struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <>
Subject Re:[VOTE] [FAST TRACK] Struts
Date Wed, 16 Oct 2013 13:51:35 GMT
Thanks Lukasz.
This is not a vote, but additional questions.
> After upgrading to Struts, applications using the "action:" will stop working.

We still want the "action:" works if possible, so we have added

* struts.mapper.action.prefix.enabled
* struts.mapper.action.prefix.crossNamespaces

into (or struts.xml) and set their value true as suggested as "Backward
But "action:" did not seem to work under environment against our expectation.
(Not 404 error like, but transit to the same page.)

(Q1) Are those additional constants effective as mentioned in new S2-018?
(Q2) Assume that the backward compatibility works, can we expect that applying with
setting the additional constants true is still valuable as a solution to the problem "Broken
Access Control Vulnerability" targeted in S2-018?

Best regards.
Yuki Sugawara


>Subject: [!][VOTE] [FAST TRACK] Struts
>Date: 2013/10/16 05:59
>Attribute: None
>The Struts test build is now available. It includes the
>latest security patch which fix possible vulnerability.
>For details and the rationale behind these changes, please consult the
>corresponding security bulletins:
>Release notes:
>* []
>* []
>Maven 2 staging repository:
>* []
>Once you have had a chance to review the test build, please respond
>with a vote on its quality:
>[ ] Leave at test build
>[ ] Alpha
>[ ] Beta
>[ ] General Availability (GA)
>Everyone who has tested the build is invited to vote. Votes by PMC
>members are considered binding. A vote passes if there are at least
>three binding +1s and more +1s than -1s.
>This is a "fast-track" release vote. If we have a positive vote after
>24 hours (at least three binding +1s and more +1s than -1s),  the
>release may be submitted for mirroring and announced to the usual
>The website download link will include the mirroring timestamp
>parameter [1], which limits the selection of mirrors to those that
>have been refreshed since the indicated time and date. (After 24
>hours, we *must* remove the timestamp parameter from the website link,
>to avoid unnecessary server load.) In the case of a fast-track
>release, the email announcement will not link directly to
><download.cgi>, but to <downloads.html>, so that we can control use of
>the timestamp parameter.
>- The Apache Struts group.
>+ 48 606 323 122
>To unsubscribe, e-mail:
>For additional commands, e-mail:
View raw message