struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Struts Two <>
Subject Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
Date Wed, 10 Sep 2008 16:09:07 GMT
I believe the issue should be fixed on 2.1.2 (for Websphere at least), but it still remains
an issue for Struts (for Websphere users). See the email below: 

----- Original Message ----
From: Rene Gielen <>
To: Struts Users Mailing List <>
Sent: Wednesday, July 16, 2008 2:40:38 AM
Subject: [ANN] Struts General Availability Release with Important Security Fix
Apache Struts 2.0..11.2 is now available from
This release is a fast track security fix release, including a security
fixed version 2.0.5 of XWork, which corrects a serious vulnerability in
ParametersInterceptor allowing malicious users to remotely change server
side context objects. For more information about the exploit, visit our
security bulletins page at
There are two known issues with this release:
1. the integrated XWork 2.0.5 jar may cause problems when used in a
combination of WebSphere 6.1 runtime environments with validation
configuration via XML files.
Possible Workarounds:
- use annotation based validation definition instead XML based
- stay with Struts 2.0..11.1 including XWork 2.0.4, applying the
  following exclude rule to your parameter interceptor refs in
  <interceptor-ref name="params">
      <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
2. the filtering mechanism implemeted in XWork's ParametersInterceptor
to fix the described security issue does not completely avoid any
possible malicious parameter name.
Possible Workaround:
- apply the following exclude rule to your parameter interceptor refs in
  struts.xml to avoid the usage of backslash characters in parameter
  <interceptor-ref name="params">
      <param name="excludeParams">.*\\.*</param>
Both issues will be addressed in a soon upcoming XWork 2..0.6 release,
followed by a new Struts 2.0 GA release including this new XWork version.
* All developers are advised to either update Struts 2 applications to
Struts or manually exchange usages of xwork-2.0.x.jar with the
fixed xwork-2.0.5.jar to prevent remotety induced context manipulations.
For the complete release notes for Struts, see

- The Apache Struts Team.

Connect with friends from any web browser - no download required. Try the new Yahoo! Canada
Messenger for the Web BETA at

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message