart wrote: > Tue, 10 Mar 2020 at 15:35 Burton Rhodes > wrote: > > > > > > > > > > > > true > >

Re: [S2] getOutputStream() has already been called error?

2020-03-15 Thread Lukasz Lenart
Tue, 10 Mar 2020 at 15:35 Burton Rhodes wrote: > > > > > > true > ERROR > I would move your "exceptionInterceptor" to be the very first interceptor in the

[S2] getOutputStream() has already been called error?

2020-03-10 Thread Burton Rhodes
I am trying to track down a bug in my Struts application and am having difficulty understanding the cause. Only about once per week, I get an "getOutputStream() has already been called" error - see stack trace below. Anyone experienced this before (and found a solution)? I have included my struts

Re: [S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh?

2018-04-21 Thread Yasser Zamani
On 4/21/2018 3:05 PM, Martin Gainty wrote: > I couldn't find it in servlet-api spec? > > https://tomcat.apache.org/tomcat-8.0-doc/servletapi/javax/servlet/http/HttpServletResponse.html > > HttpServletResponse (Servlet 3.1 API Documentation > ...

Re: [S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh?

2018-04-21 Thread Martin Gainty
struts2 supported ATG Dynamo sendLocalRedirect Thanks for the clarification Regards Martin Gainty __ From: Yasser Zamani on behalf of Yasser Zamani Sent: Wednesday, April 18, 2018 2:57 AM To: user@struts.apach

Re: [S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh?

2018-04-18 Thread Yasser Zamani
On 4/18/2018 5:27 PM, Martin Gainty wrote: > MG2>some confusion on where session is accessed > * available. This is because actions are built on a single-thread model. The > * only way to pass data is through the session > MG2>with chain interceptor No it didn't mean "with chain interceptor" t

Re: [S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh?

2018-04-18 Thread Martin Gainty
MG2>some confusion on where session is accessed From: Yasser Zamani on behalf of Yasser Zamani Sent: Wednesday, April 18, 2018 2:57 AM To: user@struts.apache.org Subject: Re: [S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh?

Re: [S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh?

2018-04-17 Thread Yasser Zamani
On 4/18/2018 1:21 AM, Martin Gainty wrote: > MG>AFAIK a redirect terminates the old session and creates a new session I think redirect to same domain:ip in same browser tab page should keep session. > MG>a better alternative is to implement ChainingInterceptor with type="chain"> e.g. As Strut

Re: [S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh?

2018-04-17 Thread Martin Gainty
From: Burton Rhodes Sent: Tuesday, April 17, 2018 7:23 AM To: Struts Users Mailing List Subject: Re: [S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh? That's a great thought. I think the session method makes more sense. O

Re: [S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh?

2018-04-17 Thread Yasser Zamani
On 4/17/2018 3:53 PM, Burton Rhodes wrote: > That's a great thought. I think the session method makes more sense. Glad to hear :) thanks! I would like to add that you also can delete ExecAndWait interceptor. Then just save posted data in db and immediately send a thank you message to your user.

Re: [S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh?

2018-04-17 Thread Burton Rhodes
That's a great thought. I think the session method makes more sense. On Tue, Apr 17, 2018 at 2:12 AM, Yasser Zamani wrote: > > > On 4/17/2018 6:42 AM, Burton Rhodes wrote: > > Also, How would I include everything except the email body field with the > > s:url tag? > > Unfortunately, I couldn't

Re: [S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh?

2018-04-17 Thread Yasser Zamani
On 4/17/2018 6:42 AM, Burton Rhodes wrote: > Also, How would I include everything except the email body field with the > s:url tag? Unfortunately, I couldn't find a simple way :( However, as a workaround, instead, in your email form jsp, could you put the email body field as a POST param and th

Re: [S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh?

2018-04-16 Thread Burton Rhodes
Yes. I believe this is the case. Let me see if I can track down an example that breaks. Right now I just have reports of this happening but I haven’t been able to reproduce on my end yet. Also, How would I include everything except the email body field with the s:url tag? Thanks, Burton On Mond

Re: [S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh?

2018-04-16 Thread Yasser Zamani
On 4/15/2018 11:39 PM, Burton Rhodes wrote: > I have been getting "Bad Request" or "URL too long" errors on occasion for > an email form that uses the execute and wait interceptor. I am using the > to resubmit the form per the documentation. > > "/> > > However, the original form submits via

[S2] ExecuteAndWait Interceptor // Only re-submit token parameters on refresh?

2018-04-15 Thread Burton Rhodes
I have been getting "Bad Request" or "URL too long" errors on occasion for an email form that uses the execute and wait interceptor. I am using the to resubmit the form per the documentation. "/> However, the original form submits via POST and the meta tag uses GET which I believe is the source

Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

2017-12-12 Thread Lukasz Lenart
2017-12-12 16:22 GMT+01:00 upendar devu : > could someone please confirm what Jackson databind versions are impacted ? > we are using 2.7.1 version . Here is a list [1] of unimpacted versions, which means any other are impacted [1] https://github.com/FasterXML/jackson-databind/issues/1599#issuec

Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

2017-12-12 Thread upendar devu
ected by the CVE but I think you > are right and mostly it will be jackson-databind only. > > >> Please read the bulletin [1] and apply possible > >> solutions. This vulnerability impacts anyone using the vulnerable > >> Jackson JSON library (not only Struts users).

Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

2017-12-12 Thread Lukasz Lenart
>> Jackson JSON library (not only Struts users). >> >> [1] https://cwiki.apache.org/confluence/display/WW/S2-055 > > So, if do not use the above jars, it should be fine? Yes Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/

Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

2017-12-12 Thread Emi
tions. This vulnerability impacts anyone using the vulnerable Jackson JSON library (not only Struts users). [1] https://cwiki.apache.org/confluence/display/WW/S2-055 So, if do not use the above jars, it should be fine? Thanks. ---

[ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)

2017-12-11 Thread Lukasz Lenart
Hi, After further clarification we increased impact of a vulnerability reported to us and described as S2-055 to High. The vulnerability exists in a JSON Jackson library and it's registered under CVE-2017-7525. Please read the bulletin [1] and apply possible solutions. This vulnerability im

Re: Struts 2.3.X Impacted by S2-055?

2017-12-10 Thread Lukasz Lenart
ion is vulnerable as well. Also, 2.3.x series is using json-lib as a default JSON handler implementation which means it's impacted by [2] [1] https://github.com/apache/struts/blob/support-2-3/plugins/rest/pom.xml#L52 [2] https://cwiki.apache.org/confluence/display/WW/S2-054 Regards -- Łuka

Re: Struts 2.3.X Impacted by S2-055?

2017-12-10 Thread Yasser Zamani
On 12/8/2017 9:41 PM, info...@unixcert.net wrote: > It looks like the Jackson-databind issue is only associated with 2.5.X > versions of Struts. It's only with 2.5.14. Addressed in 2.5.14.1. But both 2.5.(x<14) and 2.3.x are impacted by S2-054. > I just want to confirm th

Struts 2.3.X Impacted by S2-055?

2017-12-09 Thread infosec
It looks like the Jackson-databind issue is only associated with 2.5.X versions of Struts. I just want to confirm that 2.3.X versions are not. Thanks, Adrian

Re: Security Bulletin S2-055

2017-12-08 Thread Lukasz Lenart
Thank you for clarifying this, it wasn't clear to me what kind of issue was that Jackson vulnerability. Kind regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ 2017-12-08 2:09 GMT+01:00 : > Hello, > > I think it would be appropriate to update the Impact of Vulnerability to > indicat

Security Bulletin S2-055

2017-12-07 Thread darrell.ambro
Hello, I think it would be appropriate to update the Impact of Vulnerability to indicate that this issue could be used for remote code execution. The conversation in the Jackson Project Issues: https://github.com/FasterXML/jackson-databind/issues/1599 and articles such as https://adamcaudill.c

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
2017-09-06 18:40 GMT+02:00 William Stranathan : > Any ETA? Under way to the Central and mirrors Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread William Stranathan
Any ETA? On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart wrote: > 2017-09-06 16:12 GMT+02:00 Emi : > > Hello, > >> > >> I finally read your email where you gave the dist URL for the dev > release. > > > > This is the release that I should use for 2.3 right? > > > > https://dist.apache.org/repos/di

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread William Stranathan
Incidentally, the wiki points out that 2.3 is vulnerable, but http://struts.apache.org/docs/s2-052.html still only states 2.5. On Wed, Sep 6, 2017 at 10:15 AM Lukasz Lenart wrote: > 2017-09-06 16:12 GMT+02:00 Emi : > > Hello, > >> > >> I finally read your email wher

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
2017-09-06 16:12 GMT+02:00 Emi : > Hello, >> >> I finally read your email where you gave the dist URL for the dev release. > > This is the release that I should use for 2.3 right? > > https://dist.apache.org/repos/dist/dev/struts/2.3.34/ Yes, it should be officially released and announced soon R

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Emi
Hello, I finally read your email where you gave the dist URL for the dev release. This is the release that I should use for 2.3 right? https://dist.apache.org/repos/dist/dev/struts/2.3.34/ Thanks. I tested against the struts2-rest-showcase app, a URL that was vulnerable in other versions. I

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
Thanks a lot! 2017-09-06 15:56 GMT+02:00 William Stranathan : > I finally read your email where you gave the dist URL for the dev release. > I tested against the struts2-rest-showcase app, a URL that was vulnerable > in other versions. > > I also manually built just struts2-core, rest-plugin, conf

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread William Stranathan
I finally read your email where you gave the dist URL for the dev release. I tested against the struts2-rest-showcase app, a URL that was vulnerable in other versions. I also manually built just struts2-core, rest-plugin, config-browser, and rest-showcase apps, and attempted the exploit against th

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
2017-09-06 12:37 GMT+02:00 Lukasz Lenart : > Here is the full info > http://markmail.org/message/5xuhb2vwc7iagjjr William, how does your test pass? Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
Ah.. right, I forgot about that 2017-09-06 13:11 GMT+02:00 William Stranathan : > And yes, it looks like the Jenkins builds have been failing for quite some > time: > https://builds.apache.org/view/S-Z/view/Struts/job/Struts-support-2-3-JDK6/lastBuild/console > (that > error message is not too dis

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
2017-09-06 13:04 GMT+02:00 William Stranathan : > Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the > 2.3.34 snapshot of the rest-plugin dated August 12. > > I just did a build of only the bits needed to get the rest-showcase running > (so mvn install, when that fails, mvn in

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread William Stranathan
And yes, it looks like the Jenkins builds have been failing for quite some time: https://builds.apache.org/view/S-Z/view/Struts/job/Struts-support-2-3-JDK6/lastBuild/console (that error message is not too dissimilar from the one I get with JDK 7 in the same module). On Wed, Sep 6, 2017 at 7:04 AM

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread William Stranathan
Well, I tried with the 2.3.35 Core snapshot (dated September 6), and the 2.3.34 snapshot of the rest-plugin dated August 12. I just did a build of only the bits needed to get the rest-showcase running (so mvn install, when that fails, mvn install -f plugins/rest-plugin/pom.xml, then app/rest-showc

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread Lukasz Lenart
2017-09-06 12:31 GMT+02:00 William Stranathan : > Odd - when I tested the snapshots, they were still vulnerable. I'm not able > to get it to build from source (now some odd javac access exception). Strange, do you have a date of the snapshot? Maybe Jenkins stopped publishing them. > Where do I ge

Re: Struts 2.3 fix for s2-052?

2017-09-06 Thread William Stranathan
MT+02:00 William Stranathan : > > Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3 > > patch available yet. I've tried with the latest snapshots, and those are > > also vulnerable. > > > > Is there a fix for this vulnerability on the 2.3

Re: Struts 2.3 fix for s2-052?

2017-09-05 Thread Lukasz Lenart
2017-09-06 6:22 GMT+02:00 William Stranathan : > Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3 > patch available yet. I've tried with the latest snapshots, and those are > also vulnerable. > > Is there a fix for this vulnerability on the 2.3 st

Struts 2.3 fix for s2-052?

2017-09-05 Thread William Stranathan
Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3 patch available yet. I've tried with the latest snapshots, and those are also vulnerable. Is there a fix for this vulnerability on the 2.3 stream forthcoming?

[ANN] Apache Struts: S2-049 Security Bulletin update

2017-08-10 Thread Lukasz Lenart
This is an update of the recently announced Security Bulletin S2-049 - http://struts.apache.org/docs/s2-049.html The bulletin was extended with an additional information when the potential vulnerability can be present in your application. Please re-read the mentioned bulletin and apply required

Re: After upgrade to 2.3.32 and S2-045 attacks

2017-05-18 Thread Łukasz Lenart
On Thu, 18.05.2017 at 21:16 Greg Lindholm wrote: > I've upgraded to Struts 2.3.32. > Our site is still getting bombarded with S2-045 attacks. > > The application logs are filled with stack traces from these. I noticed > that one request is often generating two stack

After upgrade to 2.3.32 and S2-045 attacks

2017-05-18 Thread Greg Lindholm
I've upgraded to Struts 2.3.32. Our site is still getting bombarded with S2-045 attacks. The application logs are filled with stack traces from these. I noticed that one request is often generating two stack traces. The first is expected and second isn't. First exception (with most of

Re: S2 String Trim Interceptor?

2017-04-23 Thread Lukasz Lenart
2017-04-21 15:53 GMT+02:00 Burton Rhodes : > Since the invocation.getInvocationContext().getParameters().toMap() method > is now deprecated, how would I refactor my String Trim interceptor to trim > incoming parameters? The HttpParameters parameter objects are designed to > be "immutable". Some p

S2 String Trim Interceptor?

2017-04-21 Thread Burton Rhodes
Since the invocation.getInvocationContext().getParameters().toMap() method is now deprecated, how would I refactor my String Trim interceptor to trim incoming parameters? The HttpParameters parameter objects are designed to be "immutable". Some posts online have suggested type converters, but see

Re: Use Filter or ParameterInterceptors to prevent S2-032

2016-04-28 Thread suresh sadanala
; with > > "method:" prefix to prevent S2-032? > > Reference: https://struts.apache.org/docs/s2-032.html > > Yes, you can but bear in mind that this vulnerability affects only > 2.3.20, 2.3.24 and 2.3.28 > > > Regards

Re: Use Filter or ParameterInterceptors to prevent S2-032

2016-04-27 Thread Lukasz Lenart
2016-04-28 3:59 GMT+02:00 mailinglist rs : > Besides using upgrade or disable Dynamic method invocation, can I use > Filter or ParameterInterceptors to block request parameters which start with > "method:" prefix to prevent S2-032? > Reference: https://struts.apache.org/docs

Use Filter or ParameterInterceptors to prevent S2-032

2016-04-27 Thread mailinglist rs
Besides using upgrade or disable Dynamic method invocation, can I use Filter or ParameterInterceptors to block request parameters which start with "method:" prefix to prevent S2-032? Reference: https://struts.apache.org/docs/s2-032.html

Re: S2: How to tell if a response has been committed from an interceptor?

2016-01-07 Thread Christoph Nenning
> Inside an Interceptor I'm getting an exception > > java.lang.IllegalStateException: Cannot create a session after the response > has been committed > I have access to the ActionInvocation as this is passed into doIntercept() > public String doIntercept(ActionInvocation invocation) throws Excep

Re: S2: How to tell if a response has been committed from an interceptor?

2016-01-06 Thread Ken McWilliams
Well you go down the chain create the result and then back up the chain. So when going back up the response should already be committed. see: https://struts.apache.org/docs/writing-interceptors.html //modified code from above link to clarify public String intercept(ActionInvocation invocation

S2: How to tell if a response has been committed from an interceptor?

2016-01-06 Thread Greg Lindholm
Inside an Interceptor I'm getting an exception java.lang.IllegalStateException: Cannot create a session after the response has been committed I have access to the ActionInvocation as this is passed into doIntercept() public String doIntercept(ActionInvocation invocation) throws Exception My quest

Re: [S2] Trouble getting started [OFF-LIST]

2015-10-01 Thread Christopher Schultz
Lucasz, On 10/1/15 10:06 AM, Lukasz Lenart wrote: > Works :) > > Just dropped your package into webapps folder (Apache Tomcat 7.0.40 > on JDK8) and all is ok - except list.jsp contains some strange XML > definition (in wrong place) > > http://scr

Re: [S2] Trouble getting started [OFF-LIST]

2015-10-01 Thread Dave Newton
I'm not sure what the issue is; it starts up fine for me, except for the bogus XML in list.jsp. On Thu, Oct 1, 2015 at 10:06 AM, Lukasz Lenart wrote: > Works :) > > Just dropped your package into webapps folder (Apache Tomcat 7.0.40 on > JDK8) and all is ok - except list.jsp contains some strang

Re: [S2] Trouble getting started [OFF-LIST]

2015-10-01 Thread Lukasz Lenart
Works :) Just dropped your package into webapps folder (Apache Tomcat 7.0.40 on JDK8) and all is ok - except list.jsp contains some strange XML definition (in wrong place) http://screencast.com/t/t8s0xyQCHbG4 Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ ---

Re: [S2] Trouble getting started [OFF-LIST]

2015-10-01 Thread Christopher Schultz
Lucasz, On 9/28/15 2:51 AM, Lukasz Lenart wrote: >>> It's not deployed as a WAR, but as webapps/ROOT (exploded WAR >>> directory). >> >> For completeness, this is what is contained in my ROOT directory >> ("deploy" is my CATALINA_BASE for Tomcat)

Re: [S2] Trouble getting started

2015-10-01 Thread Christopher Schultz
Christoph, On 9/28/15 12:11 PM, Christopher Schultz wrote: > Christoph, > > On 9/28/15 6:52 AM, Christoph Nenning wrote: >>> From: Christopher Schultz To: >>> Struts Users Mailing List , Date: >>> 26.09.2015

Re: [S2] Trouble getting started

2015-09-28 Thread Christopher Schultz
Christoph, On 9/28/15 6:52 AM, Christoph Nenning wrote: >> From: Christopher Schultz To: >> Struts Users Mailing List , Date: >> 26.09.2015 23:31 Subject: [S2] Trouble getting started >> >> -BEGIN PGP SI

Re: [S2] Trouble getting started

2015-09-28 Thread Christoph Nenning
> From: Christopher Schultz > To: Struts Users Mailing List , > Date: 26.09.2015 23:31 > Subject: [S2] Trouble getting started > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > All, > > I'm working on a fresh project and using Struts 2 for the

Re: [S2] Trouble getting started

2015-09-27 Thread Lukasz Lenart
2015-09-28 6:37 GMT+02:00 Yaragalla Muralidhar : > Hi Chris, > I have not checked the DTD. But I got this idea from sample struts2 apps. > I don't think there will be a default value for the "name" attribute. It is, for 'name' and for other parts http://struts.apache.org/docs/result-configuration

Re: [S2] Trouble getting started

2015-09-27 Thread Lukasz Lenart
>> It's not deployed as a WAR, but as webapps/ROOT (exploded WAR >> directory). > > For completeness, this is what is contained in my ROOT directory > ("deploy" is my CATALINA_BASE for Tomcat): > > deploy/webapps/ROOT > deploy/webapps/ROOT/WEB-INF > deploy/webapps/ROOT/WEB-INF/classes > deploy/weba

Re: [S2] Trouble getting started

2015-09-27 Thread Lukasz Lenart
n, which to me has too much > opaque hand-waving that I neither understand nor control. > > I have what I believe is a fairly simple test app at this point. I > should be able to get it to work without resorting to drastic measures : > ) Maven isn't that bad and it's a good

Re: [S2] Trouble getting started

2015-09-27 Thread Yaragalla Muralidhar
Hi Chris, I have not checked the DTD. But I got this idea from sample struts2 apps. I don't think there will be a default value for the "name" attribute. *Thanks and Regards,* Muralidhar Yaragalla. *http://yaragalla.blogspot.in/ * On Sun, Sep 27, 2015 at 9:35 PM,

Re: [S2] Trouble getting started

2015-09-27 Thread Christopher Schultz
Lucasz, On 9/27/15 12:02 PM, Christopher Schultz wrote: > On 9/27/15 10:08 AM, Lukasz Lenart wrote: >> 2015-09-26 23:30 GMT+02:00 Christopher Schultz >> : >>> I'm working on a fresh project and using Struts 2 for the >>> first time. I've been using

Re: [S2] Trouble getting started

2015-09-27 Thread Christopher Schultz
Lucaz, On 9/27/15 10:08 AM, Lukasz Lenart wrote: > 2015-09-26 23:30 GMT+02:00 Christopher Schultz > : >> I'm working on a fresh project and using Struts 2 for the first >> time. I've been using Struts 1 for more than 10 years and I >> generally know

Re: [S2] Trouble getting started

2015-09-27 Thread Lukasz Lenart
2015-09-27 7:38 GMT+02:00 Yaragalla Muralidhar : > Hi Chris, > >Try the following. > > > > /WEB-INF/list.jsp "success" is the default result name so you can omit, it isn't required. Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ --

Re: [S2] Trouble getting started

2015-09-27 Thread Lukasz Lenart
2015-09-26 23:30 GMT+02:00 Christopher Schultz : > I'm working on a fresh project and using Struts 2 for the first time. > I've been using Struts 1 for more than 10 years and I generally know > my way around web applications. > > I just can't seem to get a fairly simple setup working. I'm intending

Re: [S2] Trouble getting started

2015-09-27 Thread Thomas Sattler
try struts2builder.sourceforge.net On Sunday, September 27, 2015, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Yaragalla, > > On 9/27/15 1:38 AM, Yaragalla Muralidhar wrote: > > Try the following. > > > > > > > *name="succ

Re: [S2] Trouble getting started

2015-09-27 Thread Christopher Schultz
Yaragalla, On 9/27/15 1:38 AM, Yaragalla Muralidhar wrote: > Try the following. > > > *name="success"* >/WEB-INF/list.jsp No change. Note that I see nothing in the TRACE log for Struts (or, really, anything) when I make the request to http:

Re: [S2] Trouble getting started

2015-09-26 Thread Yaragalla Muralidhar
Hi Chris, Try the following. /WEB-INF/list.jsp *Thanks and Regards,* Muralidhar Yaragalla. *http://yaragalla.blogspot.in/ * On Sun, Sep 27, 2015 at 3:00 AM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEG

[S2] Trouble getting started

2015-09-26 Thread Christopher Schultz
All, I'm working on a fresh project and using Struts 2 for the first time. I've been using Struts 1 for more than 10 years and I generally know my way around web applications. I just can't seem to get a fairly simple setup working. I'm intending to

Re: [S2] 2.3.20 upgrade issue: No log warning entry for excluded package?

2015-04-20 Thread Burton Rhodes
Wow. Sorry for the typo goose chase! Many many thanks for taking a look. On Fri, Apr 17, 2015 at 12:58 AM, Lukasz Lenart wrote: > First > It has nothing to do with security mechanism > > Second > it's a typo, at least in the example > > > In test.jsp you have > > searchManager.page.totalNum

Re: [S2] 2.3.20 upgrade issue: No log warning entry for excluded package?

2015-04-17 Thread Lukasz Lenart
First It has nothing to do with security mechanism Second it's a typo, at least in the example In test.jsp you have searchManager.page.totalNumberOfElements: where in TestAction you are exposing public SearchManagerService getSearchManagerService() { return searchManagerServic

Re: [S2] 2.3.20 upgrade issue: No log warning entry for excluded package?

2015-04-14 Thread Burton Rhodes
Lukasz - Below is a link to a small test project (maven) that demonstrates my issue. Hopefully it's something trivial. Again, thank you for investigating. https://www.dropbox.com/s/qurhklxwz4v82jx/afsTest.zip?dl=0 Thanks, Burton On Mon, Apr 6, 2015 at 6:15 PM, Burton Rhodes wrote: > ok - I

Re: [S2] mvn struts2-archtype-blank broken?

2015-04-08 Thread Lukasz Lenart
but please remember that you need the plugin only in case you are using Java8 features in action classes with the Convention plugin - in other case it's useless :) 2015-04-09 8:41 GMT+02:00 Tommy Pham : > I did some digging in the Jira and found your discussion of asm 3.3 vs asm > 5.x [1]. I'm go

Re: [S2] mvn struts2-archtype-blank broken?

2015-04-08 Thread Tommy Pham
I did some digging in the Jira and found your discussion of asm 3.3 vs asm 5.x [1]. I'm going to take on your suggestion for the exclusion [2] and use asm 5.x instead to see how it goes. [1] https://issues.apache.org/jira/browse/WW-4347 [2] https://cwiki.apache.org/confluence/display/WW/Java+8+S

Re: [S2] mvn struts2-archtype-blank broken?

2015-04-08 Thread Lukasz Lenart
2015-04-09 8:07 GMT+02:00 Tommy Pham : > Reviewing history of asm [1], I think it's a bug since asm 4.x added > support for Java 7 and asm 5.x added support for Java 8. Should I file it? > > [1] http://asm.ow2.org/history.html Nope, serie 2.3.x of Struts must support JDK6, with 2.5 we are going t

Re: [S2] mvn struts2-archtype-blank broken?

2015-04-08 Thread Lukasz Lenart
These two issues should clarify why it was reverted and new plugin to support Java8 was introduced https://issues.apache.org/jira/browse/WW-4435 https://issues.apache.org/jira/browse/WW-4347 2015-04-09 7:47 GMT+02:00 Tommy Pham : > Am I imagining things or is there typo/bug: > > xwork-core 2.3.2

Re: [S2] mvn struts2-archtype-blank broken?

2015-04-08 Thread Tommy Pham
Reviewing history of asm [1], I think it's a bug since asm 4.x added support for Java 7 and asm 5.x added support for Java 8. Should I file it? [1] http://asm.ow2.org/history.html On Wed, Apr 8, 2015 at 10:47 PM, Tommy Pham wrote: > Am I imagining things or is there typo/bug: > > xwork-core 2.

Re: [S2] mvn struts2-archtype-blank broken?

2015-04-08 Thread Tommy Pham
Am I imagining things or is there typo/bug: xwork-core 2.3.20 uses asm 5.0.2 From: 'ObjectWeb' (http://www.objectweb.org/) - ASM Core (http://asm.objectweb.org/asm/) org.ow2.asm:asm:jar:5.0.2 License: BSD (http://asm.objectweb.org/license.html) - ASM Commons (http://asm.objectweb.org/asm

Re: [S2] mvn struts2-archtype-blank broken?

2015-04-08 Thread Lukasz Lenart
2.3.23 is under test now, you can help as well :) http://markmail.org/thread/oqtssgeesejrobko Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ 2015-04-09 6:45 GMT+02:00 Tommy Pham : > Hi Lukasz, > > Thanks for the feedback. Do you know what version is the next release? My > curre

Re: [S2] mvn struts2-archtype-blank broken?

2015-04-08 Thread Tommy Pham
Hi Lukasz, Thanks for the feedback. Do you know what version is the next release? My current projects running into a bug regarding clearing the cache in Tomcat 8 that's fixed in 2.3.23. Regards, Tommy On Tue, Apr 7, 2015 at 12:08 AM, Lukasz Lenart wrote: > Yeah... it's broken. I'm fixing it

Re: [S2] mvn struts2-archtype-blank broken?

2015-04-07 Thread Lukasz Lenart
Yeah... it's broken. I'm fixing it right now and it will be included in a next release. 2015-04-05 22:32 GMT+02:00 Tommy Pham : > Hi folks, > > I just tried adding a maven project in Eclipse Luna (4.4.2) using remote > repository: http://struts.apache.org. The struts2-archetype-blank seems to > b

Re: [S2] 2.3.20 upgrade issue: No log warning entry for excluded package?

2015-04-06 Thread Burton Rhodes
ok - I will get back to you On Fri, Apr 3, 2015 at 1:13 AM, Lukasz Lenart wrote: > No idea what's wrong, without a small working example I cannot help you :( > > > Regards > -- > Łukasz > + 48 606 323 122 http://www.lenart.org.pl/ > > 2015-03-31 22:31 GMT+02:00 Burton Rhodes : > > Lukasz - > > A

[S2] mvn struts2-archtype-blank broken?

2015-04-05 Thread Tommy Pham
Hi folks, I just tried adding a maven project in Eclipse Luna (4.4.2) using remote repository: http://struts.apache.org. The struts2-archetype-blank seems to be broken. Navigating to the web app gives 404 error: HTTP Status 404 - /struts2-blank/WEB-INF/example/HelloWorld.jsp type Status repo

Re: [S2] 2.3.20 upgrade issue: No log warning entry for excluded package?

2015-04-02 Thread Lukasz Lenart
No idea what's wrong, without a small working example I cannot help you :( Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ 2015-03-31 22:31 GMT+02:00 Burton Rhodes : > Lukasz - > Apologies for the delay... Here is my logfile filtered for xwork2.ognl > > https://www.dropbox.com/s/t

Re: [S2] 2.3.20 upgrade issue: No log warning entry for excluded package?

2015-03-31 Thread Burton Rhodes
Lukasz - Apologies for the delay... Here is my logfile filtered for xwork2.ognl https://www.dropbox.com/s/t5u285gel0uu59m/log.ognl.txt?dl=0 Thanks! On Sat, Mar 7, 2015 at 12:40 AM, Lukasz Lenart wrote: > 2015-03-04 13:24 GMT+01:00 Burton Rhodes : > > Lukasz - Probably should have mentioned th

Re: [S2] 2.3.20 upgrade issue: No log warning entry for excluded package?

2015-03-06 Thread Lukasz Lenart
2015-03-04 13:24 GMT+01:00 Burton Rhodes : > Lukasz - Probably should have mentioned that > searchMangeerService.getPage().getLastPageNumber() returns an "int" I have added additional use case to check int type but it wasn't an issue. Can you narrow logging just to com.opensymphony.xwork2.ognl

Re: [S2] 2.3.20 upgrade issue: No log warning entry for excluded package?

2015-03-04 Thread Burton Rhodes
Lukasz - Probably should have mentioned that searchMangeerService.getPage().getLastPageNumber() returns an "int" On Mon, Mar 2, 2015 at 2:12 AM, Lukasz Lenart wrote: > 2015-02-27 19:29 GMT+01:00 Burton Rhodes : > > I am having a similar issue as it relates to the new > > excludedPackageNamePatte

Re: [S2] 2.3.20 upgrade issue: No log warning entry for excluded package?

2015-03-03 Thread Burton Rhodes
Sorry for the delay. Here is an excerpt from the log from when this particular page loads. SearchManagerService : custom interface class to perform searches SearchManagerServiceImpl : the implementation class Page: custom class to separate search results into "pages" getLastPageNumber(): is a met

Re: [S2] 2.3.20 upgrade issue: No log warning entry for excluded package?

2015-03-02 Thread Lukasz Lenart
2015-02-27 19:29 GMT+01:00 Burton Rhodes : > I am having a similar issue as it relates to the new > excludedPackageNamePatterns in 2.3.20 (upgrading from 2.3.16.3). The > following line [1] will not resolve with the excludedPackageNamePatterns > default value, but it will resolve when I clear the

[S2] 2.3.20 upgrade issue: No log warning entry for excluded package?

2015-02-27 Thread Burton Rhodes
I am having a similar issue as it relates to the new excludedPackageNamePatterns in 2.3.20 (upgrading from 2.3.16.3). The following line [1] will not resolve with the excludedPackageNamePatterns default value, but it will resolve when I clear the constant in struts.xml. I am wondering why I am no

[S2] How to change "Invalid field value for field" message in tr

2015-02-11 Thread Krunal Chavda
Create a new file in the same package where your action class is defined, "actionclassname.properties", and in that file use this: "invalid.fieldvalue.FieldName=give msg for user". It is working; also in my case it is working.

running s2 in springboot

2014-08-23 Thread Frans Thamura
Has anyone tried springboot? Can we run it on spring boot? Or has anyone tested it? I am still researching this stuff F

Re: Struts 1.x vulnerability to S2-020

2014-04-30 Thread Lukasz Lenart
2014-04-26 12:41 GMT+02:00 Andrew Brennan : > Hi, > > Can anyone confirm/deny if Struts 1 is vulnerable to this problem? There was an announcement published on this list. Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ --

Struts 1.x vulnerability to S2-020

2014-04-28 Thread Andrew Brennan
Hi, Can anyone confirm/deny if Struts 1 is vulnerable to this problem? Thanks, Andy.
