These are the notes for the Struts version 6.6.0 distribution.
For prior notes in this release series, see Version Notes 6.4.0
Maven users
If you are a Maven user, you might want to get started using the Maven Archetype.
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>6.6.0</version>
</dependency>
You can also use the Struts Archetype Catalog as shown below:
mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/
Internal changes
Improved security by updating the OGNL member access criteria (see WW-5417) and by extending SecurityMemberAccess proxy detection to Hibernate proxies (see WW-5407).
We have also notably restricted the ability to invoke the static Enum method values() from OGNL expressions (WW-5418), because of its potential for escalating vulnerabilities. If you rely on this behaviour, you can re-expose such methods by wrapping them in a method on your Action class instead.
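The wrapping approach described above, as an added illustration that is not code from the Struts project or this page: the enum constants are exposed through an ordinary getter on the Action, so the view reads them from the value stack instead of evaluating a static values() call in OGNL. The package, enum, action and property names are hypothetical; the only Struts type used is com.opensymphony.xwork2.ActionSupport.

```java
package com.example.app; // hypothetical package

import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import com.opensymphony.xwork2.ActionSupport;

/**
 * Hypothetical action that needs to offer enum constants to a select box.
 * Instead of letting the view call the static method
 * @com.example.app.OrderAction$OrderStatus@values() from an OGNL expression
 * (now forbidden by WW-5418), the action exposes the same values through a
 * plain getter. This re-exposes exactly one enum, not static method access
 * in general.
 */
public class OrderAction extends ActionSupport {

    /** Constructed sample enum; any application enum works the same way. */
    public enum OrderStatus { NEW, PAID, SHIPPED, CANCELLED }

    private OrderStatus status;

    /**
     * Available on the value stack as "orderStatuses". The list is
     * unmodifiable so the view cannot alter what the action offers.
     */
    public List<OrderStatus> getOrderStatuses() {
        return Collections.unmodifiableList(Arrays.asList(OrderStatus.values()));
    }

    /** Bound from the submitted form field "status" by the params interceptor. */
    public OrderStatus getStatus() {
        return status;
    }

    public void setStatus(OrderStatus status) {
        this.status = status;
    }

    @Override
    public String execute() {
        return SUCCESS;
    }
}
```

In the corresponding view the select tag then refers to the getter rather than to a static call, for example `<s:select name="status" list="orderStatuses" />` (hypothetical JSP fragment). Keeping the wrapper on the Action means the set of exposed values is reviewable in one place, which is the point of the restriction.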
Bug
- [WW-5060] - Struts 2 Rest Plugin Conversion Issue
- [WW-5310] - s:url does not handle equal sign correctly
- [WW-5406] - Action excluded patterns are not updated following a configuration reload
- [WW-5414] - AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
- [WW-5415] - Struts2 Validator is failing in OGNL with constructor call
- [WW-5417] - Update OGNL member access criteria
- [WW-5418] - Forbid static access of Enums from OGNL expressions
- [WW-5418] - Forbid use of Apache Jasper classes in OGNL expressions
- [WW-5419] - Autoloading of tiles.xml fails in Struts-6.4.0
- [WW-5422] - I18nInterceptor and invalid locale
- [WW-5424] - ClassCastException with tag "set" when variable name has length=1
- [WW-5436] - Select tag NOT working when using list of org.apache.commons.beanutils.LazyDynaBean
- [WW-5437] - EnvsValueSubstitutor ignores Environment variables if default value is present
Improvement
- [WW-5250] - Address TODO in DefaultActionValidatorManagerTest
- [WW-5400] - CSP interceptor only allows very limited configuration
- [WW-5407] - Extend SecurityMemberAccess proxy detection to Hibernate proxies
- [WW-5408] - Add option to NOT fallback to empty namespace when unresolved
- [WW-5409] - Introduce final attribute to package elements which makes them unextendable
- [WW-5412] - Upgrade to Apache Struts Master 15
- [WW-5428] - Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set
- [WW-5429] - Log parameter annotation issues at ERROR level when in DevMode
- [WW-5431] - Mark as deprecated unused constants in FreemarkerManager
- [WW-5432] - Replace ClassTemplateLoader with WebappClassTemplateLoader
- [WW-5439] - Fix and clean up DevMode excluded class configuration
- [WW-5442] - Enforce allowlist for OgnlReflectionProvider
Dependency
- [WW-5420] - Upgrade commons-text to ver. 1.12.0
- [WW-5421] - Upgrade ASM to version 9.7
- [WW-5425] - Bump jackson.version from 2.16.1 to 2.17.1
- [WW-5426] - Upgrade Apache FreeMarker to version 2.3.33
- [WW-5434] - Bump commons-validator:commons-validator from 1.8.0 to 1.9.0
- [WW-5435] - Bump org.apache.felix:org.apache.felix.main from 6.0.3 to 7.0.5
- [WW-5441] - Bump net.sf.jasperreports:jasperreports from 6.21.0 to 6.21.3
- [WW-5443] - Bump Spring dependencies from 5.3.31 to 5.3.37