These are the notes for the Struts 2.3.29 distribution.
For prior notes in this release series, see Version Notes 2.3.28.1
- If you are a Maven user, you might want to get started using the Maven Archetype.
- Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development.
- There is huge number of examples you can also use as a starting point for you application here
Maven Dependency
<dependency> <groupId>org.apache.struts</groupId> <artifactId>struts2-core</artifactId> <version>2.3.29</version> </dependency>
You can also use Struts Archetype Catalog like below
Struts Archetype Catalog
mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/
Staging Repository
<repositories> <repository> <id>apache.nexus</id> <name>ASF Nexus Staging</name> <url>https://repository.apache.org/content/groups/staging/</url> </repository> </repositories>
Internal Changes
- Action name clean up is error prone S2-035
- Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029) S2-036
- Remote Code Execution can be performed when using REST Plugin S2-037
- It is possible to bypass token validation and perform a CSRF attack S2-038
- Getter as action method leads to security bypass S2-039
- Input validation bypass using existing default action method S2-040
- Possible DoS attack when using URLValidator S2-041
- Fixed all reported issues related to new version of the Apache Tiles, see WW-4622, WW-4623, WW-4624
MessageStoreInterceptor
was extended to support 3rd-partyRedirectResult
subclasses, see WW-4618EmailValidator
supports.cat
domain, see WW-4626- and few other small improvements, please see the release notes