Version Notes 2.3.29

These are the notes for the Struts 2.3.29 distribution.

For prior notes in this release series, see Version Notes 2.3.28.1

• If you are a Maven user, you might want to get started using the Maven Archetype.
• Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development.
• There is huge number of examples you can also use as a starting point for you application here

<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>2.3.29</version>
</dependency>

You can also use Struts Archetype Catalog like below

mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/

<repositories>
  <repository>
    <id>apache.nexus</id>
    <name>ASF Nexus Staging</name>
    <url>https://repository.apache.org/content/groups/staging/</url>
  </repository>
</repositories>

Internal Changes

•  Action name clean up is error prone S2-035
•  Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution (similar to S2-029) S2-036
•  Remote Code Execution can be performed when using REST Plugin S2-037
•  It is possible to bypass token validation and perform a CSRF attack S2-038
•  Getter as action method leads to security bypass S2-039
•  Input validation bypass using existing default action method S2-040
•  Possible DoS attack when using URLValidator S2-041
• Fixed all reported issues related to new version of the Apache Tiles, see WW-4622, WW-4623, WW-4624
• MessageStoreInterceptor was extended to support 3rd-party RedirectResult subclasses, see WW-4618
• EmailValidator supports .cat domain, see WW-4626
• and few other small improvements, please see the release notes

Issue Detail

• JIRA Release Notes 2.3.28

Issue List

• Struts 2.3.28 DONE
• Struts 2.3.x TODO

Other resources

• Commit Logs
• Source Code Repository