struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4849) ObjectFactory constructor signature change breaks extensions
Date Wed, 06 Sep 2017 05:53:00 GMT

    [ https://issues.apache.org/jira/browse/WW-4849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16154843#comment-16154843 ]

Lukasz Lenart commented on WW-4849:
-----------------------------------

You can always just drop in the plugin itself; you do not need to upgrade the whole framework
(we must release the whole framework just because there is no way to release a plugin itself).
Also, the plugin breaks backward compatibility anyway, as there was no other way to fix the
vulnerability.

> ObjectFactory constructor signature change breaks extensions
> ------------------------------------------------------------
>
>                 Key: WW-4849
>                 URL: https://issues.apache.org/jira/browse/WW-4849
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.5.13
>            Reporter: Mitth'raw'nuruodo
>
> Commit {{6f91d0776a545c911ca4f2875ed9976614711ef9}} changed the signature of the {{ObjectFactory}} constructor, breaking all classes that extend {{ObjectFactory}} (as per https://struts.apache.org/docs/objectfactory.html). This affects e.g. the [{{guice-servlet}} Struts plugin|https://github.com/google/guice/blob/master/extensions/struts2/src/com/google/inject/struts2/Struts2Factory.java].
> This was not listed on the [2.5.13 version notes|https://struts.apache.org/docs/version-notes-2513.html] as a breaking change, and breaking changes should preferably be avoided in critical security updates.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
