These are the notes for the Struts 2.5.30 distribution.
For prior notes in this release series, see Version Notes 2.5.29.
- If you are a Maven user, you might want to get started using the Maven Archetype.
Maven Dependency
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>2.5.30</version>
</dependency>
You can also use the Struts Archetype Catalog, as shown below:
Struts Archetype Catalog
mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/
Staging Repository
<repositories>
    <repository>
        <id>apache.nexus</id>
        <name>ASF Nexus Staging</name>
        <url>https://repository.apache.org/content/groups/staging/</url>
    </repository>
</repositories>
Internal Changes
Yasser's PR has been merged; it contains a fix for the double evaluation security vulnerability. It should solve any future attack vectors, yet it can impact your application if you have been depending on double evaluation.
How to test
- Run all your app tests; you shouldn't see any WARN log like the one below:
  Expression [so-and-so] isn't allowed by pattern [so-and-so]! See Accepted / Excluded patterns at https://struts.apache.org/security/
- See if the following components are still functioning correctly with regard to JavaScript:
  - forms with client side validations
  - doubleselect
  - combobox
- Check also StreamResults, AliasInterceptors and JasperReportResults if they are still working as expected.
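One way to automate the first check is to scan the test-run logs for the warning quoted above and list each rejected expression with the pattern it was checked against. This is an added example, not part of the Struts distribution; the log line layout (timestamp, level, logger) and the sample lines are constructed, and only the warning text itself comes from these notes.

```python
import re
import sys
from collections import Counter

# Fixed text of the warning as quoted in these notes; the bracketed parts vary.
# Expressions and patterns may themselves contain "[" and "]", so the match is
# anchored on the literal text between and after the two bracketed fields.
WARN_RE = re.compile(
    r"Expression \[(?P<expr>.*)\] isn't allowed by pattern \[(?P<pattern>.*?)\]! "
    r"See Accepted / Excluded patterns"
)

# Constructed sample log lines (layout is an assumption, not Struts output).
SAMPLE_LOG = [
    "2022-01-01 12:00:00 INFO  app - Starting test run",
    "2022-01-01 12:00:01 WARN  app - Expression [%{rows[0].label}] isn't allowed by "
    "pattern [[a-zA-Z0-9_.]+]! See Accepted / Excluded patterns at https://struts.apache.org/security/",
    "2022-01-01 12:00:02 WARN  app - Expression [%{rows[0].label}] isn't allowed by "
    "pattern [[a-zA-Z0-9_.]+]! See Accepted / Excluded patterns at https://struts.apache.org/security/",
    "2022-01-01 12:00:03 WARN  app - Expression [title[en]] isn't allowed by "
    "pattern [\\w+]! See Accepted / Excluded patterns at https://struts.apache.org/security/",
    "2022-01-01 12:00:04 WARN  app - Session timeout is short",
]


def find_rejected_expressions(lines):
    """Count each (expression, pattern) pair reported by the warning."""
    hits = Counter()
    for line in lines:
        match = WARN_RE.search(line)
        if match:
            hits[(match.group("expr"), match.group("pattern"))] += 1
    return hits


def main(paths):
    """Scan the given log files (or the sample); return 1 if any warning is found."""
    hits = Counter()
    if paths:
        for path in paths:
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits += find_rejected_expressions(handle)
    else:
        hits = find_rejected_expressions(SAMPLE_LOG)
    for (expr, pattern), count in hits.most_common():
        print(f"{count:4d}x  expression={expr!r}  pattern={pattern!r}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the log files from your test run as arguments; a non-zero exit status means at least one expression was rejected, so it can gate a CI job.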
Dependency
- [WW-5170] - Upgrade Jackson-Core to version 2.10.5 and Jackson-Databind to 2.10.5.1
- [WW-5172] - Upgrade freemarker to 2.3.31