          Struts2 vulnerabilities and their impact:
          http://www.iteye.com/news/28053#comments

          http://baike.baidu.com/link?url=6-45Efjxfsz2J74shu4sfd9G4ASrYig3ovFgBZASXbYGhGXeB368Glur39lakBEmntTDl_EIHro78o0tcyoCcK

          The project was using Struts 2.0.11 and had to be upgraded to the latest version at the time, Struts 2.3.15.2.
          Changes to the project:
              Jar files added:
                  struts2-core-2.3.15.2.jar
                  struts2-spring-plugin-2.3.15.2.jar
                  struts2-json-plugin-2.3.15.2.jar
                  xwork-core-2.3.15.2.jar
                  ognl-3.0.6.jar
                  javassist-3.11.0.GA.jar
                  commons-lang3-3.1.jar
              Configuration files changed:
                  web.xml
                  struts.xml
              Java files changed:
                  ExceptionLogger.java

          Jar files to delete from the project:
              struts-core-2.0.11.jar
              struts-spring-plugin-2.0.11.jar
              xwork-2.0.4.jar
              jsonplugin-0[1].32.jar

          Problems encountered during the upgrade and how they were solved:
          1. Cannot reduce the visibility of the inherited method from ExceptionMappingInterceptor
           【The ExceptionLogger class extends ExceptionMappingInterceptor and overrides findResultFromExceptions(List exceptionMappings, Throwable t). The parent method is declared protected, so the override in the subclass must be changed from private to protected or public.】
          2. java.lang.NullPointerException
              edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:409)
              com.ccms.base.filter.EncodingFilter.doFilter(EncodingFilter.java:53)
           【In web.xml, put the Struts2 prepare filter before the CAS filter and the Struts execute filter after the CAS filter, as in the configuration below.
              With this configuration, after restarting the server and visiting a bcec URL again, for example http://localhost:8080/bcec/zoneAction!initZone.action?function=zone, the problem of not being redirected automatically to CAS for login no longer occurs.
              The cause is that the CasFilter.java filter obtains the ActionContext object, but if this filter runs first, Struts has not been initialized yet, so the ActionContext object is null.】

              <filter>
                  <filter-name>struts-prepare</filter-name>
                  <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter</filter-class>
              </filter>
               <filter-mapping>
                  <filter-name>struts-prepare</filter-name>
                  <url-pattern>/*</url-pattern>
              </filter-mapping>

              <filter>
                <filter-name>CASFilter</filter-name>
                <filter-class>
                  edu.yale.its.tp.cas.client.filter.CASFilter
                </filter-class>
                 
              </filter>
               <filter-mapping>
                <filter-name>CASFilter</filter-name>
                <url-pattern>/*</url-pattern>
              </filter-mapping>
              
              <filter>
                  <filter-name>struts-execute</filter-name>
                  <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter</filter-class>
              </filter>
              <filter-mapping>
                  <filter-name>struts-execute</filter-name>
                  <url-pattern>/*</url-pattern>
              </filter-mapping>
             
          3. Caused by java.lang.ClassNotFoundException javassist.ClassPool
            【Add javassist-3.11.0.GA.jar】
          4. java.lang.NoSuchMethodError: ognl.SimpleNode.isEvalChain(Lognl/OgnlContext;)
            【The OGNL jar is incompatible. Delete the old ognl-2.6.11.jar and add ognl-3.0.6.jar】
          5. HTTP Status 404 - There is no Action mapped for namespace [/] and action name [loginAction!login] associated with context path [/bcec].
            【<constant name="struts.enable.DynamicMethodInvocation" value="true"/> Adding this setting enables dynamic method invocation (URLs of the form XXAction!xxx.action). In Struts 2.3.15.2 the default is false (dynamic method invocation is not supported), whereas in Struts 2.0.11 the default is true (dynamic method invocation is supported).】
             This one took rather more time; I traced through the source code to find it.
          6. java.lang.ClassNotFoundException: com.opensymphony.xwork2.util.TextUtils
            【Add struts2-json-plugin-2.3.15.2.jar and delete the jsonplugin-0.3x.jar file】
          7. Caused by: No object in the CompoundRoot has a publicly accessible property named 'datetime' (no setter could be found). - [unknown location]
            【<constant name="struts.devMode" value="false" /> Change value to false, or remove this setting.】
          8. [2013-10-15 18:11:48] [WARN ] Error setting expression 'struts.token.name' with value '[Ljava.lang.String;@14057e5' - at com.opensymphony.xwork2.util.logging.commons.CommonsLogger.warn(CommonsLogger.java:64) 
          ognl.OgnlException: source is null for getProperty(null, "token")
          【Change the configuration of the params interceptor in struts.xml as follows:
          <interceptor-ref name="params">
              <param name="excludeParams">
                  dojo\..*,.*\\u0023.*,struts.token,struts.token.name
              </param>
          </interceptor-ref>
          】
          9. [2013-10-16 10:38:19] [WARN ] Could not find token name in params. - at com.opensymphony.xwork2.util.logging.commons.CommonsLogger.warn(CommonsLogger.java:56) 
          【In struts.xml, add to the token interceptor the configuration for the methods that must be protected against duplicate submission:
          <interceptor-ref name="token">
              <param name="includeParams">
                  allocate,create
              </param>
          </interceptor-ref>
          】

          10. When a REST interface sends request parameters named like hostId.1, hostId.2, ...,
          the backend runs into OGNL parse errors. They are logged at WARN level as shown below, and are dizzying to look at ~~.
          \--------------------------------------/
          [2013-10-25 10:32:47] [WARN ] Error setting expression 'instanceId.6' with value '[Ljava.lang.String;@7a151289' - at com.opensymphony.xwork2.util.logging.commons.CommonsLogger.warn(CommonsLogger.java:64) 
          ognl.ExpressionSyntaxException: Malformed OGNL expression: instanceId.6 [ognl.ParseException: Encountered " <FLT_LITERAL> ".6 "" at line 1, column 11.
          Was expecting one of:
              <EOF> 
              "," ...
              "=" ...
              "?" ...
              "||" ...
              "or" ...
              "&&" ...
              "and" ...
              "|" ...
              "bor" ...
              "^" ...
              "xor" ...
              "&" ...
              "band" ...
              "==" ...
              "eq" ...
              "!=" ...
              "neq" ...
              "<" ...
              "lt" ...
              ">" ...
              "gt" ...
              "<=" ...
              "lte" ...
              ">=" ...
              "gte" ...
              "in" ...
              "not" ...
              "<<" ...
              "shl" ...
              ">>" ...
              "shr" ...
              ">>>" ...
              "ushr" ...
              "+" ...
              "-" ...
              "*" ...
              "/" ...
              "%" ...
              "instanceof" ...
              "." ...
              "(" ...
              "[" ...
              <DYNAMIC_SUBSCRIPT> ...
              "(" ...
              ]
          at ognl.Ognl.parseExpression(Ognl.java:112)
          at com.opensymphony.xwork2.ognl.OgnlUtil.compile(OgnlUtil.java:268)
          at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:230)
          at com.opensymphony.xwork2.ognl.OgnlValueStack.trySetValue(OgnlValueStack.java:183)
          at com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:170)
          at com.opensymphony.xwork2.ognl.OgnlValueStack.setParameter(OgnlValueStack.java:148)
          at com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:318)
          at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:231)
          at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:239)
          at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:191)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:73)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:91)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:252)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:100)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:141)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:145)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171)
          at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:161)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:193)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:189)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at com.ccms.systemlog.action.InterfaceInterceptor.intercept(InterfaceInterceptor.java:81)
          at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
          at org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:54)
          at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:563)
          at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:77)
          at org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter(StrutsExecuteFilter.java:93)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:351)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareFilter.doFilter(StrutsPrepareFilter.java:91)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.ccms.base.filter.EncodingFilter.doFilter(EncodingFilter.java:53)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
          at java.lang.Thread.run(Thread.java:679)
          \--------------------------------------/
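          Solution:
          【In the interceptor configuration in struts.xml, override the Struts2 default interceptor stack and filter out the affected request parameters in the params interceptor (written as regular expressions), so that they are never parsed as OGNL expressions.】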
          <interceptor-stack name="fixDefaultStack">
                          <interceptor-ref name="exception"/>
                          <interceptor-ref name="alias"/>
                          <interceptor-ref name="servletConfig"/>
                          <interceptor-ref name="i18n"/>
                          <interceptor-ref name="prepare"/>
                          <interceptor-ref name="chain"/>
                          <interceptor-ref name="scopedModelDriven"/>
                          <interceptor-ref name="modelDriven"/>
                          <interceptor-ref name="fileUpload"/>
                          <interceptor-ref name="checkbox"/>
                          <interceptor-ref name="multiselect"/>
                          <interceptor-ref name="staticParams"/>
                          <interceptor-ref name="actionMappingParams"/>
                          <interceptor-ref name="params">
                              <!-- Used by the REST interface: fixes the OGNL parse exception raised by request parameters such as hostId.1 -->
                              <param name="excludeParams">
                               dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*,
                               ^zoneId\..*, ^clusterId\..*, ^hostId\..*, ^instanceId\..*,
                              </param>
                          </interceptor-ref>
                          <interceptor-ref name="conversionError"/>
                          <interceptor-ref name="validation">
                              <param name="excludeMethods">input,back,cancel,browse</param>
                          </interceptor-ref>
                          <interceptor-ref name="workflow">
                              <param name="excludeMethods">input,back,cancel,browse</param>
                          </interceptor-ref>
                          <interceptor-ref name="debugging"/>
                  </interceptor-stack>
          Then reference the interceptor stack above from the Action configured in struts-query.xml:
          <package name="query" namespace="/query" extends="default">
          <action name="instancesAction" class="instancesAction">
          <interceptor-ref name="li"/>
                  <interceptor-ref name="fixDefaultStack"></interceptor-ref>
          </action>
          ... ...
          </package>
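
To see which request parameter names the excludeParams list in fixDefaultStack keeps away from OGNL, the check can be reproduced with plain java.util.regex. This is an added example, not code from the original post or from Struts: the class name ExcludeParamsCheck and the sample parameter names are constructed, and it assumes the interceptor splits the list on commas, trims each entry, drops empty ones, and requires a pattern to match the whole parameter name.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class ExcludeParamsCheck {

    // The excludeParams text from fixDefaultStack, copied with its line
    // break, stray spaces and trailing comma.
    static final String EXCLUDE_PARAMS =
        "dojo\\..*,^struts\\..*,^session\\..*,^request\\..*,^application\\..*,"
        + "^servlet(Request|Response)\\..*,parameters\\...*,\n"
        + " ^zoneId\\..*, ^clusterId\\..*, ^hostId\\..*, ^instanceId\\..*,";

    // Assumption: entries are comma separated, trimmed, and empty entries
    // (such as the one after the trailing comma) are ignored.
    static List<Pattern> compile(String commaSeparated) {
        List<Pattern> patterns = new ArrayList<>();
        for (String entry : commaSeparated.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                patterns.add(Pattern.compile(trimmed));
            }
        }
        return patterns;
    }

    // Returns the first pattern that matches the whole parameter name,
    // or null when the name would be handed on to OGNL.
    static String excludedBy(List<Pattern> patterns, String paramName) {
        for (Pattern p : patterns) {
            if (p.matcher(paramName).matches()) {
                return p.pattern();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        List<Pattern> patterns = compile(EXCLUDE_PARAMS);
        // Constructed parameter names: the REST-style ones from item 10,
        // near misses, and names that must keep binding normally.
        String[] names = {
            "instanceId.6", "hostId.1", "instanceId", "hostIdList.1",
            "struts.token.name", "session.user", "zone.name", "page"
        };
        for (String name : names) {
            String by = excludedBy(patterns, name);
            System.out.printf("%-18s %s%n", name,
                by == null ? "passed to OGNL" : "excluded by " + by);
        }
    }
}
```

A name such as hostIdList.1 is not covered by ^hostId\..* and would still reach the OGNL parser, so each new dotted-numeric parameter family needs its own entry. Excluded parameters are never bound to the action, so an action that needs them has to read them from the HttpServletRequest itself.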
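          posted on 2013-10-14 09:50 David1228 Views(21761) Comments(6) Categories: Struts, J2EE

          FeedBack:
          # re: Struts2 vulnerable-version upgrade process
          2013-10-14 10:21 | 零柒鎖業
          Supporting the blogger.

          # re: Struts2 vulnerable-version upgrade process
          2013-10-22 18:21 | yotta
          come on!@零柒鎖業

          # re: Struts2 vulnerable-version upgrade process
          2013-10-22 18:21 | sohu88
          Nice, nice~ ha

          # re: Struts2 vulnerable-version upgrade process
          2014-02-28 10:14 | zl007_ml
          This really helped me a great deal.
          5. HTTP Status 404: I chased this problem for a long time. Thank you very much.

          # re: Struts2 vulnerable-version upgrade process
          2014-07-18 10:23 | JeffenCheung
          Has the author seen this problem:
          When the scheduled job is started manually through a page button action, the contents of the resource file can be read and the task runs normally. But when the job is scheduled through the Spring proxy, the properties resource file cannot be read. The problem occurs with struts2.3; the struts2.0 version has no such problem.
          Locale com.opensymphony.xwork2.ActionSupport.getLocale() = null

          # re: Struts2 vulnerable-version upgrade process
          2016-04-07 15:04 | 清澈希望
          Really well written. I ran into the 404 one too. I would like to know where the author set the breakpoint when even the login page would not open, how the root cause of the problem was analysed and found, and how the code was traced.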
