...
We have also notably restricted the ability to access Enums statically, that is, to invoke the static Enum method values(), from OGNL expressions (WW-5418) due to its potential in escalating vulnerabilities. If you rely on this behaviour, please access Enums using instance methods instead. You may also re-expose such static methods by wrapping them within a method on your Action class.
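The migration described above, as an added example that is not code from the Struts project. The `com.example` package, `OrderAction`, `OrderStatus` and the JSP snippets in the comments are hypothetical names chosen for illustration.

```java
package com.example; // hypothetical package

import com.opensymphony.xwork2.ActionSupport;

public class OrderAction extends ActionSupport {

    // Hypothetical enum whose constants populate a drop-down in the view.
    public enum OrderStatus { NEW, PAID, SHIPPED }

    private OrderStatus status = OrderStatus.NEW;

    // Before (static access, now restricted by WW-5418), the JSP evaluated
    // the static method directly in OGNL:
    //   <s:select name="status"
    //             list="@com.example.OrderAction$OrderStatus@values()" />
    //
    // After, the JSP reads an ordinary property of the action, so the OGNL
    // expression no longer needs static access:
    //   <s:select name="status" list="orderStatuses" />
    public OrderStatus[] getOrderStatuses() {
        // The static call now happens in compiled Java code on the action,
        // not inside an expression evaluated by OGNL.
        return OrderStatus.values();
    }

    // Instance access, which the note above recommends, goes through an
    // enum value held by the action:
    //   <s:property value="status.name()" />
    public OrderStatus getStatus() {
        return status;
    }
}
```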
Bug
- [WW-5060] - Struts 2 Rest Plugin Conversion Issue
- [WW-5310] - s:url does not handle equal sign correctly
- [WW-5406] - Action excluded patterns are not updated following a configuration reload
- [WW-5414] - AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
- [WW-5415] - Struts2 Validator is failing in OGNL with constructor call
- [WW-5417] - Update OGNL member access criteria
- [WW-5418] - Forbid static access of Enums from OGNL expressions
- [WW-5418] - Forbid use of Apache Jasper classes in OGNL expressions
- [WW-5419] - Autoloading of tiles.xml fails in Struts-6.4.0
- [WW-5422] - I18nInterceptor and invalid locale
- [WW-5424] - ClassCastException with tag "set" when variable name has length=1
- [WW-5436] - Select tag NOT working when using list of org.apache.commons.beanutils.LazyDynaBean
- [WW-5437] - EnvsValueSubstitutor ignores Environment variables if default value is present
...