struts-user mailing list archives

From "Gabriel Belingueres" <belingue...@gmail.com>
Subject Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
Date Thu, 11 Sep 2008 23:03:10 GMT
replaceAll(" ", "%20") ?
Why not URL-encode it? [1]

[1] http://java.sun.com/j2se/1.5.0/docs/api/java/net/URLEncoder.html

2008/9/11 Bobby Mitch <cel975@yahoo.com>:
> Well,
> I am willing to try then.
>
> Can someone send me that xwork-2.0.4.jar version, recompiled with the modifications described
> here on the parseValidators method of the ValidatorFactory class ?
> So that I can replace the xwork jar that ships with struts-2.0.11.1.jar
>
> Anyways, has this modification been reported on more recent versions of Xwork ?
>
> Thanks
>
>
>
> --- On Thu, 9/11/08, Musachy Barroso <musachy@gmail.com> wrote:
> From: Musachy Barroso <musachy@gmail.com>
> Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
> To: "Struts Users Mailing List" <user@struts.apache.org>, cel975@yahoo.com
> Date: Thursday, September 11, 2008, 8:28 AM
>
> I think it is:
>
> java.lang.IllegalArgumentException: URI scheme is not "file"
> at java.io.File.<init>(Unknown Source)
> at com.opensymphony.xwork2.validator.ValidatorFactory.parseValidators(
>
>
> The code used to be this:
>
> URL u = urls.next();
> File f = new File(new URI(u.toExternalForm().replaceAll(" ", "%20")));
>
> which would fail because the container was returning some weird urls there,
> and it was changed to:
>
>  try {
>     URI uri = new URI(u.toExternalForm().replaceAll(" ", "%20"));
>     if (!uri.isOpaque() && "file".equalsIgnoreCase(uri.getScheme())) {
>        File f = new File(uri);
>  .....
>
> I think that is the problem you are having, or I am terribly missing
> something here.
>
>
> On Thu, Sep 11, 2008 at 11:19 AM, Bobby Mitch <cel975@yahoo.com> wrote:
>
>> That is not the same error.
>>
>> --- On Thu, 9/11/08, Musachy Barroso <musachy@gmail.com> wrote:
>> From: Musachy Barroso <musachy@gmail.com>
>> Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
>> To: "Struts Users Mailing List" <user@struts.apache.org>, cel975@yahoo.com
>> Date: Thursday, September 11, 2008, 7:54 AM
>>
>> A fix in the code I meant: https://issues.apache.org/struts/browse/WW-2653.
>> Grabbing the latest xwork from trunk or release branch and building it,
>> should fix your problem.
>>
>> On Thu, Sep 11, 2008 at 10:49 AM, Bobby Mitch <cel975@yahoo.com> wrote:
>>
>> > What exactly is the fix for this problem then ?
>> > Thanks
>> >
>> > --- On Thu, 9/11/08, Musachy Barroso <musachy@gmail.com> wrote:
>> > From: Musachy Barroso <musachy@gmail.com>
>> > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
>> > To: "Struts Users Mailing List" <user@struts.apache.org>
>> > Date: Thursday, September 11, 2008, 6:03 AM
>> >
>> > The fix in this case is known.
>> >
>> > musachy
>> >
>> > On Wed, Sep 10, 2008 at 9:30 PM, Struts Two <strutstwo@yahoo.ca> wrote:
>> >
>> > > Do not give up, the game is not still over ..... (you can still do sth
>> > > about it)
>> > >
>> > > As an alternative, you can import the source code of xwork into ur
>> > > workspace and remove xwork the jar file, run your code in debug mode, find
>> > > the culprit, fix it. Then you can replace the class file in xwork jar file
>> > > with the one fixed. That is what I usually do on the last resort, and it is
>> > > guaranteed to work.
>> > >
>> > >
>> > >
>> > > ----- Original Message ----
>> > > From: Bobby Mitch <cel975@yahoo.com>
>> > > To: Struts Users Mailing List <user@struts.apache.org>
>> > > Sent: Wednesday, September 10, 2008 5:01:14 PM
>> > > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
>> > >
>> > > Thanks.
>> > > Applying the workaround with Struts 2.0.11.1 and XWorks 2.0.4, and
>> > > modifying struts.xml by adding the interceptor-ref tag does not work:
>> > >
>> > > 22:58:02,671 ERROR [[default]] Servlet.service() for servlet default threw exception
>> > > java.lang.IllegalArgumentException: URI scheme is not "file"
>> > >     at java.io.File.<init>(Unknown Source)
>> > >     at com.opensymphony.xwork2.validator.ValidatorFactory.parseValidators(ValidatorFactory.java:314)
>> > >     at com.opensymphony.xwork2.validator.ValidatorFactory.<clinit>(ValidatorFactory.java:224)
>> > >     at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processRequiredFieldValidatorAnnotation(AnnotationValidationConfigurationBuilder.java:575)
>> > >     at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.processAnnotations(AnnotationValidationConfigurationBuilder.java:149)
>> > >     at com.opensymphony.xwork2.validator.AnnotationValidationConfigurationBuilder.buildAnnotationClassValidatorConfigs(AnnotationValidationConfigurationBuilder.java:783)
>> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildClassValidatorConfigs(AnnotationActionValidatorManager.java:254)
>> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.buildValidatorConfigs(AnnotationActionValidatorManager.java:340)
>> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.getValidators(AnnotationActionValidatorManager.java:69)
>> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:138)
>> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:113)
>> > >     at com.opensymphony.xwork2.validator.AnnotationActionValidatorManager.validate(AnnotationActionValidatorManager.java:100)
>> > >     at com.opensymphony.xwork2.validator.ValidationInterceptor.doBeforeInvocation(ValidationInterceptor.java:142)
>> > >     at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:148)
>> > >     at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:48)
>> > >     at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:86)
>> > >     at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:224)
>> > >     at com.opensymphony.xwork2.DefaultActionInvocation$2.doProfiling(DefaultActionInvocation.java:223)
>> > >     at com.opensymphony.xwork2.util.profiling.UtilTimerStack.profile(UtilTimerStack.java:455)
>> > >     at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:221)
>> > >
>> > >
>> > > I guess it is game over until a new working release comes out ....
>> > >
>> > >
>> > > --- On Wed, 9/10/08, Struts Two <strutstwo@yahoo.ca> wrote:
>> > > From: Struts Two <strutstwo@yahoo.ca>
>> > > Subject: Re: JBoss 5 RC1 and Struts 2 : Simple validation error (URI scheme is not "file")
>> > > To: "Struts Users Mailing List" <user@struts.apache.org>
>> > > Date: Wednesday, September 10, 2008, 9:09 AM
>> > >
>> > > I believe the issue should be fixed on 2.1.2 (for Websphere at least), but it
>> > > still remains an issue for Struts 2.0.11.2 (for Websphere users). See the email
>> > > below:
>> > >
>> > > ----- Original Message ----
>> > > From: Rene Gielen <rgielen@apache.org>
>> > > To: Struts Users Mailing List <user@struts.apache.org>
>> > > Sent: Wednesday, July 16, 2008 2:40:38 AM
>> > > Subject: [ANN] Struts 2.0.11.2 General Availability Release with Important Security Fix
>> > >
>> > > Apache Struts 2.0.11.2 is now available from
>> > > <http://struts.apache.org/download.cgi#struts20112>.
>> > >
>> > > This release is a fast track security fix release, including a security
>> > > fixed version 2.0.5 of XWork, which corrects a serious vulnerability in
>> > > ParametersInterceptor allowing malicious users to remotely change server
>> > > side context objects. For more information about the exploit, visit our
>> > > security bulletins page at
>> > > <http://struts.apache.org/2.0.11.2/docs/s2-003.html>.
>> > >
>> > > IMPORTANT ADDITIONAL NOTES:
>> > > There are two known issues with this release:
>> > >
>> > > 1. the integrated XWork 2.0.5 jar may cause problems when used in a
>> > > combination of WebSphere 6.1 runtime environments with validation
>> > > configuration via XML files.
>> > > Possible Workarounds:
>> > > - use annotation based validation definition instead of XML based
>> > > - stay with Struts 2.0.11.1 including XWork 2.0.4, applying the
>> > >   following exclude rule to your parameter interceptor refs in
>> > >   struts.xml
>> > >   <interceptor-ref name="params">
>> > >       <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
>> > >   </interceptor-ref>
>> > >
>> > > 2. the filtering mechanism implemented in XWork's ParametersInterceptor
>> > > to fix the described security issue does not completely avoid any
>> > > possible malicious parameter name.
>> > > Possible Workaround:
>> > > - apply the following exclude rule to your parameter interceptor refs in
>> > >   struts.xml to avoid the usage of backslash characters in parameter
>> > >   names
>> > >   <interceptor-ref name="params">
>> > >       <param name="excludeParams">.*\\.*</param>
>> > >   </interceptor-ref>
>> > >
>> > > Both issues will be addressed in a soon upcoming XWork 2.0.6 release,
>> > > followed by a new Struts 2.0 GA release including this new XWork version.
>> > >
>> > > * All developers are advised to either update Struts 2 applications to
>> > > Struts 2.0.11.2 or manually exchange usages of xwork-2.0.x.jar with the
>> > > fixed xwork-2.0.5.jar to prevent remotely induced context manipulations.
>> > >
>> > > For the complete release notes for Struts 2.0.11.2, see
>> > > <http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html>.
>> > >
>> > > - The Apache Struts Team.
>> >
>> >
>> > --
>> > "Hey you! Would you help me to carry the stone?" Pink Floyd

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
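
Added example, not part of the thread or of the XWork source: the guarded URL-to-`File` conversion discussed above, run next to the unguarded line and next to `URLEncoder` applied to a whole URL. The sample URLs are constructed, `vfszip` stands in for a container-specific scheme, and the class and method names are hypothetical.

```java
import java.io.File;
import java.net.URI;
import java.net.URLEncoder;

public class ValidatorUrlToFile {

    // Guarded conversion: File(URI) accepts only hierarchical "file" URIs,
    // so anything else is skipped instead of raising IllegalArgumentException.
    static File toLocalFile(String externalForm) {
        try {
            URI uri = new URI(externalForm.replaceAll(" ", "%20"));
            if (!uri.isOpaque() && "file".equalsIgnoreCase(uri.getScheme())) {
                return new File(uri);
            }
        } catch (Exception e) {
            // URISyntaxException, or a file URI with an authority or query part
        }
        return null; // not a plain file on disk
    }

    // Unguarded form of the original line, kept to show how it fails.
    static String unguarded(String form) {
        try {
            return new File(new URI(form)).getPath();
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URLs (assumptions, not taken from the thread).
        String[] samples = {
            "file:/opt/app server/lib/validators.xml",
            "jar:file:/opt/app/lib/xwork.jar!/validators.xml",
            "vfszip:/opt/server/deploy/app.war/WEB-INF/classes/validators.xml",
        };
        for (String s : samples) {
            System.out.println(s);
            System.out.println("  guarded   -> " + toLocalFile(s));
            System.out.println("  unguarded -> " + unguarded(s.replaceAll(" ", "%20")));
        }
        // URLEncoder does form encoding: ':' and '/' are escaped and ' ' becomes '+',
        // so the result no longer has a scheme and cannot be used as a file URI.
        String encoded = URLEncoder.encode(samples[0], "UTF-8");
        System.out.println(encoded);
        System.out.println("  guarded   -> " + toLocalFile(encoded));
        System.out.println("  unguarded -> " + unguarded(encoded));
    }
}
```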

