转自:http://www.blogjava.net/ldwblog/archive/2013/10/14/404944.html
struts2出现的漏洞以及影响:
http://www.iteye.com/news/28053#comments
http://baike.baidu.com/link?url=6-45Efjxfsz2J74shu4sfd9G4ASrYig3ovFgBZASXbYGhGXeB368Glur39lakBEmntTDl_EIHro78o0tcyoCcK
项目中的struts版本是struts2.0.11,要求升级到目前最新的版本struts2.3.15.2。
工程修改内容:
新增的jar包:
struts2-core-2.3.15.2.jar
struts2-spring-plugin-2.3.15.2.jar
struts2-json-plugin-2.3.15.2.jar
xwork-core-2.3.15.2.jar
ognl-3.0.6.jar
javassist-3.11.0.GA
commons-lang3-3.1.jar
配置文件修改:
web.xml
struts.xml
Java文件修改:
ExceptionLogger.java
工程中需删除的jar包:
struts-core-2.0.11.jar
struts-spring-plugin-2.0.11.jar
xwork-2.0.4.jar
jsonplugin-0[1].32.jar
升级过程中遇到的问题及其解决办法:
1. - Cannot reduce the visibility of the inherited method from ExceptionMappingInterceptor
【将ExceptionLogger类,由于继承了ExceptionMappingInterceptor并且重写了findResultFromExceptions(List exceptionMappings, Throwable t) 方法, 父类该方法的作用域是protected,所以子类必须将原来的private修改为protected或者public】
2.java.lang.NullPointerException
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:409)
com.ccms.base.filter.EncodingFilter.doFilter(EncodingFilter.java:53)
【
web.xml中将struts2 prepare filter放到cas filter前面,将struts executer filter放到cas filter后面
这样配置之后,启动服务器后重新访问bcec url,形如:http://localhost:8080/bcec/zoneAction!initZone.action?function=zone 不会出现自动不转向到cas然后登陆的情况。
因为CasFilter.java过滤器中获取了ActionContext对象,但是此时如果先走这个filter的话Struts还没有初始化,所有ActionContext对象为null。
3. Caused by java.lang.ClassNotFoundException javassist.ClassPool
【新增javassist-3.11.0.GA.jar】
4. java.lang.NoSuchMethodError: ognl.SimpleNode.isEvalChain(Lognl/OgnlContext;)
【OGNL包不兼容,删除原来的ognl-2.6.11.jar,新增ognl-3.0.6.jar】
5. HTTP Status 404 - There is no Action mapped for namespace [/] and action name [loginAction!login] associated with context path [/bcec].
【<constant name="struts.enable.DynamicMethodInvocation" value="true"/> 增加该项表示开启动态方法调用(形如:XXAction!xxx.action)。struts2.3.15.2版本中默认为false(不支持动态方法调用),而struts2.0.11中默认值是true(支持动态方法调用)】
这个耗费了多些时间,跟踪了下源码.
6.java.lang.ClassNotFoundException: com.opensymphony.xwork2.util.TextUtils
【新增struts2-json-plugin-2.3.15.2.jar,删除jsonplugin-0.3x.jar包】
7.Caused by: No object in the CompoundRoot has a publicly accessible property named 'datetime' (no setter could be found). - [unknown location]
【<constant name="struts.devMode" value="false" /> 将value修改为false或者将该条配置去掉。】
http://www.iteye.com/news/28053#comments
http://baike.baidu.com/link?url=6-45Efjxfsz2J74shu4sfd9G4ASrYig3ovFgBZASXbYGhGXeB368Glur39lakBEmntTDl_EIHro78o0tcyoCcK
项目中的struts版本是struts2.0.11,要求升级到目前最新的版本struts2.3.15.2。
工程修改内容:
新增的jar包:
struts2-core-2.3.15.2.jar
struts2-spring-plugin-2.3.15.2.jar
struts2-json-plugin-2.3.15.2.jar
xwork-core-2.3.15.2.jar
ognl-3.0.6.jar
javassist-3.11.0.GA
commons-lang3-3.1.jar
配置文件修改:
web.xml
struts.xml
Java文件修改:
ExceptionLogger.java
工程中需删除的jar包:
struts-core-2.0.11.jar
struts-spring-plugin-2.0.11.jar
xwork-2.0.4.jar
jsonplugin-0[1].32.jar
升级过程中遇到的问题及其解决办法:
1. - Cannot reduce the visibility of the inherited method from ExceptionMappingInterceptor
【将ExceptionLogger类,由于继承了ExceptionMappingInterceptor并且重写了findResultFromExceptions(List exceptionMappings, Throwable t) 方法, 父类该方法的作用域是protected,所以子类必须将原来的private修改为protected或者public】
2.java.lang.NullPointerException
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:409)
com.ccms.base.filter.EncodingFilter.doFilter(EncodingFilter.java:53)
【
web.xml中将struts2 prepare filter放到cas filter前面,将struts executer filter放到cas filter后面
这样配置之后,启动服务器后重新访问bcec url,形如:http://localhost:8080/bcec/zoneAction!initZone.action?function=zone 不会出现自动不转向到cas然后登陆的情况。
因为CasFilter.java过滤器中获取了ActionContext对象,但是此时如果先走这个filter的话Struts还没有初始化,所有ActionContext对象为null。
<filter>
<filter-name>struts-prepare</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>struts-prepare</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CASFilter</filter-name>
<filter-class>
edu.yale.its.tp.cas.client.filter.CASFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>struts-execute</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>struts-execute</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
】<filter-name>struts-prepare</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>struts-prepare</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CASFilter</filter-name>
<filter-class>
edu.yale.its.tp.cas.client.filter.CASFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>struts-execute</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>struts-execute</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3. Caused by java.lang.ClassNotFoundException javassist.ClassPool
【新增javassist-3.11.0.GA.jar】
4. java.lang.NoSuchMethodError: ognl.SimpleNode.isEvalChain(Lognl/OgnlContext;)
【OGNL包不兼容,删除原来的ognl-2.6.11.jar,新增ognl-3.0.6.jar】
5. HTTP Status 404 - There is no Action mapped for namespace [/] and action name [loginAction!login] associated with context path [/bcec].
【<constant name="struts.enable.DynamicMethodInvocation" value="true"/> 增加该项表示开启动态方法调用(形如:XXAction!xxx.action)。struts2.3.15.2版本中默认为false(不支持动态方法调用),而struts2.0.11中默认值是true(支持动态方法调用)】
这个耗费了多些时间,跟踪了下源码.
6.java.lang.ClassNotFoundException: com.opensymphony.xwork2.util.TextUtils
【新增struts2-json-plugin-2.3.15.2.jar,删除jsonplugin-0.3x.jar包】
7.Caused by: No object in the CompoundRoot has a publicly accessible property named 'datetime' (no setter could be found). - [unknown location]
【<constant name="struts.devMode" value="false" /> 将value修改为false或者将该条配置去掉。】
8. [2013-10-15 18:11:48] [WARN ] Error setting expression 'struts.token.name' with value '[Ljava.lang.String;@14057e5' - at com.opensymphony.xwork2.util.logging.commons.CommonsLogger.warn(CommonsLogger.java:64)
ognl.OgnlException: source is null for getProperty(null, "token")
【struts.xml中修改params参数拦截器配置如下:
<interceptor-ref name="params">
<param name="excludeParams">
dojo\..*,.*\\u0023.*,struts.token,struts.token.name
</param>
</interceptor-ref>
】
9. [2013-10-16 10:38:19] [WARN ] Could not find token name in params. - at com.opensymphony.xwork2.util.logging.commons.CommonsLogger.warn(CommonsLogger.java:56)
【struts.xml中修改token拦截器中增加对防止重复提交方法的拦截配置:
<interceptor-ref name="token">
<param name="includeParams">
allocate,create
</param>
</interceptor-ref>
】
10. 当rest接口发送请求参数格式形如:hostId.1、hostId.2....
10. 当rest接口发送请求参数格式形如:hostId.1、hostId.2....
后台会遇到ognl解析错误,警告级错误如下,很眼晕啊 ~~.
\--------------------------------------/
[2013-10-25 10:32:47] [WARN ] Error setting expression 'instanceId.6' with value '[Ljava.lang.String;@7a151289' - at com.opensymphony.xwork2.util.logging.commons.CommonsLogger.warn(CommonsLogger.java:64)
ognl.ExpressionSyntaxException: Malformed OGNL expression: instanceId.6 [ognl.ParseException: Encountered " <FLT_LITERAL> ".6 "" at line 1, column 11.
Was expecting one of:
<EOF>
"," ...
"=" ...
"?" ...
"||" ...
"or" ...
"&&" ...
"and" ...
"|" ...
"bor" ...
"^" ...
"xor" ...
"&" ...
"band" ...
"==" ...
"eq" ...
"!=" ...
"neq" ...
"<" ...
"lt" ...
">" ...
"gt" ...
"<=" ...
"lte" ...
">=" ...
"gte" ...
"in" ...
"not" ...
"<<" ...
"shl" ...
">>" ...
"shr" ...
">>>" ...
"ushr" ...
"+" ...
"-" ...
"*" ...
"/" ...
"%" ...
"instanceof" ...
"." ...
"(" ...
"[" ...
<DYNAMIC_SUBSCRIPT> ...
"(" ...
]
at ognl.Ognl.parseExpression(Ognl.java:112)
at com.opensymphony.xwork2.ognl.OgnlUtil.compile(OgnlUtil.java:268)
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:230)
at com.opensymphony.xwork2.ognl.OgnlValueStack.trySetValue(OgnlValueStack.java:183)
at com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:170)
at com.opensymphony.xwork2.ognl.OgnlValueStack.setParameter(OgnlValueStack.java:148)
at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:318)
at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:231)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:239)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:191)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:73)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:91)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:252)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:100)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:141)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:145)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:161)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:193)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:189)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.ccms.systemlog.action.InterfaceInterceptor.intercept(InterfaceInterceptor.java:81)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:54)
at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:563)
at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:77)
at org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter(StrutsExecuteFilter.java:93)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:351)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter.doFilter(StrutsPrepareFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.ccms.base.filter.EncodingFilter.doFilter(EncodingFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
at java.lang.Thread.run(Thread.java:679)
Caused by: ognl.ParseException: Encountered " <FLT_LITERAL> ".6 "" at line 1, column 11.
Was expecting one of:
<EOF>
"," ...
"=" ...
"?" ...
"||" ...
"or" ...
"&&" ...
"and" ...
"|" ...
"bor" ...
"^" ...
"xor" ...
"&" ...
"band" ...
"==" ...
"eq" ...
"!=" ...
"neq" ...
"<" ...
"lt" ...
">" ...
"gt" ...
"<=" ...
"lte" ...
">=" ...
"gte" ...
"in" ...
"not" ...
"<<" ...
"shl" ...
">>" ...
"shr" ...
">>>" ...
"ushr" ...
"+" ...
"-" ...
"*" ...
"/" ...
"%" ...
"instanceof" ...
"." ...
"(" ...
"[" ...
<DYNAMIC_SUBSCRIPT> ...
"(" ...
at ognl.OgnlParser.generateParseException(OgnlParser.java:3172)
at ognl.OgnlParser.jj_consume_token(OgnlParser.java:3051)
at ognl.OgnlParser.topLevelExpression(OgnlParser.java:16)
at ognl.Ognl.parseExpression(Ognl.java:110)
... 64 more
/-- Encapsulated exception ------------\
ognl.ParseException: Encountered " <FLT_LITERAL> ".6 "" at line 1, column 11.
Was expecting one of:
<EOF>
"," ...
"=" ...
"?" ...
"||" ...
"or" ...
"&&" ...
"and" ...
"|" ...
"bor" ...
"^" ...
"xor" ...
"&" ...
"band" ...
"==" ...
"eq" ...
"!=" ...
"neq" ...
"<" ...
"lt" ...
">" ...
"gt" ...
"<=" ...
"lte" ...
">=" ...
"gte" ...
"in" ...
"not" ...
"<<" ...
"shl" ...
">>" ...
"shr" ...
">>>" ...
"ushr" ...
"+" ...
"-" ...
"*" ...
"/" ...
"%" ...
"instanceof" ...
"." ...
"(" ...
"[" ...
<DYNAMIC_SUBSCRIPT> ...
"(" ...
at ognl.OgnlParser.generateParseException(OgnlParser.java:3172)
at ognl.OgnlParser.jj_consume_token(OgnlParser.java:3051)
at ognl.OgnlParser.topLevelExpression(OgnlParser.java:16)
at ognl.Ognl.parseExpression(Ognl.java:110)
at com.opensymphony.xwork2.ognl.OgnlUtil.compile(OgnlUtil.java:268)
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:230)
at com.opensymphony.xwork2.ognl.OgnlValueStack.trySetValue(OgnlValueStack.java:183)
at com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:170)
at com.opensymphony.xwork2.ognl.OgnlValueStack.setParameter(OgnlValueStack.java:148)
at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:318)
at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:231)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:239)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:191)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:73)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:91)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:252)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:100)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:141)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:145)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:161)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:193)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:189)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at com.ccms.systemlog.action.InterfaceInterceptor.intercept(InterfaceInterceptor.java:81)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
at org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:54)
at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:563)
at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:77)
at org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter(StrutsExecuteFilter.java:93)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:351)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter.doFilter(StrutsPrepareFilter.java:91)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.ccms.base.filter.EncodingFilter.doFilter(EncodingFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
at java.lang.Thread.run(Thread.java:679)
\--------------------------------------/
解决方式:
【在strurts.xml的拦截器中覆盖struts2的默认拦截器栈,并在params方法中过滤掉相应的请求参数(正则表达式编写),这样就可以屏蔽OGNL表达式的解析。
<interceptor-stack name="fixDefaultStack">
<interceptor-ref name="exception"/>
<interceptor-ref name="alias"/>
<interceptor-ref name="servletConfig"/>
<interceptor-ref name="i18n"/>
<interceptor-ref name="prepare"/>
<interceptor-ref name="chain"/>
<interceptor-ref name="scopedModelDriven"/>
<interceptor-ref name="modelDriven"/>
<interceptor-ref name="fileUpload"/>
<interceptor-ref name="checkbox"/>
<interceptor-ref name="multiselect"/>
<interceptor-ref name="staticParams"/>
<interceptor-ref name="actionMappingParams"/>
<interceptor-ref name="params">
<!-- Rest接口使用,解决【hostId.1】这类请求参数出现OGNL解析异常问题 -->
<param name="excludeParams">
dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*,
^zoneId\..*, ^clusterId\..*, ^hostId\..*, ^instanceId\..*,
</param>
</interceptor-ref>
<interceptor-ref name="conversionError"/>
<interceptor-ref name="validation">
<param name="excludeMethods">input,back,cancel,browse</param>
</interceptor-ref>
<interceptor-ref name="workflow">
<param name="excludeMethods">input,back,cancel,browse</param>
</interceptor-ref>
<interceptor-ref name="debugging"/>
</interceptor-stack>
再在struts-query.xml配置的Action文件中引用上述拦截器:
<package name="query" namespace="/query" extends="default">
<action name="instancesAction" class="instancesAction">
<interceptor-ref name="li"/>
<interceptor-ref name="fixDefaultStack"></interceptor-ref>
</action>
... ...
</package>
】
】
相关推荐
今天,我们将讨论如何修复 Struts2 漏洞 S2-045 而不升级 jar 版本。 漏洞概述 S2-045 漏洞是一个严重的安全漏洞,影响 Struts2 的多个版本,包括 2.3.5-2.3.31 和 2.5-2.5.102。该漏洞是由于 Struts2 中的 ...
对于防御Struts2漏洞,首要任务是保持框架版本的及时更新。当新的安全补丁发布时,应尽快升级到最新版本,避免使用已知存在漏洞的jar包。此外,配置管理也至关重要,确保没有启用不必要的插件或者设置,降低攻击面。...
Struts2漏洞升级是一个重要的IT安全议题,尤其对于使用Struts2框架的开发者来说,及时了解和处理这些漏洞至关重要。Struts2是一个流行的Java web应用框架,它为开发者提供了MVC(模型-视图-控制器)架构的支持。然而...
从压缩包子文件的文件名称列表"struts2.3升级到2.3.32所需jar包"来看,这次升级是从Struts2的2.3版本升级到2.3.32版本。这个版本的跳跃可能涵盖了多个安全修复,因为Struts2通常会发布小版本更新来处理安全问题。...
修复方法包括升级Struts2框架至修复版本,并确保所有上传功能都进行了适当的验证和过滤。 "Struts2漏洞检查工具2017版"的出现,为管理员和开发团队提供了方便的解决方案,能够帮助他们快速检测是否存在上述安全问题...
2、删除上面原有的低版本jar 3、修改 WEB-INF\classes 目录下struts.xml 文件,加上: <constant name="struts.enable.DynamicMethodInvocation" value="true"/> <constant name="struts.convention.action....
如果检测到Struts2漏洞,应立即采取补救措施,如打补丁、升级框架版本、修复受影响的应用程序代码,并监控系统日志以检测异常活动。 7. **安全审计**: 定期进行安全审计和渗透测试,以便及时发现并修复任何潜在...
本教程将详细解释如何将Struts2的2.0.xx或2.3.28.1版本升级到更为安全的2.5.12版本。 **1. 漏洞概述** 在Struts2的早期版本中,尤其是2.0.xx和2.3.28.1,存在一个名为CVE-2017-9791的安全漏洞,这是一个远程代码...
解决方法是禁用REST插件或升级Struts2到修复此漏洞的版本。 S2-016,名为“Struts2 ExecuteAction和ResultAction插件远程代码执行漏洞”,该漏洞存在于ExecuteAction和ResultAction插件中,使得攻击者可以利用OGNL...
标题提到的"struts2目前无漏洞的版本"是指Struts2的2.5.13版,这个版本已经修复了已知的所有安全漏洞,确保了应用的安全性。 Struts2的漏洞种类繁多,其中包括但不限于以下几种: 1. **CVE-2017-9805**:这是...
在本文中,我们将深入探讨关于“Struts2.3.35漏洞升级全部JAR包”的主题,包括为何升级、涉及的漏洞、升级过程以及如何确认更新成功。 首先,Struts2.3.35的升级主要是为了修复已知的安全漏洞。在过去的几年里,...
"struts2漏洞升级最新包2.3.15.1"的出现,就是为了解决这些安全隐患。 首先,我们来了解一下Struts2漏洞的一些常见类型: 1. **CVE-2017-5638**:这是一个严重且知名的远程代码执行(RCE)漏洞,也被称为S2-045或...
针对2017年的Struts漏洞,开发者需要特别关注以下几点: 1. **漏洞原因**:主要问题在于OGNL(Object-Graph Navigation Language)表达式,它是Struts2用于动态数据访问和操作的内建语言。攻击者可以通过构造特殊的...
本文将详细讨论这些漏洞,以及如何利用这些工具进行测试和防护,最后介绍如何将Struts2应用升级至2.3.15.1版本以消除安全隐患。 首先,Struts2漏洞中最著名的可能是S2-045(CVE-2017-5638),这是一个远程代码执行...
此"struts2漏洞升级.zip"压缩包包含了从Struts 2.3.12版本升级到2.3.37版本的详细过程,以及相关的jar包和Gradle配置,旨在帮助开发者修复这些漏洞。 Struts2的安全漏洞主要涉及到其核心组件,如OGNL(Object-Graph...
3. **解决策略**:对于Struts2漏洞的修复,首先需要升级Struts2框架到最新稳定版,例如文件名所示的“struts-2.3.28”,这是一个较旧版本的更新,但已经包含了对已知漏洞的修复。除此之外,还需要禁用或限制使用可能...
解决这个问题的方法通常是限制OGNL表达式的执行,或者升级到修复了该漏洞的Struts2版本。 S2-048漏洞,名为“Struts2 S2-045的变种”,是S2-045的一个变体,同样可能导致远程代码执行。尽管这个漏洞可能比S2-045更...
然而,就像任何其他复杂的软件系统一样,Struts2也存在安全漏洞。其中,S2-045 和 CVE-2017-5638 是一个极其严重的问题,可能导致远程代码执行(RCE),进而让攻击者完全控制受影响的服务器。 S2-045 漏洞,官方...
这个过程通常不需要任何用户认证,使得攻击的门槛极低,只需知道目标系统中存在易受攻击的Struts2版本即可。 描述中提到“直接输入出现漏洞的url即可攻击”,这可能是指利用了Struts2的ActionMapper组件,该组件...
Apache官方已针对该漏洞发布安全公告,ApacheStruts 2.3.5 – 2.3.31版本及2.5 – 2.5.10版本存在远程代码执行漏洞(CNNVD-201703-152 ,CVE-2017-5638)。该漏洞是由于上传功能的异常处理函数没有正确处理用户输入...