Version Notes 2.3.1.1

These are the notes for the Struts 2.3.1.1 distribution.

For prior notes in this release series, see Version Notes 2.3.1

• If you are a Maven user, you might want to get started using the Maven Archetype.
• Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development.

<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.3.1.1</version>
</dependency>

You can also use Struts Archetype Catalog like below

mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/2.3.1.1/

<repositories>
  <repository>
    <id>apache.nexus</id>
    <name>ASF Nexus Staging</name>
    <url>https://repository.apache.org/content/groups/staging/</url>
  </repository>
</repositories>

Internal Changes

• Strict DMI mode was improved and now it should work correctly, you can find more details here
• Default acceptedParamNames were updated to more restrictive values to solve security vulnerabilities in ParameterInterceptor - support for param names with withe spaces was dropped! Also a new configuration was added to CookieInterceptor call acceptCookieNames to prevent remote code execution with cookies. There is a security weaknesses in DebuggingInterceptor as a wanted feature in Development Mode, which anyway should not be used it in a production environment!

Issue Detail

• JIRA Release Notes 2.3.1.1

Issue List

• Struts 2.3.1.1 DONE
• Struts 2.3.x TODO

Other resources

• Commit Logs (Struts 1 and Struts 2)
• Source Code Repository (includes change browsing)