These are the notes for the Struts version 6.56.0 distribution.

For prior notes in this release series, see Version Notes 6.4.0.

Maven users

If you are a Maven user, you might want to get started using the Maven Archetype.

Maven Dependency
<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>6.56.0</version>
</dependency>

...

Struts Archetype Catalog
mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/

Internal changes

Security has been improved by updating the OGNL member access criteria (see WW-5417) and by extending SecurityMemberAccess proxy detection to Hibernate proxies (see WW-5407).

We have also notably restricted the ability to access Enums statically from OGNL expressions (WW-5418) because of its potential to escalate vulnerabilities. If you rely on this behaviour, please access Enums using instance methods instead. You may choose to expose them via a method defined on your Action class.
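One way to apply the migration advice above, shown as an added example rather than code from the Struts project. The package, class, enum and method names are hypothetical, the JSP fragment in the trailing comment is constructed, and struts2-core is assumed to be on the classpath.

```java
// Added example, not Struts project code. All names here are hypothetical.
package example;

import com.opensymphony.xwork2.ActionSupport;

public class OrderAction extends ActionSupport {

    public enum OrderStatus {
        NEW("New", false), SHIPPED("Shipped", false), CANCELLED("Cancelled", true);

        private final String label;
        private final boolean terminal;

        OrderStatus(String label, boolean terminal) {
            this.label = label;
            this.terminal = terminal;
        }

        // Instance getters: read from OGNL as properties of an enum value,
        // so no static reference to the enum class is needed in the view.
        public String getCode() { return name(); }
        public String getLabel() { return label; }
        public boolean isTerminal() { return terminal; }
    }

    private OrderStatus status = OrderStatus.NEW;

    // Replaces a static reference of the form @fully.qualified.EnumClass@values().
    public OrderStatus[] getStatuses() { return OrderStatus.values(); }

    // Replaces a static reference to one constant (@fully.qualified.EnumClass@SHIPPED).
    public OrderStatus getShippedStatus() { return OrderStatus.SHIPPED; }

    public OrderStatus getStatus() { return status; }

    @Override
    public String execute() { return SUCCESS; }
}

/* Constructed JSP fragment for the result page (taglib prefix "s").
 * Every expression resolves through the Action instance on the value stack:
 *
 *   <s:select name="status" list="statuses" listKey="code" listValue="label"/>
 *   <s:if test="status == shippedStatus">Shipped</s:if>
 *   <s:if test="status.terminal">No further changes allowed</s:if>
 */
```

Keeping the enum behind Action getters means the view only ever names properties, so the set of types an expression can reach is decided in Java code rather than in the template.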

Bug

  • [WW-5060] - Struts 2 Rest Plugin Conversion Issue
  • [WW-5310] - s:url does not handle equal sign correctly
  • [WW-5406] - Action excluded patterns are not updated following a configuration reload
  • [WW-5414] - AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
  • [WW-5415] - Struts2 Validator is failing in OGNL with constructor call
  • [WW-5417] - Update OGNL member access criteria
  • [WW-5418] - Forbid

...

  • static access of Enums from OGNL expressions
  • [WW-5418] - Forbid use of Apache Jasper classes in OGNL expressions
  • [WW-5419] - Autoloading of tiles.xml fails in Struts-6.4.0
  • [WW-5422] - I18nInterceptor and invalid locale
  • [WW-5424] - ClassCastException with tag "set" when variable name has length=1
  • [WW-5436] - Select tag NOT working when using list of org.apache.commons.beanutils.LazyDynaBean
  • [WW-5437] - EnvsValueSubstitutor ignores Environment variables if default value is present

Improvement

  • [WW-5250] - Address TODO in DefaultActionValidatorManagerTest
  • [WW-5400] - CSP interceptor only allows very limited configuration
  • [WW-5407] - Extend SecurityMemberAccess proxy detection to Hibernate proxies
  • [WW-5408] - Add option to NOT fallback to empty namespace when unresolved
  • [WW-5409] - Introduce final attribute to package elements which makes them unextendable
  • [WW-5412] - Upgrade to Apache Struts Master 15
  • [WW-5428] - Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set
  • [WW-5429] - Log parameter annotation issues at ERROR level when in DevMode
  • [WW-5431] - Mark as deprecated unused constants in FreemarkerManager
  • [WW-5432] - Replace ClassTemplateLoader with WebappClassTemplateLoader
  • [WW-5439] - Fix and clean up DevMode excluded class configuration
  • [WW-5442] - Enforce allowlist for OgnlReflectionProvider

Dependency

  • [WW-5420] - Upgrade commons-text to ver. 1.12.0
  • [WW-5421] - Upgrade ASM to version 9.7
  • [WW-5425] - Bump jackson.version from 2.16.1 to 2.17.1
  • [WW-5426] - Upgrade Apache FreeMarker to version 2.3.33
  • [WW-5434] - Bump commons-validator:commons-validator from 1.8.0 to 1.9.0
  • [WW-5435] - Bump org.apache.felix:org.apache.felix.main from 6.0.3 to 7.0.5
  • [WW-5441] - Bump net.sf.jasperreports:jasperreports from 6.21.0 to 6.21.3
  • [WW-5443] - Bump Spring dependencies from 5.3.31 to 5.3.37

Issue Detail

Issue List

Other resources

...