Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3.31, 2.5.5
    • Component/s: None
    • Labels:
      None

      Description

      It is possible that you get the webconsole.html in dev without having debug in the stack trace.

      I found that you can access /struts/webconsole.html to see this HTML. For example (thanks jgeppert!):

      http://struts.jgeppert.com/struts2-jquery-showcase/struts/webconsole.html

      I wonder if this should be fixed and if this can be used by attackers.

        Activity

        lukaszlenart Lukasz Lenart added a comment -

        It won't do any harm; without the debugging interceptor it isn't possible to perform any action.

        montri.m Montri M added a comment -

        Well, just having it exist is enough to scare our client away, even if it couldn't perform any action. Is there any way to disable it?

        jira-bot ASF subversion and git services added a comment -

        Commit a317668213062d071de68e6008197d1ca6ed3dbc in struts's branch refs/heads/master from Lukasz Lenart
        [ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=a317668 ]

        WW-4601 Hides webconsole when not in devMode

        jira-bot ASF subversion and git services added a comment -

        Commit e8b48f8bb4a0926bcc89e566f666c5b6b499c55b in struts's branch refs/heads/support-2-3 from Lukasz Lenart
        [ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=e8b48f8 ]

        WW-4601 Hides webconsole when not in devMode

        lukaszlenart Lukasz Lenart added a comment -

        The whole package where webconsole.html is stored is hidden when not in devMode

        lukaszlenart Lukasz Lenart added a comment -

        Montri M, yes, you can hide it; just implement your own StaticContentLoader like this:

        import org.apache.struts2.dispatcher.DefaultStaticContentLoader;

        public class MyStaticContentLoader extends DefaultStaticContentLoader {

            // Space-separated packages searched for static content; the package
            // holding webconsole.html is left out.
            @Override
            protected String getAdditionalPackages() {
                return "org.apache.struts2.static template static";
            }

        }

        and then in struts.xml:

        <bean type="org.apache.struts2.dispatcher.StaticContentLoader" class="MyStaticContentLoader" name="myLoader" />
        <constant name="struts.staticContentLoader" value="myLoader" />

        It is all described here: https://struts.apache.org/docs/static-content.html
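
To confirm on a running deployment that the upgrade or the custom loader took effect, access logs can be scanned for requests to /struts/webconsole.html and the status each one returned. The script below is an added example, not part of this issue or of the Struts code base; the log format, the SERVED status set and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common/combined access-log prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)
CONSOLE_SUFFIX = "/struts/webconsole.html"  # path named in the issue
SERVED = {200, 206, 304}  # assumption: statuses meaning the file exists and was served


def normalize_path(target):
    """Reduce a logged request target to a comparable path."""
    path = target.split("?", 1)[0]                                # drop query string
    path = "/".join(s.split(";", 1)[0] for s in path.split("/"))  # drop ;jsessionid etc.
    path = unquote(path)                                          # decode %xx escapes
    return re.sub(r"/{2,}", "/", path)                            # collapse repeated slashes


def scan(lines):
    """Split console requests into (served, not_served) lists of (host, time, path, status)."""
    served, not_served = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        path = normalize_path(m["target"])
        if not path.endswith(CONSOLE_SUFFIX):
            continue  # any context path may precede /struts/
        hit = (m["host"], m["time"], path, int(m["status"]))
        (served if hit[3] in SERVED else not_served).append(hit)
    return served, not_served


# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2016:10:01:02 +0000] "GET /struts2-jquery-showcase/struts/webconsole.html HTTP/1.1" 200 1873',
    '192.0.2.11 - - [12/Mar/2016:10:01:05 +0000] "GET /app/struts/webconsole.html;jsessionid=ABC123?x=1 HTTP/1.1" 200 1873',
    '198.51.100.7 - - [14/Mar/2016:08:00:00 +0000] "GET /app/struts/webconsole.html HTTP/1.1" 404 0',
    '198.51.100.8 - - [14/Mar/2016:08:00:03 +0000] "GET /app/index.action HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    served, not_served = scan(SAMPLE_LOG)
    for host, when, path, status in served:
        print(f"SERVED     {status} {host} [{when}] {path}")
    for host, when, path, status in not_served:
        print(f"not served {status} {host} [{when}] {path}")
```

Any entry in the served list after the fix or the custom loader is deployed means the page is still reachable on that application.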

        hudson Hudson added a comment -

        SUCCESS: Integrated in Struts-JDK7-master #491 (See https://builds.apache.org/job/Struts-JDK7-master/491/)
        WW-4601 Hides webconsole when not in devMode (lukaszlenart: rev a317668213062d071de68e6008197d1ca6ed3dbc)

        • core/src/main/java/org/apache/struts2/dispatcher/DefaultStaticContentLoader.java
        hudson Hudson added a comment -

        SUCCESS: Integrated in Struts-JDK6-support-2.3 #1040 (See https://builds.apache.org/job/Struts-JDK6-support-2.3/1040/)
        WW-4601 Hides webconsole when not in devMode (lukaszlenart: rev e8b48f8bb4a0926bcc89e566f666c5b6b499c55b)

        • core/src/main/java/org/apache/struts2/dispatcher/DefaultStaticContentLoader.java
        Philippe Philippe added a comment -

        Hello, we need to integrate this correction, but we're unable to find the 2.3.31 version on the different Maven repositories.

        Can you tell us when it will be delivered there?

        Thx

        lukaszlenart Lukasz Lenart added a comment - - edited

        2.3.31 hasn't been released yet; there are still some outstanding issues that must be resolved first. You can resolve this issue by implementing your own StaticContentLoader as I mentioned above.


          People

          • Assignee:
            lukaszlenart Lukasz Lenart
            Reporter:
            afattahi Alireza Fattahi
          • Votes:
            0
            Watchers:
            6
