Version Notes 2.5.30

These are the notes for the Struts 2.5.30 distribution.

For prior notes in this release series, see Version Notes 2.5.29

• If you are a Maven user, you might want to get started using the Maven Archetype.

<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.5.30</version>
</dependency>

You can also use Struts Archetype Catalog like below

mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/

<repositories>
  <repository>
    <id>apache.nexus</id>
    <name>ASF Nexus Staging</name>
    <url>https://repository.apache.org/content/groups/staging/</url>
  </repository>
</repositories>

Internal Changes

Yasser's PR has been merged which contains a fix to double evaluation security vulnerability - it should solve any future attack vectors, yet it can impact your application if you have been depending on double evaluation.

How to test

• Run all your app tests, you shouldn't see any WARN log like below:

Expression [so-and-so] isn't allowed by pattern [so-and-so]! See Accepted / Excluded patterns at
https://struts.apache.org/security/

• See if following components are still functioning correctly regarding java-scripts:
  forms with client side validations
  doubleselect
  combobox
• Check also StreamResults, AliasInterceptors and JasperReportResults if they are still working as expected.

Dependency

• [WW-5170] - Upgrade Jackson-Core to version 2.10.5 and Jackson-Databind to 2.10.5.1
• [WW-5172] - Upgrade freemarker to 2.3.31

Issue Detail

• JIRA Release Notes 2.5.30

Issue List

• Struts 2.5.30 DONE
• Struts 2.5.x TODO

Other resources

• Commit Logs
• Source Code Repository