Upgrading Struts version in XWIKI

Hello All,

We have upgraded XWIKI to 11.3, but Struts is still on version 1.3, and we came to know that Struts 1.3 has critical vulnerabilities. Hence I would like to upgrade to the latest Struts version.

Can anyone help me here on how to upgrade Struts within XWIKI, and what is the maximum Struts version XWiki can support?

Thanks in advance,
Vinay

You can’t without changing the code. We’re using the latest available struts 1.x version, see https://struts.apache.org/download.cgi

We want to get rid of Struts but nobody has worked on this yet. The clean way of doing it would take about 30 days.

I did some quick analysis in the past of the work needed:

The work was started and made in a new module called “Resource API” (in a Maven xwiki-platform-resource module). Documentation for this Resource API is at https://extensions.xwiki.org/xwiki/bin/view/Extension/Resource%20API

The full refactoring would use this new API and remove the code depending on Struts by rewriting the code as XWiki Components (technically the big part of the work means converting Struts-based XWiki Actions into ResourceHandler Components).

FYI, right now XWiki already supports both Struts-based Actions and also ResourceHandler implementations as shown in the following architecture diagram:
https://www.xwiki.org/xwiki/bin/view/Documentation/DevGuide/Architecture/URL%20Architecture/

Specifically this means doing the following work:

  • Convert the 7 Struts Form beans - 1d
  • Handle ability to forward to login.vm, deniedaccess.vm & userinactive.vm - 2d
  • Convert the 52 Struts actions to Entity ResourceReferenceHandler - 20d
  • Convert XWikiRequestProcessor - 1d
  • Refactor XWikiAction accordingly - 1d
  • Add missing features from the xwiki-platform-resource module - 2d
  • Testing (including adding unit tests) and documentation updates - 3d

Total: 30 days of work.

Of course there’s also the option of working towards an upgrade from Struts 1.x to 2.x, which is probably way less costly and maybe a more reasonable approach. However, in the end we’d like to remove Struts completely, so I guess our preference would be to do… but it takes time. Someone needs to sponsor this (whether it’s a dev who would sponsor it in his own free time, or a company like XWiki SAS sponsoring it, or some company using XWiki and wanting to participate in its development by contracting with XWiki SAS, for example, etc.).

One thing to do is to look in more detail at the Struts vulnerabilities and see whether they affect XWiki or not, and to what degree, since it’s probably possible to secure that from around XWiki (with some nginx/apache config, for example).

Some food for thought…

Hi Vincent,
I know this is an old post, but could you give some instructions on how people might upgrade Struts 1.x to 2.x given the XWiki context? At least it gives people a path if they would like to do that. Right now we have an old component that is using XWiki 7.1.4; how could we upgrade Struts to 2.x? Thanks!

Hi, you just need to upgrade to a recent XWiki version. We got rid of Struts.


Note that Struts has been removed from XWiki in 13.0.

Upgrading Struts in an old XWiki instance is really not a simple thing and requires modifying quite a few internals of XWiki, so the safest option is most probably to upgrade XWiki itself to the current LTS (13.10.x). Note that it also includes quite a few fixes for vulnerabilities far more concerning than Struts 1 (for which nobody ever indicated any exploit that can be used in an XWiki instance, by the way…).
