Background
There have been a lot of vulnerabilities this year, especially recently. On March 6, 2017, a remote command execution vulnerability in Apache Struts2 was disclosed: vulnerability number S2-045, CVE number CVE-2017-5638, officially rated high risk. The flaw is in the file upload function built on the Jakarta plugin; a malicious user can trigger it by modifying the Content-Type value in the HTTP request header and thereby execute arbitrary system commands, leaving the system compromised.
Vulnerability analysis: https://yq.aliyun.com/articles/72008
Recommendation
If your version falls between Struts 2.3.5 and Struts 2.3.31 or between Struts 2.5 and Struts 2.5.10, upgrade to Struts 2.3.32 or 2.5.10.1. (Damn it, the company is still using Struts2.)
Since the version in use is struts2-core-2.3.28, I hurried to move up a level and skipped the rest of 2.3 to upgrade straight to 2.5.
Upgrade Notes
I. Class not found
java.lang.ClassNotFoundException: org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter
Not finding it is perfectly normal: a look at the source shows that version 2.5 changed the package path, so the filter declaration needs the new class:
<filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>
II. The configured action cannot be found
Starting to doubt life a little? Hurry over to the official site, http://struts.apache.org/struts2, and have a look.
Because the version span is large, 2.5 brought many feature changes. In Struts 2.5, strict DMI has been extended; it is called Strict Method Invocation, or SMI. You can think of DMI as the "border police" and SMI as the "tax police", watching the interior. Starting with this release SMI is enabled by default (the strict-method-invocation attribute defaults to true in the struts-default package); you can choose to disable it per package, and there is no global switch that disables SMI for the whole application.
SMI works as follows:
<allowed-methods>/@AllowedMethods is defined for each action: SMI works even without enabling it, but only for those actions (plus <global-allowed-methods/>).
SMI is enabled but no <allowed-methods>/@AllowedMethods is defined: SMI works, but only <global-allowed-methods/> applies.
SMI is disabled: any action method matching the default regex ([a-zA-Z0-9_$]*) can be invoked.
You can redefine the default regex with a constant, as shown below: <constant name="struts.strictMethodInvocation.methodRegex" value="([a-zA-Z]*)"/>
When wildcard mappings are used in action definitions, SMI behaves in one of two ways:
SMI disabled: any wildcard is replaced by the default regex, i.e. <action name="person*" method="perform*"> is translated to allowedMethod="regex:perform([a-zA-Z0-9_$]*)".
SMI enabled: no wildcard substitution happens; you must strictly define which methods are accessible, via annotations or <allowed-methods/> tags.
In other words, the easiest fix is to add this configuration to the package's global settings:
<global-allowed-methods>regex:.*</global-allowed-methods>
III. The order of elements within package
Content of element type "package" must match "(result-types?,interceptors?,default-interceptor-ref?,default-action-ref?
When this error occurs, pay attention: check where global-allowed-methods sits inside package, then place it in the order the error message specifies.
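As an added illustration for sections II and III (this fragment is not from the original post; the package, action, class and JSP names are made up), here is a struts.xml that places global-allowed-methods where the 2.5 DTD expects it and shows the blanket regex:.* setting from above next to a narrower allow-list that keeps SMI's protection:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Example package; names are assumptions, not from the post -->
    <package name="example" extends="struts-default" namespace="/">

        <!-- Option A, the blanket workaround from the post: every public
             method on every action in this package becomes callable,
             which gives up what SMI adds in 2.5. -->
        <!-- <global-allowed-methods>regex:.*</global-allowed-methods> -->

        <!-- Option B: keep SMI on (the 2.5 default) and allow only what
             should be reachable. Element order matters: in the 2.5 DTD,
             global-allowed-methods comes after global-exception-mappings
             and before the first <action>, otherwise you get the
             "content of element type package must match" error. -->
        <global-allowed-methods>execute,input</global-allowed-methods>

        <action name="person" class="com.example.PersonAction">
            <!-- Per-action allow-list on top of the global one -->
            <allowed-methods>list,view</allowed-methods>
            <result name="success">/WEB-INF/jsp/person.jsp</result>
        </action>

        <!-- Wildcard mapping: with SMI on, "{1}" is NOT expanded to the
             default regex, so the reachable methods must be listed. -->
        <action name="person_*" method="{1}" class="com.example.PersonAction">
            <allowed-methods>save,delete</allowed-methods>
            <result name="success">/WEB-INF/jsp/person.jsp</result>
        </action>
    </package>
</struts>
```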
IV. Possible issues
If your project uses log4j rather than log4j2, here comes another problem: you also need to add log4j-api-2.7.jar and log4j-core-2.7.jar and configure a log4j2.xml (empty for now).
<?xml version="1.0" encoding="UTF-8"?>
<configuration status="error">
    <appenders>
    </appenders>
    <loggers>
        <root level="info">
        </root>
    </loggers>
</configuration>
Otherwise you will keep getting the following error; as for why, I haven't looked into it in depth yet.
ERROR StatusLogger No log4j2 configuration file found. Using default configuration: logging only errors to the console.
Well, if startup throws up no other problems, you should be able to visit the long-lost action again.
Original: http://blog.52itstyle.com/archives/430/