struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bobby Mitch <cel...@yahoo.com>
Subject Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
Date Wed, 10 Sep 2008 21:01:14 GMT
Thanks.
Applying the workaround with Struts 2.0.11.1 and XWorks 2.0.4, and modifying struts.xml by
adding the interceptor-ref tag does not work:

22:58:02,671 ERROR [[default]] Servlet.service() for servlet default threw exception
java.lang.IllegalArgumentException: URI scheme is not "file"
    at java.io.File.<init>(Unknown Source)
    at com.opensymphony.xwork2.validator.ValidatorFactory.parseValidators(ValidatorFactory.java:314)
    at com.opensymphony.xwork2.validator.ValidatorFactory.<clinit>(ValidatorFactory.java:224)
    at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processRequiredFieldValidatorAnnotation(AnnotationValidationConfigurationBuilder.java:575)
    at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processAnnotations(AnnotationValidationConfigurationBuilder.java:149)
    at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.buildAnnotationClassValidatorConfigs(AnnotationValidationConfigurationBuilder.java:783)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildClassValidatorConfigs(AnnotationActionValidatorManager.java:254)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildValidatorConfigs(AnnotationActionValidatorManager.java:340)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.getValidators(AnnotationActionValidatorManager.java:69)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:138)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:113)
    at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:100)
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doBeforeInvocation(ValidationInterceptor.java:142)
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:148)
    at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:48)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
    at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
    at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)


I guess it is game over until a new working release comes out ...


--- On Wed, 9/10/08, Struts Two <strutstwo@yahoo.ca> wrote:
From: Struts Two <strutstwo@yahoo.ca>
Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
To: "Struts Users Mailing List" <user@struts.apache.org>
Date: Wednesday, September 10, 2008, 9:09 AM

I believe the issue should be fixed on 2.1.2 (for Websphere at least), but it
still remains an issue for Struts 2.0.11.2 (for Websphere users). See the email
below: 

----- Original Message ----
From: Rene Gielen <rgielen@apache.org>
To: Struts Users Mailing List <user@struts.apache.org>
Sent: Wednesday, July 16, 2008 2:40:38 AM
Subject: [ANN] Struts 2.0.11.2 General Availability Release with Important
Security Fix
Apache Struts 2.0..11.2 is now available from
<http://struts.apache.org/download.cgi#struts20112>.
This release is a fast track security fix release, including a security
fixed version 2.0.5 of XWork, which corrects a serious vulnerability in
ParametersInterceptor allowing malicious users to remotely change server
side context objects. For more information about the exploit, visit our
security bulletins page at
<http://struts.apache.org/2.0.11.2/docs/s2-003.html>.
IMPORTANT ADDITIONAL NOTES:
There are two known issues with this release:
1. the integrated XWork 2.0.5 jar may cause problems when used in a
combination of WebSphere 6.1 runtime environments with validation
configuration via XML files.
Possible Workarounds:
- use annotation based validation definition instead XML based
- stay with Struts 2.0..11.1 including XWork 2.0.4, applying the
  following exclude rule to your parameter interceptor refs in
  struts.xml
  <interceptor-ref name="params">
      <param
name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
  </interceptor-ref>
2. the filtering mechanism implemeted in XWork's ParametersInterceptor
to fix the described security issue does not completely avoid any
possible malicious parameter name.
Possible Workaround:
- apply the following exclude rule to your parameter interceptor refs in
  struts.xml to avoid the usage of backslash characters in parameter
  names
  <interceptor-ref name="params">
      <param
name="excludeParams">.*\\.*</param>
  </interceptor-ref>
Both issues will be addressed in a soon upcoming XWork 2..0.6 release,
followed by a new Struts 2.0 GA release including this new XWork version.
* All developers are advised to either update Struts 2 applications to
Struts 2.0.11.2 or manually exchange usages of xwork-2.0.x.jar with the
fixed xwork-2.0.5.jar to prevent remotety induced context manipulations.
For the complete release notes for Struts 2.0.11.2, see
<http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html>.

- The Apache Struts Team.


      __________________________________________________________________
Connect with friends from any web browser - no download required. Try the new
Yahoo! Canada Messenger for the Web BETA at
http://ca.messenger.yahoo.com/webmessengerpromo.php


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org




      
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message