View Source

These are the notes for the Struts 2.5.13 distribution.

For prior notes in this release series, see Version Notes 2.5.12

If you are a Maven user, you might want to get started using the Maven Archetype.

<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.5.13</version>
</dependency>

You can also use Struts Archetype Catalog like below

mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/

<repositories>
  <repository>
    <id>apache.nexus</id>
    <name>ASF Nexus Staging</name>
    <url>https://repository.apache.org/content/groups/staging/</url>
  </repository>
</repositories>

Internal Changes

A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047), see S2-050
A remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin, see S2-051
Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads, see S2-052

Bug

[WW-4176] - Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is ignored, Numeric Keys will work and mapped
[WW-4813] - NP with TextProvider and wildcardmapping
[WW-4817] - Threads get blocked due to unnecessary synchronization in OgnlRuntime
[WW-4818] - Default Multipart validation regex is invalid
[WW-4827] - Not fully initialized ObjectFactory tries to create beans
[WW-4828] - http://struts.apache.org/dtds/struts-2.5.dtd missing
[WW-4829] - Set a global resource bundle in class
[WW-4830] - Override TextProvider doesnot work in struts 2.5.12
[WW-4831] - Array-of-null parameters are converted to string "null"
[WW-4839] - JakartaStreamMultiPartRequest Should Honor "struts.multipart.maxSize"
[WW-4840] - Build Fails Due to Unused com.sun Import
[WW-4841] - Struts2.5.12 - NPE in DeligatingValidatorContext
[WW-4842] - Struts 2 Fails to Initialize with JRebel

Improvement

[WW-4808] - Allow define more than one Action suffix
[WW-4823] - Remove jQuery from debugging interceptor views
[WW-4824] - update dependencies page on the struts site
[WW-4834] - Improve RegEx used to validate URLs
[WW-4835] - Make REST ContentHandlers configurable
[WW-4838] - expose Freemarker incompatible_improvements into FreemarkerManager and StrutsBeansWrapper

Dependency

[WW-4819] - Upgrade Commons Collections to 3.2.2
[WW-4821] - Upgrade Commons IO to 2.5
[WW-4826] - Upgrade to ASM version 5.2
[WW-4833] - Upgrade to OGNL 3.1.15
[WW-4836] - Upgrade xstream to the latest version
[WW-4844] - Upgrade to struts-master 11

This release contains fixes related to S2-050, S2-051 and S2-052 - please read them carefully!

Issue Detail

JIRA Release Notes 2.5.13

Internal Changes

Bug

Improvement

Dependency

Issue List

Other resources