struts-user mailing list archives

From Miguel Almeida <migueldealme...@gmail.com>
Subject Re: Apache Struts 2.3.35 Upgrade - backward incompatibility in s:if
Date Thu, 30 Aug 2018 09:23:07 GMT
Thanks, Lukasz,


On Thu, Aug 30, 2018 at 10:03 AM Lukasz Lenart <lukaszlenart@apache.org> wrote:

> On Thu, 30 Aug 2018 at 10:40 Miguel Almeida <migueldealmeida@gmail.com> wrote:
> > Out of curiosity, is the problem the conversion from List to XWorkList mentioned by Yasser
> > <https://issues.apache.org/jira/browse/WW-4954?focusedCommentId=16593382&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16593382>?
>
> Yes, XWorkList lies in an excluded package that cannot be used directly in OGNL expressions.
>
> > Follow-up questions:
> >
> > 1. What is the expected impact of this change? On our previous upgrade from 34 to 35 our risk assessment determined no risk, based on the assumption that the change was backwards compatible. Since it is not (and we need to perform the additional change in struts.xml), can you tell us if there is any area we should worry about when upgrading?
>
> Hard to say, we extended the excluded packages to prevent unknown future vulnerabilities that can use those classes. It wasn't caused by any security report. So changing struts.xml shouldn't be a problem.
>
> > 2. Should the logs have shown this? With devMode=true, I see no difference in the logs from 34 to 35
>
> You should see a WARN from the SecurityMemberAccess class (devMode is not needed)
>
> > 3. Is it possible to change the release notes to tell about this incompatibility? Going forward, is there a way to improve the compatibility assessments?
>
> Yes, we can change them, and I'm not sure what you mean by improving the compatibility assessments?
>

I mean being able to provide some more information in the release notes that makes backward incompatibilities easier to spot. I know this is a lot easier said than done, but the end goal is to improve the accuracy of the backward compatibility assessments.
Regards,
Miguel

>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>
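Editor's added illustration, not code from this thread and not Struts' own SecurityMemberAccess: a small Java re-creation of the exclusion check Lukasz describes, so the "XWorkList lies in an excluded package" answer can be tried against concrete class names. The three constant names (struts.excludedClasses, struts.excludedPackageNames, struts.excludedPackageNamePatterns) are real Struts settings; the default values below are an assumption about the 2.3.35 struts-default.xml, not copied from it, and the class name com.opensymphony.xwork2.util.XWorkList is assumed to be the List the value stack converted to. Check the struts-default.xml inside your struts2-core jar before relying on any of the listed values.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Illustrative package/class exclusion check in the style of Struts'
 * SecurityMemberAccess (added example, NOT Struts code). Struts runs its
 * real check on the target object's class (and the member's declaring
 * class) every time OGNL, e.g. the expression in an s:if test attribute,
 * tries to access a member, and logs a WARN when it refuses.
 */
public class ExcludedPackageCheck {
    private final List<String> excludedClasses;        // struts.excludedClasses
    private final List<String> excludedPackagePrefixes; // struts.excludedPackageNames
    private final List<Pattern> excludedPackagePatterns; // struts.excludedPackageNamePatterns

    public ExcludedPackageCheck(List<String> classes, List<String> prefixes, List<String> patterns) {
        this.excludedClasses = classes;
        this.excludedPackagePrefixes = prefixes;
        this.excludedPackagePatterns = new ArrayList<>();
        for (String p : patterns) {
            excludedPackagePatterns.add(Pattern.compile(p));
        }
    }

    /** True when member access on an object of this class must be refused. */
    public boolean isExcluded(String className) {
        if (excludedClasses.contains(className)) {
            return true;
        }
        int dot = className.lastIndexOf('.');
        String pkg = dot < 0 ? "" : className.substring(0, dot);
        for (String prefix : excludedPackagePrefixes) {
            // struts.excludedPackageNames is a prefix match on the package name
            if (pkg.startsWith(prefix)) {
                return true;
            }
        }
        for (Pattern pattern : excludedPackagePatterns) {
            // struts.excludedPackageNamePatterns is a regex over the package name
            if (pattern.matcher(pkg).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // ASSUMED defaults for illustration; read the real ones from struts-default.xml.
        ExcludedPackageCheck check = new ExcludedPackageCheck(
            Arrays.asList("java.lang.Runtime", "java.lang.ProcessBuilder", "ognl.OgnlContext"),
            Arrays.asList("java.lang.", "ognl", "com.opensymphony.xwork2.ognl",
                          "com.opensymphony.xwork2.util"),
            Arrays.asList("^(?!javax\\.servlet\\..+)(javax\\..+)"));

        // Constructed sample classes: the plain List the action exposes, the
        // XWorkList it is assumed to become after conversion, and two others.
        String[] candidates = {
            "java.util.ArrayList",
            "com.opensymphony.xwork2.util.XWorkList",
            "javax.servlet.http.HttpServletRequest",
            "javax.script.ScriptEngineManager",
        };
        for (String c : candidates) {
            System.out.println((check.isExcluded(c) ? "BLOCKED " : "allowed ") + c);
        }
    }
}
```

With the assumed list, the ArrayList and the servlet request are allowed while XWorkList and the script engine are blocked; that asymmetry between "a List" and "the List Struts hands back" is what makes the change look like a silent s:if regression rather than a configuration error. Narrowing struts.excludedPackageNames to get the old behaviour back widens what OGNL may reach, so it is the option to justify in a risk assessment, not the default fix.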
