You can create one abstract package and all other packages can inherit from it - the same as you inherit from "tiles-default"
2014-04-25 15:52 GMT+02:00 <em...@cse.concordia.ca>:
> Hello List,
>
> Need your confirmation for [1] mitigation. For example, package: p1, p2...
> pN, for each package, I should do the following, right?
>
> Am I missing anything, or is there a way that can patch one place and cover all
> packages instead of doing p1... PN?
>
>
> (a) struts1.xml
> <package name="p1" namespace="/n1" extends="tiles-default">
>
>   <result-types>
>     <result-type name="tiles"
>                  class="org.apache.struts2.views.tiles.TilesResult" />
>   </result-types>
>
>   <interceptors>
>     <interceptor-stack name="secureDefaultStack">
>       <interceptor-ref name="defaultStack">
>         <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
>       </interceptor-ref>
>     </interceptor-stack>
>   </interceptors>
>
>   <default-interceptor-ref name="secureDefaultStack" />
>   <action name= ....>
>   ......
> </package>
> ......
> ......
>
> (N) strutsN.xml
> <package name="pN" namespace="/nN" extends="tiles-default">
>
>   <result-types>
>     <result-type name="tiles"
>                  class="org.apache.struts2.views.tiles.TilesResult" />
>   </result-types>
>
>   <interceptors>
>     <interceptor-stack name="secureDefaultStack">
>       <interceptor-ref name="defaultStack">
>         <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
>       </interceptor-ref>
>     </interceptor-stack>
>   </interceptors>
>
>   <default-interceptor-ref name="secureDefaultStack" />
>   <action name= ....>
>   ......
> </package>
>
>
>
>
> On 04/24/2014 02:39 PM, Rene Gielen wrote:
>> Yes.
>>
>> On 24.04.14 19:37, em...@cse.concordia.ca wrote:
>>> Hello List,
>>>
>>> I am using tiles-default:
>>> <struts>
>>>   <package name="Example" namespace="/Action/Example"
>>>            extends="tiles-default">
>>>     <result-types>
>>>       <result-type name="tiles"
>>>                    class="org.apache.struts2.views.tiles.TilesResult" />
>>>     </result-types>
>>>
>>>     <action name="*ProcessExampleAction" method="{1}"
>>>             class="ExampleAction">
>>>       <result name="success" type="tiles">success_gui</result>
>>>       <result name="ajax_check">
>>>         /WEB-INF/pages/errorinfo/ajax_error_check.jsp
>>>       </result>
>>>     </action>
>>> Do I need this update below as well? Thank you!
>>>
>>> On 04/24/2014 11:32 AM, Rene Gielen wrote:
>>>> In Struts 2.3.16.1, an issue with ClassLoader manipulation via request
>>>> parameters was supposed to be resolved. Unfortunately, the correction
>>>> wasn't sufficient.
>>>>
>>>> A security fix release fully addressing this issue is in preparation and
>>>> will be released as soon as possible.
>>>>
>>>> Once the release is available, all Struts 2 users are strongly
>>>> recommended to update their installations.
>>>>
>>>> * Until the release is available, all Struts 2 users are strongly
>>>> recommended to apply the mitigation described [1] *
>>>>
>>>> Please follow the Apache Struts announcement channels [2][3][4][5] to
>>>> stay updated regarding the upcoming security release. Most likely the
>>>> release will be available within the next 72 hours. Please prepare for
>>>> upgrading all Struts 2 based production systems to the new release
>>>> version once available.
>>>>
>>>> - The Apache Struts Team.
>>>>
>>>> [1] http://struts.apache.org/announce.html#a20140424
>>>> [2] http://struts.apache.org/mail.html
>>>> [3] http://struts.apache.org/announce.html
>>>> [4] https://plus.google.com/+ApacheStruts/posts
>>>> [5] https://twitter.com/TheApacheStruts
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org