It appears to me that there is a bug in NioFileLocker.unlock() method (spring integration v4.1.4.RELEASE). Method clears up classloader level cache by calling FileChannelCache.closeChannelFor(fileToUnlock);, but it never tries to clean up its local lockCache.
Is this a bug, or I'm missing something? Tnx.
I've not looked at that code before, but it looks suspicious to me; please open a JIRA Issue.
Please also consider contributing a fix.
Related
I upgraded struts2 to 2.3.32 with no problem, but I also depend on struts2-tiles-plugin-2.3.15.3.jar which I can't upgrade as easily. Is this a problem or is upgrading struts2-core enough to fix the issue?
No I think. At S2-046's workaround section I read:
Another option is to remove the File Upload Interceptor from the stack
Which means that vulnerability was inside core. However, struts2-tiles-plugin does not have dependency to core!
I added System.ValueTuple to a MVC application and after a rebuild results in the TOO MANY REDIRECTs error. I am testing IdentityServer4 and need to install IdentityModel which needs this package. Any thoughts on how do debug why this package is causing this issue?
Figured it out!
Apparently, VS2017 didn't hook up the site correctly in IIS to debug so I was unable to see the errors initially. Once I figured that piece out I was able to see that yes, I was in an infinite loop of exceptions. Exception bubbled up to the exception page which through an exception and bingo in a loop.
The original exception stated the site couldn't find System.Runtime. Added that from nugget after that fact corrected the issue. It looks like you have to add this package at the very end as well. Not before.
I hope this helps someone else!
How to reproduce the security issue CVE-2014-0094. I googled but couldn't able to find any reference to the same.
Got it working.
I have to enable logging (for ognl package) to see the error.
Pass in parameter like class.classLoader.resource.dircontext.docBase=someText to the struts2 application.
localhost:8080/sampleApp/showlogin.do?class.classLoader.resource.diretext.docBase=someText
Then in the log I would see something like this.
java.lang.IllegalArgumentException: Document base base does not exist or is not a readable directory
at org.apache.naming.resources.FileDirContext.setDocBase(FileDirContext.java:136)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
After applying the workaround then I don't see above error in the log.
Reference:
http://www.brentron.com/safe/web/9248.html
http://isayan.cocolog-nifty.com/diary/2014/04/s2-020.html
To get a better help, I suggest you to follow the guidelines in the official Struts2 Security Bulletins.
The bug you are refering to has been reported in S2-020, and has both a workaround without upgrading, and a patch in Struts 2.3.16.1.
WARNING: the above patch is not enough, as reported in S2-021, so there are both a new workaround (for users that can't immediately upgrade) and a definitive patch in Struts 2.3.16.2.
To reproduce the issue just send
http://host/struts2-blank/example/X.action?class.classLoader
The issue is documented under S2-020.
Started receiving the "Object reference not set to instance of an object" error when trying to view the properties dialog for a solution in VS2012 after upgrading from NServiceBus v3 to v4.
The problem looks like it's the same as raised in this post, so sorry for any duplication. This post was raised nearly a year ago and I'm hoping some others in the NServiceBus community may have found a solution.
Pretty sure the offender is the T4Scaffolding.Core library (as suggested by kevin_fitz in the above post) that NServiceBus 4 depends on. If I uninstall NServiceBus, the issue goes away - but that then presents a number of other problems :) NuGet won't let me uninstall the T4Scaffolding.Core as NServiceBus depends on it.
Any help greatly appreciated! Thanks in advance.
This Answer works, if you cannot disable any extensions then make sure there all up-todate. I found that if you uninstall ANY extension in my case BOEditor the issue will resolve. You can install them back after the uninstall.
Hope this helps.
This happens when I try to deploy a Sharepoint WebPart solution. Is there a file or configuration option that I have missed that is causing this error to occur?
Thanks.
I assume that you're using VSeWSS 1.3 to deploy you solution and that these error occur when you try to deploy the solution. I'm not 100% sure but I think I had the same error some time ago. Unfortunately I could remember what I exactly did to solve this problem. But I'm quite sure the problem was related to some network issues as VSeWSS 1.3 uses web services to handle solutions.
So I would advise you to double check you network settings. For example you could try to adjust your hosts file so that your computer's name could be resolved.