Upgrading Struts version in XWIKI

Hello All,

We have upgraded XWiki to 11.3, but Struts is still on version 1.3 only, and we came to know that Struts 1.3 has critical vulnerabilities. Hence I would like to upgrade to the latest Struts version.

Can anyone help me here on how to upgrade Struts within XWiki, and what is the maximum Struts version XWiki can support?

Thanks in advance,
Vinay

You can’t without changing the code. We’re using the latest available struts 1.x version, see https://struts.apache.org/download.cgi

We want to get rid of Struts but nobody has worked on this yet. The clean way of doing it would take about 30 days.

I did some quick analysis in the past of the work needed:

The work was started and made in a new module called “Resource API” (in a Maven xwiki-platform-resource module). Documentation for this Resource API is at https://extensions.xwiki.org/xwiki/bin/view/Extension/Resource%20API

The full refactoring would use this new API and remove the code depending on Struts by rewriting the code as XWiki Components (technically the big part of the work means converting Struts-based XWiki Actions into ResourceHandler Components).

FYI, right now XWiki already supports both Struts-based Actions and also ResourceHandler implementations as shown in the following architecture diagram:
https://www.xwiki.org/xwiki/bin/view/Documentation/DevGuide/Architecture/URL%20Architecture/

Specifically this means doing the following work:

  • Convert the 7 Struts Form beans - 1d
  • Handle ability to forward to login.vm, deniedaccess.vm & userinactive.vm - 2d
  • Convert the 52 Struts actions to Entity ResourceReferenceHandler - 20d
  • Convert XWikiRequestProcessor - 1d
  • Refactor XWikiAction accordingly - 1d
  • Add missing features from the xwiki-platform-resource module - 2d
  • Testing (including adding unit tests) and documentation updates - 3d

Total: 30 days of work.

Of course there’s also the option of working towards an upgrade from Struts 1.x to 2.x, which is probably way less costly and maybe a more reasonable approach. However, in the end we’d like to remove Struts completely, so I guess our preference would be to do… but it takes time. Someone needs to sponsor this (whether it’s a dev who would sponsor it in his own free time, or a company like XWiki SAS sponsoring it, or some company using XWiki and wanting to participate in its development by contracting with XWiki SAS, for example, etc.).

One thing to do is to look in more detail at the Struts vulnerabilities and see whether they affect XWiki or not, and to what degree, since it’s probably possible to secure that from around XWiki (with some nginx/apache config, for example).

Some food for thought…

Hi Vincent,
I know it was an old post, but could you give people some instructions on how they might upgrade Struts 1.x to 2.x given the XWiki context? At least it gives people a path if they would like to do that. Right now we have an old component that is using XWiki 7.1.4; how could we upgrade Struts to 2.x? Thanks!

Hi, you just need to upgrade to a recent XWiki version. We got rid of Struts.


Note that Struts has been removed from XWiki in 13.0.

Upgrading Struts in an old XWiki instance is really not a simple thing and requires modifying quite a few internals of XWiki, so the safest is most probably to upgrade XWiki itself to the current LTS (13.10.x). Note that it also includes quite a few fixes for vulnerabilities far more concerning than Struts 1 (for which nobody ever indicated any exploit that can be used in an XWiki instance, by the way…).


Hi Thomas,
Thanks for your feedback. Actually I had to come back to this topic. I tried to follow your steps to upgrade Struts in those commits; did you actually make it work before you completely got rid of Struts? What else needs to be modified for the older version? Thanks! (Search · XWIKI-15586 · GitHub)

@tmortagne Actually I found this as well. Is this version actually working?
https://github.com/xwiki/xwiki-platform/commit/b28418fccbead85d82c14c30f8232aeef2a0681c

As indicated on [XWIKI-15586] Upgrade to Struts 2.5.22 - XWiki.org JIRA, this was never finished.

Yes, this is working, but most of it only makes sense for XWiki 7.4.1 (this was done for an XWiki SAS customer).

Thank you @tmortagne! Can I ask you one more question, in your implementation of “get rid of Struts”, does it work for Servlet 3.0? Thanks!

It should, yes, since the new entry point (LegacyActionServlet) is a good old javax.servlet.http.HttpServlet and that’s about the only Servlet-related change. Most of the work was on the XWiki side (mainly making XWikiAction components registered each with its action name instead of using a mapping in Struts).
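To illustrate the design shift Thomas describes (a plain HttpServlet entry point that looks up handlers by action name instead of going through a Struts mapping), here is an added sketch; it is not XWiki's LegacyActionServlet or any XWiki code, and `ActionHandler`, `ActionDispatchServlet` and `actionNameOf` are hypothetical names chosen for the example.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical handler contract: one component per action name (e.g. "view", "save"). */
interface ActionHandler {
    void handle(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException;
}

/**
 * Hypothetical entry point: a plain javax.servlet HttpServlet standing in for the Struts
 * ActionServlet. Handlers are resolved from the action name in the first path segment, so
 * there is no struts-config.xml to maintain and no Struts class on the request path.
 */
public class ActionDispatchServlet extends HttpServlet {
    private final Map<String, ActionHandler> handlers = new ConcurrentHashMap<>();

    /** Registers a handler under its action name (in XWiki a component manager would do this). */
    public void register(String actionName, ActionHandler handler) {
        handlers.put(actionName, handler);
    }

    /** Extracts the action from /&lt;action&gt;/Space/Page; an empty or missing segment means "view". */
    static String actionNameOf(String pathInfo) {
        if (pathInfo == null || pathInfo.length() <= 1) return "view";
        String[] segments = pathInfo.substring(1).split("/", 2);
        return segments[0].isEmpty() ? "view" : segments[0];
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = actionNameOf(req.getPathInfo());
        // Only explicitly registered action names are reachable; anything else is a 404.
        // There is no fall-through to a default or reflective mapping.
        ActionHandler handler = handlers.get(action);
        if (handler == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND, "Unknown action");
            return;
        }
        handler.handle(req, resp);
    }
}
```

Because the servlet extends `javax.servlet.http.HttpServlet` and uses nothing beyond the core API, it deploys on a Servlet 3.0 container unchanged, which is the point of the answer above.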