Re: [ANN] Struts 2.3.15.2 GA release available - security fix

From: Emi Lu <emilu@encs.concordia.ca>
To: Struts Users Mailing List <user@struts.apache.org>
Cc: Lukasz Lenart <lukaszlenart@apache.org>,Struts Developers List <dev@struts.apache.org>,announcements@struts.apache.org,security@apache.org <security@apache.org>,full-disclosure@lists.grok.org.uk,bugtraq@securityfocus.com
Subject: Re: [ANN] Struts 2.3.15.2 GA release available - security fix
Date:


Good morning,

Upgraded from 2.3.15.1 to 15.2, but "s:submit" problem:


(1) jsp:
<s:form
    name    = "loginForm"
    namespace= "/Login"
    action   = "ProcessLoginAction"
    method   = "post"
    theme="simple"
 >

<s:submit value="Login"
           theme="simple"
           action="loginProcessLoginAction" />   --- never call 
loginProcessLoginAction



(2) struts.xml
<package name="Login" namespace="/Login" extends="tiles-default">
<action name="*ProcessLoginAction"  method="{1}" class="ProcessLoginAction">
   <result name="success"   type="tiles">main_menu</result>
   <result name="ajax_check" >
   /WEB-INF/pages/errorinfo/ajax_error_check.jsp
   </result>
</action>


(3) ProcessLoginAction.java
    public String login() throws Exception
    {
       try
       {
         ......
       }catch(Exception e)
       {
          log.error("login Error: " + e.getMessage());
          log.error(e);
          this.addActionError("login Error: " + e.getMessage());
       }
       return "success";
    }


The problem is that "loginProcessLoginAction in jsp page" is never be 
called.

Could you help?
Thanks,
Emi



On 09/21/2013 12:06 PM, Lukasz Lenart wrote:
> The Apache Struts group is pleased to announce that Struts 2.3.15.2 is
> available as a "General Availability" release.The GA designation is
> our highest quality grade.
>
> Apache Struts 2 is an elegant, extensible framework for creating
> enterprise-ready Java web applications. The framework is designed to
> streamline the full development cycle, from building, to deploying, to
> maintaining applications over time.
>
> This release includes important security fixes:
> - S2-018 - Broken Access Control Vulnerability in Apache Struts2
> - S2-019 - Dynamic Method Invocation disabled by default
>
> All developers are strongly advised to update existing Struts 2
> applications to Struts 2.3.15.2
>
> Struts 2.3.15.2 is available in a full distribution, or as separate
> library, source, example and documentation distributions, from the
> releases page.
> * http://struts.apache.org/download.cgi#struts23152
>
> The release is also available from the central Maven repository under
> Group ID "org.apache.struts".
>
> The 2.3.x series of the Apache Struts framework has a minimum
> requirement of the following specification versions:
> * Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
> * Java 2 Standard Platform Edition (J2SE) 5
>
> The release notes are available online at:
> * http://struts.apache.org/release/2.3.x/docs/version-notes-23152.html
>
> Should any issues arise with your use of any version of the Struts
> framework, please post your comments to the user list, and, if
> appropriate, file a tracking ticket.appropriate, file a tracking
> ticket:
> * https://issues.apache.org/jira/browse/WW
>
>
> - The Apache Struts group.
>
>
> Regards
>





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.