Thanks. Applying the workaround with Struts 2.0.11.1 and XWork 2.0.4, and modifying struts.xml by adding the interceptor-ref tag does not work:

22:58:02,671 ERROR [[default]] Servlet.service() for servlet default threw exception
java.lang.IllegalArgumentException: URI scheme is not "file"
    at java.io.File.<init>(Unknown Source)
    at com.opensymphony.xwork2.validator.ValidatorFactory.parseValidators(ValidatorFactory.java:314)
    at com.opensymphony.xwork2.validator.ValidatorFactory.<clinit>(ValidatorFactory.java:224)
    at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processRequiredFieldValidatorAnnotation(AnnotationValidationConfigurationBuilder.java:575)
    at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processAnnotations(AnnotationValidationConfigurationBuilder.java:149)
    at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.buildAnnotationClassValidatorConfigs(AnnotationValidationConfigurationBuilder.java:783)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildClassValidatorConfigs(AnnotationActionValidatorManager.java:254)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildValidatorConfigs(AnnotationActionValidatorManager.java:340)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.getValidators(AnnotationActionValidatorManager.java:69)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:138)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:113)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:100)
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doBeforeInvocation(ValidationInterceptor.java:142)
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:148)
    at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:48)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
    at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)

I guess it is game over until a new working release comes out ...

--- On Wed, 9/10/08, Struts Two <[EMAIL PROTECTED]> wrote:

From: Struts Two <[EMAIL PROTECTED]>
Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
To: "Struts Users Mailing List" <user@struts.apache.org>
Date: Wednesday, September 10, 2008, 9:09 AM

I believe the issue should be fixed on 2.1.2 (for Websphere at least), but it still remains an issue for Struts 2.0.11.2 (for Websphere users). See the email below:

----- Original Message ----
From: Rene Gielen <[EMAIL PROTECTED]>
To: Struts Users Mailing List <user@struts.apache.org>
Sent: Wednesday, July 16, 2008 2:40:38 AM
Subject: [ANN] Struts 2.0.11.2 General Availability Release with Important Security Fix

Apache Struts 2.0.11.2 is now available from <http://struts.apache.org/download.cgi#struts20112>.

This release is a fast track security fix release, including a security fixed version 2.0.5 of XWork, which corrects a serious vulnerability in ParametersInterceptor allowing malicious users to remotely change server side context objects. For more information about the exploit, visit our security bulletins page at <http://struts.apache.org/2.0.11.2/docs/s2-003.html>.

IMPORTANT ADDITIONAL NOTES:

There are two known issues with this release:

1. the integrated XWork 2.0.5 jar may cause problems when used in a combination of WebSphere 6.1 runtime environments with validation configuration via XML files.

Possible Workarounds:
- use annotation based validation definition instead of XML based
- stay with Struts 2.0.11.1 including XWork 2.0.4, applying the following exclude rule to your parameter interceptor refs in struts.xml

    <interceptor-ref name="params">
        <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
    </interceptor-ref>

2. the filtering mechanism implemented in XWork's ParametersInterceptor to fix the described security issue does not completely avoid any possible malicious parameter name.

Possible Workaround:
- apply the following exclude rule to your parameter interceptor refs in struts.xml to avoid the usage of backslash characters in parameter names

    <interceptor-ref name="params">
        <param name="excludeParams">.*\\.*</param>
    </interceptor-ref>

Both issues will be addressed in a soon upcoming XWork 2.0.6 release, followed by a new Struts 2.0 GA release including this new XWork version.

* All developers are advised to either update Struts 2 applications to Struts 2.0.11.2 or manually exchange usages of xwork-2.0.x.jar with the fixed xwork-2.0.5.jar to prevent remotely induced context manipulations.

For the complete release notes for Struts 2.0.11.2, see <http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html>.

- The Apache Struts Team.