I've updated the Tiles version from 2.2.2 to 3.0.1 and I currently have a workaround to show portlet content based on the solution described in http://forum.springsource.org/showthread.php?98961-Webflow-with-JSP-Tiles-Portlet-has-no-content/page2. Applying:
ServletUtil.setForceInclude(request, true);
resolved the JSP blank problem in this case. Is there any kind of similar solution for Tiles 3? In Tiles 3 I am facing the same situation and I can't find the ServletUtil class or any alternative to help me solve this problem.
With Tiles3, you can do request.setAttribute(AbstractRequest.FORCE_INCLUDE_ATTRIBUTE_NAME, true)
A new TilesViewResolver#alwaysInclude property will be available in Spring Framework 4.1.2 to set this easily, more details available in the comment of this related JIRA issue at https://jira.spring.io/browse/SPR-12374.
Update
This issue has now been assigned CVE-2022-22965. Besides the nice answers below, please do check Spring Framework RCE: Early Announcement, as it is the most reliable and up-to-date site for this issue.
According to different sources, it seems we have a serious security issue when using the Spring Core library.
https://securityboulevard.com/2022/03/new-spring4shell-zero-day-vulnerability-confirmed-what-it-is-and-how-to-be-prepared/
Quoting from above link, we are in risk if:
You use a Spring app (up to and including version 5.3.17)
Your app runs on Java 9+
You use form binding with name=value pairs – not using Spring’s more popular message conversion of JSON/XML
You don’t use an allowlist –OR– you don’t have a denylist that blocks fields like “class”, “module”, “classLoader”
The link suggests some solutions, but they don't seem easy to implement or reliable.
What should we do to fix this issue, in easiest and most reliable way?
According to the Spring Framework RCE: Early Announcement, upgrading to Spring Framework 5.3.18 or 5.2.20 will fix the RCE.
If you use Spring Boot, Spring Boot 2.5.12 and Spring Boot 2.6.6 fixes the vulnerability.
If you're unable to update:
You can choose to only upgrade Tomcat. The Apache Tomcat team has released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcat’s side.
If you can't do any of the above, the RCE announcement blog post suggests a workaround: set disallowedFields on WebDataBinder through a @ControllerAdvice:

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Global binder configuration: applies to every controller's data binding
// unless a controller registers its own @InitBinder (see the caveat below).
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Refuse to bind any request parameter whose property path goes
        // through "class" / "Class" (and so through classLoader, module, ...).
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

This quick fix will not work if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting. Also, more generally, the workaround will not have an effect if you use alternate REST frameworks such as Jersey (however, it has not yet been demonstrated that such configurations are impacted).
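To see what the denylist above actually stops, here is an added example that is not part of the original answer and not Spring's own code: a Python port of the "xxx*", "*xxx", "*xxx*" and "xxx*yyy" matching that, to my understanding, Spring's PatternMatchUtils.simpleMatch applies when DataBinder checks a property path against disallowedFields (allowlist first, then denylist). The helper names (`simple_match`, `is_allowed`, `filter_params`) and the request parameters in `SAMPLE_PARAMS` are mine and constructed for the demonstration; the field names only reuse the "class", "module" and "classLoader" names the question lists.

```python
# Added example: Python port of the simple "*" pattern matching Spring uses
# for disallowedFields, applied to constructed request parameter names.
# Not code from the original answer or from the Spring Framework.

DENYLIST = ["class.*", "Class.*", "*.class.*", "*.Class.*"]


def simple_match(pattern: str, value: str) -> bool:
    """Port (assumed semantics) of PatternMatchUtils.simpleMatch.

    Case-sensitive; supports "xxx*", "*xxx", "*xxx*" and "xxx*yyy".
    """
    star = pattern.find("*")
    if star == -1:
        return pattern == value                      # no wildcard: exact match
    if star == 0:
        if len(pattern) == 1:
            return True                              # "*" matches anything
        next_star = pattern.find("*", 1)
        if next_star == -1:
            return value.endswith(pattern[1:])       # "*xxx"
        part = pattern[1:next_star]
        if part == "":
            return simple_match(pattern[next_star:], value)
        idx = value.find(part)
        while idx != -1:                             # "*xxx*": try every occurrence
            if simple_match(pattern[next_star:], value[idx + len(part):]):
                return True
            idx = value.find(part, idx + 1)
        return False
    # "xxx*yyy": literal prefix must match, then recurse on the remainder
    return (len(value) >= star
            and pattern[:star] == value[:star]
            and simple_match(pattern[star:], value[star:]))


def is_allowed(field: str, allowed=(), disallowed=DENYLIST) -> bool:
    """Mirror (assumed) of DataBinder.isAllowed: allowlist, then denylist."""
    if allowed and not any(simple_match(p, field) for p in allowed):
        return False
    return not any(simple_match(p, field) for p in disallowed)


def filter_params(params: dict, disallowed=DENYLIST) -> dict:
    """Return only the request parameters the binder would still bind."""
    return {k: v for k, v in params.items() if is_allowed(k, (), disallowed)}


# Constructed request parameters (sample input, not a captured request).
SAMPLE_PARAMS = {
    "name": "alice",
    "address.street": "Main St",
    "class.module.classLoader.someProperty": "x",
    "Class.module.classLoader.someProperty": "x",
    "owner.class.module.classLoader.someProperty": "x",
}

if __name__ == "__main__":
    for param in SAMPLE_PARAMS:
        print(f"{param!r}: {'bound' if is_allowed(param) else 'BLOCKED'}")
```

Two things the run makes visible: the matching is case-sensitive, which is why the advisory's list carries both `class.*` and `Class.*` (and the `*.class.*` forms for nested paths); and the patterns only block property paths that traverse a property named `class`/`Class`, so the denylist is a narrow stopgap rather than a replacement for the framework upgrade.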
Note: a Spring upgrade is still needed later on, as the vulnerability is not in Tomcat.
Temporary workaround: upgrade Tomcat to 10.0.20, 9.0.62, or 8.5.78.
Spring Reference
We have projects using Struts 2.0 and 2.1.
We're using web-hosting with Tomcat and both projects are working fine on remote servers. Recently, we got warning message from the webhosting provider, like:
This notice is to inform you that recently numerous vulnerabilities have been discovered related to Struts and Struts2 frameworks and other frameworks which use OGNL classes.
Since your application is using Struts or Struts2 framework, we HIGHLY recommend that you URGENTLY update it to the most recent version: Struts v2.3.16.1
After research, we found there're consistent upgrades:
http://struts.apache.org/announce.html
Therefore, we tried to upgrade our Struts2 to 2.3.16.3 (latest version at present). However, we found it's not a trivial task to upgrade Struts2, since everything doesn't work, including AJAX tags, AJAX form submit, auto-complete, etc. In this sense, Struts 2 is not well designed for scalability.
One example is that whenever we submit our AJAX form, the result will be in a new page instead of in the targets field defined in the sx:submit or sj:submit tag. We don't want to re-write all the codes just because of the upgrade.
We want to know if we don't upgrade Struts2 to the latest version, what kind of vulnerabilities our web application will face. Could anyone give us more details or any hint for solutions based on our situation? Thanks so much.
You are probably looking for Security Bulletins. Each document describes the summary, problem, and solution to resolve the problem. At the end of each document you can find hotfixes if they are available.
One example is that whenever we submit our ajax form, the result will be in a new page instead of in the targets field defined in the sx:submit or sj:submit tag.
It seems you are using struts2 and struts 2 jquery plugin, so try to update to struts 2 jquery 3.7.0 too.
I recommend to accept some reworks and upgrade as some security issues are high.
There are some key parts which have changed and may need to be considered during the upgrade, like acceptableParameterName. Also review your param interceptor stack and list of excluded parameters.
I moved a JSF application from Glassfish 3.1.2 to Glassfish 4.0 and I thought the new server release was completely backward compatible.
I found out it is not.
I used an outdated library, Primefaces 2.X, and some components stopped working properly, at least <p:tabview>. Common sense suggests to move to a newer library such as Primefaces 3.5, but that way I have to modify my xhtml pages. Cannot find a compatibility matrix anywhere, nor a migration tutorial. Can you help?
There is at least another weird problem outside those related to the Primefaces library.
I have a quite complex page and till now I couldn't isolate the problem to a simpler scenario.
In this page I have an <ui:repeat> tag and then a form with a button.
The button is configured to send Ajax request and update (render) only a single ui component.
At the 3rd Ajax request it stops working and I get an error saying there is a duplicate ID corresponding to the <ui:repeat> tag.
Any idea ?
Is there a migration guide from Glassfish 3.1.2 to Glassfish 4.0 which gives hints on what has changed and how to modify existing applications ?
Update
I found the following post which deals with the last problem I'm talking about:
Component ID xxx has already been found in the view.
Unfortunately I cannot understand how to solve it, despite it having an accepted answer!
This is one of the many bugs that were released with GF4.
I would suggest either waiting for the next release of GF (if you need a released version) or update GF to the latest JSF release (Currently 2.2.8 I think).
JSF implementation jars
JEE7 APIs
JSF current and older bugs
I just created a Spring MVC project in STS 3.3.0.RELEASE and just changed the default <org.springframework-version>3.1.1.RELEASE</org.springframework-version> to <org.springframework-version>3.2.1.RELEASE</org.springframework-version>, and Eclipse throws errors (see screenshot below). Any clue on how to remove these errors (perhaps the top one is the culprit)?
Solved - http://www.captaindebug.com/2013/03/creating-spring-32-mvc-web-app.html#.Uf7V-WTbrus - quoting the author: "Now, I could have used the fix outlined in my previous blog; however, the Guys at Spring have been busy and now the solution to this problem is to simply upgrade to Spring version 3.2.2-RELEASE".
My project was using older versions of Struts2 (2.0.x)
Now we are planning to upgrade Struts2 version which has some improvements and bug fixes.
I updated the pom.xml as per that. However I found out that in my old struts2-core lib, there's
org.apache.struts2.views.util.TextUtil
But in latest version it's not there and I am facing compilation errors.
Any idea why it's missing or how do I get it?
Indeed org.apache.struts2.views.util.TextUtil was removed from Struts 2 after 2.1.6. You have a few options.
First, as Jaiwo99 indicated, Struts 2 is licensed under the Apache License v2, so you can just take a copy of the source for TextUtil from Struts 2.1.6 and put it in your application. The class has no dependencies on other code, so it should work fine.
Second, you could look at using StringEscapeUtils from Apache Commons Lang 3, which is now used by Struts2 for escaping HTML and JavaScript. Specifically, look at StringEscapeUtils.escapeHtml4() method.
Could it be this one?
com.opensymphony.xwork2.util.TextParserUtil