View Source

These are the notes for the Struts 2.3.20 distribution.

For prior notes in this release series, see Version Notes 2.3.16.3

If you are a Maven user, you might want to get started using the Maven Archetype.
Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development.

<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.3.20</version>
</dependency>

You can also use Struts Archetype Catalog like below

mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/

<repositories>
  <repository>
    <id>apache.nexus</id>
    <name>ASF Nexus Staging</name>
    <url>https://repository.apache.org/content/groups/staging/</url>
  </repository>
</repositories>

Internal Changes

Merged security fixes from version 2.3.16.1, 2.3.16.2, 2.3.16.3
Extended existing security mechanism to block access to given Java packages and Classes, see #11 or read Internal security mechanism
Collection Parameters for RedirectResults, WW-4224
Make ParametersInterceptor supports chinese in hash key by default, WW-4250
themes.properties can be loaded using ServletContext allows to put template folder under WEB-INF or on classpath, WW-4260
New tag datetextfield, WW-3493
Only valid Ognl expressions are cached, WW-4146
CustomTextProvider can be used for validation errors of model driven actions, WW-4202
datetimepicker's label fixed, WW-4254
PropertiesJudge removed and properties are checked in SecurityMemberAccess, WW-4257
resource reloading works in IBM JVM, WW-4266
default reloading settings were removed from default.properties, WW-4267
commons-fileupload library upgraded to version 1.3.1 to fix potential security vulnerability, WW-4286
The scheme attribute accepts expressions in s:url tag, WW-4024
Solves problem with infinite loop in FastByteArrayOutputStream, WW-4383
LocalizedTextUtil supports many ClassLoaders, WW-4379
Bill of Materials pom was introduced, WW-4326
debug=browser|console was migrated to jQuery, WW-4322
struts_dojo.js was fixed, WW-4349
interface org/apache/struts2/views/TagLibrary was restored and marked as @Depreacted, WW-4255
<s:hidden/> tag is wrapped with <tr/> and <td/> tags to match layout of other tags in xhtml theme, WW-4297
and many other small improvements, please see the release notes

Please read information about new internal security mechanism introduced with this version, it can have impact on your application! With version 2.3.20 new internal security mechanism was introduced, if you were setting excludeParams in your struts.xml you should remove it as this overlaps those patterns defined by the framework itself. Read more here.

This release contains fix related to S2-023 security bulletin, please read it carefully!

Issue Detail

JIRA Release Notes 2.3.20

Internal Changes

Issue Detail

Issue List

Other resources