(tick) These are the notes for the Struts 2.3.29 distribution.

(tick) For prior notes in this release series, see Version Notes

  • If you are a Maven user, you might want to get started using the Maven Archetype.
  • Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development.
  • There is huge number of examples you can also use as a starting point for you application here
Maven Dependency

You can also use Struts Archetype Catalog like below

Struts Archetype Catalog
mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/
Staging Repository
    <name>ASF Nexus Staging</name>

Internal Changes

  • (warning) Action name clean up is error prone S2-035
  • (warning) Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029) S2-036
  • (warning) Remote Code Execution can be performed when using REST Plugin S2-037
  • (warning) It is possible to bypass token validation and perform a CSRF attack S2-038
  • (warning) Getter as action method leads to security bypass S2-039
  • (warning) Input validation bypass using existing default action method S2-040
  • (warning) Possible DoS attack when using URLValidator S2-041
  • [WW-4608] - Json result type breaks
  • [WW-4618] - MessageStorePreResultListener doesn't store messages for 3rd-party RedirectResult subclasses
  • [WW-4622] - [struts2-tiles-plugin] [2.3.28] [StrutsWildcardServletTilesApplicationContext] getRealPath
  • [WW-4623] - Multiple tiles.xml in web.xml
  • [WW-4624] - New Tiles version can not find tiles*.xml files in sub-directories
  • [WW-4626] - EmailValidator flags .cat emails as invalid
  • [WW-4627] - Struts2 JSON Plugin: messages in fieldsErrors are serialized twice since jdk1.7_80
  • [WW-4629] - Tile definition Inheritance/overriding is broken in Struts2 tiles plugin 2.3.28+
  • [WW-4630] - <s:submit> generates a value attribute for type=image which violates W3C
  • [WW-4633] - ClassCastException while generating report using Struts 2.3.28 and jasperreports 4.5.1


This release contains fixe related to S2-035S2-036, S2-037, S2-038, S2-039, S2-040 and S2-041 security bulletins, please read it carefully!

Issue Detail

Issue List

Other resources

  • No labels