Versions Compared

...

Code Block (xml): Staging Repository
<repositories>
  <repository>
    <id>apache.nexus</id>
    <name>ASF Nexus Staging</name>
    <url>https://repository.apache.org/content/groups/staging/</url>
  </repository>
</repositories>

Internal Changes

Removed (previous version's list):

  • (warning) Possible XSS vulnerability in pages not using UTF-8 was fixed, read more details in S2-028
  • (warning) Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution, see S2-029
  • (warning) Prevents possible RCE when reusing user input in tag's attributes, see more details in S2-030
  • Fixed all reported issues related to the new version of Apache Tiles, see WW-4622, WW-4623, WW-4624
  • MessageStoreInterceptor was extended to support 3rd-party RedirectResult subclasses, see WW-4618
  • EmailValidator supports .cat domain, see WW-4626

Added (new version's list):

  • (warning) Action name clean up is error prone S2-035
  • (warning) Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029) S2-036
  • (warning) Remote Code Execution can be performed when using REST Plugin S2-037
  • (warning) It is possible to bypass token validation and perform a CSRF attack S2-038
  • (warning) Getter as action method leads to security bypass S2-039
  • (warning) Input validation bypass using existing default action method S2-040
  • (warning) Possible DoS attack when using URLValidator S2-041
  • [WW-4608] - Json result type breaks
  • [WW-4618] - MessageStorePreResultListener doesn't store messages for 3rd-party RedirectResult subclasses
  • [WW-4622] - [struts2-tiles-plugin] [2.3.28] [StrutsWildcardServletTilesApplicationContext] getRealPath
  • [WW-4623] - Multiple tiles.xml in web.xml
  • [WW-4624] - New Tiles version can not find tiles*.xml files in sub-directories
  • [WW-4626] - EmailValidator flags .cat emails as invalid
  • [WW-4627] - Struts2 JSON Plugin: messages in fieldsErrors are serialized twice since jdk1.7_80
  • [WW-4629] - Tile definition Inheritance/overriding is broken in Struts2 tiles plugin 2.3.28+
  • [WW-4630] - <s:submit> generates a value attribute for type=image which violates W3C
  • [WW-4633] - ClassCastException while generating report using Struts 2.3.28 and jasperreports 4.5.1

and a few other small improvements, please see the release notes.


Note

Previous version: This release contains fixes related to the S2-028, S2-029 and S2-030 security bulletins, please read them carefully!

New version: This release contains fixes related to the S2-035, S2-036, S2-037, S2-038, S2-039, S2-040 and S2-041 security bulletins, please read them carefully!

...