
I am using HDIV to protect my web application from CSRF attacks. My application was long developed in Struts-1.3.10. The hyperlinks and normal pages work well, except the multipart file upload pages. I get a multipartconfig not present exception when I submit a page having a multipart file upload. I tried many ways to configure it but nothing worked. There seem to be no good documents on their website. Their example too is full of bugs and their multipart example throws the same exception! How to configure a multipart page with HDIV?

Is owasp-csrfguard easier than using HDIV? Share your experiences.

vvra

1 Answer

There is an issue in HDIV (since version 2.1.4, previous versions are ok) related to file uploading in Struts 1 applications. Track it on GitHub: https://github.com/hdiv/hdiv/issues/59

We are working on it and any further comments in issue page are welcome.


Issue fixed in HDIV 2.1.8-SNAPSHOT commit

gillarramendi
  • I saw it. Can't I use AbstractMultipartConfig and StrutsMultipartConfig and configure it in the applicationContext.xml? As we are in critical time in releasing our web application, it would be immensely helpful if you can give any other way around to fix this. – vvra Sep 05 '14 at 11:06
  • We just uploaded some changes that correct the issue, you can view the changes [here](https://github.com/hdiv/hdiv/commit/7556096d3f1c2645f4b832caf4d57b6cf1ca7f94) and review the config added to hdiv-config.xml [here](https://github.com/hdiv/hdiv-struts-examples/commit/0787d67349569f450709ed0e24a9c74699f622d5) – gillarramendi Sep 05 '14 at 12:56
  • Thanks I now face a small issue. Though the req comes to struts action, the form file param is null in the form. Am I missing any configuration? hdiv-config.xml ..... 250M 250K c:/tmp – vvra Sep 05 '14 at 14:39
  • Any idea why I get this exception? javax.servlet.ServletException: java.lang.ClassCastException: org.apache.struts.upload.MultipartRequestWrapper cannot be cast to org.hdiv.filter.RequestWrapper Caused by: java.lang.ClassCastException: org.apache.struts.upload.MultipartRequestWrapper cannot be cast to org.hdiv.filter.RequestWrapper at org.hdiv.upload.HDIVMultipartRequestHandler.handleRequest(HDIVMultipartRequestHandler.java:83) – vvra Sep 05 '14 at 16:17
  • Have you updated all files from [this commit](https://github.com/hdiv/hdiv/commit/7556096d3f1c2645f4b832caf4d57b6cf1ca7f94)? Even HDIVMultipartRequestHandler file? – gillarramendi Sep 05 '14 at 16:18
  • Yes, I cloned your code and built it on our end. I checked our source against your patch code, it is the same! – vvra Sep 05 '14 at 16:29
  • The point I found debugging your code is, my action class receives the request, processes the file uploaded and instead of forwarding (mapping.findForward()) to a jsp we forward to another action which is the confirmation shown to the user. In such case, the HDIVMultipartRequestHandler is called again but the request is MultipartRequestWrapper and wrapper.getRequest() is org.apache.struts.upload.MultipartRequestWrapper. I could not understand why this happens. Any idea/help? Thanks – vvra Sep 05 '14 at 16:48
  • Hi, things are working good for pages with multipart, but for AJAX requests from pages, nothing happens. How to configure HDIV for AJAX initiated using jQuery? Any example should suffice. I'm using Struts 1.3. – vvra Sep 06 '14 at 12:32
  • Good news! I added some extra protection to ClassCastException in request chaining: [commit](https://github.com/hdiv/hdiv/commit/1ab7994a68b751bd37ee6017d706461707c8d337) Could be useful for action chaining cases. – gillarramendi Sep 08 '14 at 08:20
  • Thank you so much! Will build and try it. – vvra Sep 08 '14 at 12:41
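
An added example, not code from HDIV, Struts or either poster: one defensive way to handle the `ClassCastException` reported in the comments above is to search the request's wrapper chain for the wanted wrapper type instead of casting the outermost request. `FilterWrapper` and `MultipartWrapper` are hypothetical stand-ins for the two wrapper classes in the stack trace, the base request is a constructed proxy, and the `javax.servlet` API with Java 8 or later is assumed on the classpath.

```java
import java.lang.reflect.Proxy;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class WrapperChainDemo {
    // Hypothetical stand-ins for the security filter's wrapper and the multipart wrapper.
    static class FilterWrapper extends HttpServletRequestWrapper {
        FilterWrapper(HttpServletRequest r) { super(r); }
    }
    static class MultipartWrapper extends HttpServletRequestWrapper {
        MultipartWrapper(HttpServletRequest r) { super(r); }
    }

    // Walk the wrapper chain and return the first wrapper of the wanted type,
    // or null when none is present (the caller must handle that case).
    static <T> T findWrapper(ServletRequest request, Class<T> type) {
        ServletRequest current = request;
        while (current != null) {
            if (type.isInstance(current)) {
                return type.cast(current);
            }
            if (!(current instanceof ServletRequestWrapper)) {
                return null; // reached the container's own request object
            }
            current = ((ServletRequestWrapper) current).getRequest();
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed base request: a dynamic proxy on which no method is ever called.
        HttpServletRequest base = (HttpServletRequest) Proxy.newProxyInstance(
                WrapperChainDemo.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class },
                (proxy, method, margs) -> null);
        HttpServletRequest first = new FilterWrapper(base);
        HttpServletRequest chained = new MultipartWrapper(first); // as after action chaining

        try {
            FilterWrapper direct = (FilterWrapper) chained; // cast of the outermost request
            System.out.println("direct cast worked: " + direct);
        } catch (ClassCastException e) {
            System.out.println("direct cast failed: " + e.getMessage());
        }
        System.out.println("found in chain: " + (findWrapper(chained, FilterWrapper.class) == first));
        System.out.println("absent wrapper: " + findWrapper(new MultipartWrapper(base), FilterWrapper.class));
    }
}
```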