A remote code execution vulnerability was disclosed in Struts2, and fixing it requires upgrading to 2.5.30.
The program currently uses struts2-core 2.3.32, spring 2.5.6, commons-lang3 3.1, and jdk 1.6.
The project is managed with Maven.
Two, the solution
1. Upgrade the Struts2-core package version, upgrade the jdk version, and upgrade the spring version
2. Upgrade the Struts2-core package version, upgrade the jdk version
3. The solution process
First, upgrade the Struts2-core version in the pom file to 2.5.30 and do a quick compile to see what changes. The compile fails at actionContext.getParameters(). After the version upgrade, the object type has changed from Map to
To avoid affecting the logic of the rest of the program, the map can be obtained from HttpParameters through the new toMap() method, and when filling in parameters, call the new HttpParameters.create().buildNoNestedWrapping() method.
After these changes the program compiles. Starting it with jdk1.6 then reports an error. Searching Baidu and checking the source code shows that jdk version 1.7 or above is required:
java.lang.UnsupportedClassVersionError: org/apache/lucene/store/Directory:Unsupported major.minor version 51.0
After upgrading the jdk to 1.8, the spring version also needs to be upgraded. Otherwise an error is reported, because the current spring version does not recognize this jdk version as supporting annotations:
[org.springframework.context.annotation.ComponentScanBeanDefinitionParser] are only available on JDK 1.5 and higher
Change the spring-related versions in the pom file to 4.3.29.RELEASE and compile. This time the number of errors is overwhelming. For example, spring-jdbc has changed a lot in the new version and many methods have been dropped, and the program has too much dao-level code to modify in a short time, so the risk is too high. Instead, following a blog post, add the org.springframework.core package under the src folder and add a JdkVersion.java file to it so that the annotation support recognizes jdk8. This avoids the risk and trouble of upgrading the spring version.
After adding the jdk8 compatibility configuration, starting the program again reports another error.
The class path of the Struts filter in web.xml has changed and must be modified to remove the ng directory.
After that change, startup fails again. The error is related to the commons.lang3 package. The Maven dependency tree shows an obvious conflict: the commons.lang3 version used by the Struts2-core package is 3.8.1.
com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector File: ContainerImpl.java Method: construct Line: 425 -
com/opensymphony/xwork2/inject/ContainerImpl.java:425:-1
Caused by: java.lang.NoSuchMethodError: org.apache.commons.lang3.text.StrSubstitutor.setValueDelimiter(Ljava/lang/String;)Lorg/apache/commons/lang3/text/StrSubstitutor;
at com.opensymphony.xwork2.config.providers.EnvsValueSubstitutor.<init>(EnvsValueSubstitutor.java:35)
Change the commons.lang3 version in the pom file to 3.8.1, then compile and start again. This time the error is a NoSuchMethodError for ActionContext.getParameters()Ljava/util/Map;. The getParameters() problem was already solved in step 1, and in my own code it would have been reported at compile time, so this call does not come from code I wrote. Following the error message, I found that a referenced jar uses the old version of Struts2 and calls the getParameters() method, which fails at run time. I then modified the corresponding jar package.
After starting again with jdk8 there are no problems, and the program runs normally.
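The hunt for a referenced jar that still calls the old getParameters() signature can be automated by reading each class file's constant pool and looking for a method reference to ActionContext.getParameters()Ljava/util/Map;. This is an added example, not code from the original post; the function names, the jar names and the class demo/LegacyInterceptor.class are assumptions, and the sample jars are constructed in memory.

```python
import io, struct, zipfile

# Struts 2.3 signature; in 2.5.x getParameters() returns HttpParameters instead.
OLD = ("com/opensymphony/xwork2/ActionContext", "getParameters", "()Ljava/util/Map;")
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,  # payload bytes
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}  # per fixed-size constant-pool tag

def method_refs(data):
    """Return {(class, method, descriptor)} for every Methodref in a class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        return set()
    count, pool, pos, i = struct.unpack(">H", data[8:10])[0], {}, 10, 1
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # Utf8: u2 length, then the bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            pool[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        else:
            if tag in (7, 10, 12):  # Class, Methodref, NameAndType: keep their indexes
                fmt = ">" + "H" * (SIZES[tag] // 2)
                pool[i] = (tag,) + struct.unpack(fmt, data[pos:pos + SIZES[tag]])
            pos += SIZES[tag]
            i += tag in (5, 6)  # long and double occupy two pool slots
        i += 1
    refs = [e for e in pool.values() if isinstance(e, tuple) and e[0] == 10]
    return {(pool[pool[c][1]], pool[pool[n][1]], pool[pool[n][2]]) for _, c, n in refs}

def jars_calling_old_api(jars):
    """jars maps jar name -> jar bytes; returns sorted (jar, class) pairs referencing OLD."""
    hits = []
    for name, blob in jars.items():
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for member in zf.namelist():
                if member.endswith(".class") and OLD in method_refs(zf.read(member)):
                    hits.append((name, member))
    return sorted(hits)

def sample_jar(descriptor):
    """Constructed input: one class entry holding only a header and constant pool."""
    utf = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    cp = [utf(OLD[0]), b"\x07\x00\x01", utf(OLD[1]), utf(descriptor),
          b"\x0c\x00\x03\x00\x04", b"\x0a\x00\x02\x00\x05"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/LegacyInterceptor.class",
                    b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, len(cp) + 1) + b"".join(cp))
    return buf.getvalue()
```

To scan real dependencies, read each jar in the project's lib directory into the dictionary passed to jars_calling_old_api(); every hit is a class compiled against the Struts 2.3 API that will fail at run time under 2.5.30.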
Three, to be resolved
The program starts and runs locally, but I haven't tried it online yet. There may still be pitfalls in going from jdk1.6 to 1.8 that need to be resolved. For example, the jvm has changed a lot between these versions, and the related parameter adjustments must be considered.