struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <>
Subject Re: Apache Struts 2.3.35 Upgrade - backward incompatibility in s:if
Date Thu, 30 Aug 2018 09:03:19 GMT
czw., 30 sie 2018 o 10:40 Miguel Almeida <> napisał(a):
> Out of curiosity, is the problem the conversion from List to XWorkList
> mentioned
> by Yasser
> <>
> ?

Yes, XWorkList lays in a excluded package that cannot be used directly
in OGNL expressions.

> Follow up questions:
> 1. What is the expected impact of this change? On our previous upgrade from
> 34 to 35 our risk assessment determined no risk, based on the assumption
> that the change was backwards compatible. Since it is not (and we need to
> perform the additional change in struts.xml), can you tell us if there is
> any area we should worry about when upgrading?

Hard to say, we extended the excluded packages to prevent unknown
feature vulnerabilities that can use those classes. It wasn't caused
by any security report. So changing struts.xml shouldn't be a problem.

> 2. Should the logs have shown this? With devMode=true, I see no difference
> in the logs from 34 to 35

You should see a WARN from the SecurityMemberAccess class (devMode is
not needed)

> 3. Is it possible to change the release notes to tell about this
> incompatibility? Going forward, is there a way to improve the compatibility
> assessments?

Yes, we can change them and not sure what do you mean improving the
compatibility assessments?

+ 48 606 323 122

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message