Posted to commits@struts.apache.org by rg...@apache.org on 2008/07/16 01:18:33 UTC

svn commit: r677084 - /struts/site/src/site/xdoc/index.xml

Author: rgielen
Date: Tue Jul 15 16:18:33 2008
New Revision: 677084

URL: http://svn.apache.org/viewvc?rev=677084&view=rev
Log:
Site updates for 2.0.11.2 GA
- describe the known issues with Struts 2.0.11.2

Modified:
    struts/site/src/site/xdoc/index.xml

Modified: struts/site/src/site/xdoc/index.xml
URL: http://svn.apache.org/viewvc/struts/site/src/site/xdoc/index.xml?rev=677084&r1=677083&r2=677084&view=diff
==============================================================================
--- struts/site/src/site/xdoc/index.xml (original)
+++ struts/site/src/site/xdoc/index.xml Tue Jul 15 16:18:33 2008
@@ -70,9 +70,44 @@
             </p>
 
             <p>
-            For changes included in Struts 2.0.11.2,
-            see the <a href="http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html">release notes</a>.
-            Struts 2.0.11.2 provides important security bugfixes since the 2.0.11.1 GA release.
+                For changes included in Struts 2.0.11.2,
+                see the <a href="http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html">release notes</a>.
+                Struts 2.0.11.2 provides important security bugfixes since the 2.0.11.1 GA release.
+            </p>
+            <p>
+                <b>IMPORTANT ADDITIONAL NOTES:</b>
+                <p/>
+                There are two known issues with this release:
+                <ol>
+                    <li>
+                        the integrated XWork 2.0.5 jar may cause problems when used in a combination of WebSphere 6.1 runtime environments with validation configuration via XML files.
+                        Possible Workarounds:
+                        <ul>
+                            <li>use annotation based validation definition instead XML based</li>
+                            <li>stay with Struts 2.0.11.1 including XWork 2.0.4, applying the following exclude rule to your parameter interceptor refs in struts.xml
+<pre>
+&lt;interceptor-ref name="params"&gt;
+    &lt;param name="excludeParams"&gt;.*[[^\\p{Graph}][\\\\#:=]].*&lt;/param&gt;
+&lt;/interceptor-ref&gt;
+</pre>
+                            </li>
+                        </ul>
+                    </li>
+                    <li>
+                        the filtering mechanism implemeted in XWork's ParametersInterceptor to fix the described security issue does not completely avoid any possible malicious parameter name.
+                        Possible Workaround:
+                        <ul>
+                            <li>apply the following exclude rule to your parameter interceptor refs in struts.xml to avoid the usage of backslash charater in parameter names
+<pre>
+&lt;interceptor-ref name="params"&gt;
+    &lt;param name="excludeParams"&gt;.*\\.*&lt;/param&gt;
+&lt;/interceptor-ref&gt;
+</pre>
+                            </li>
+                        </ul>
+                    </li>
+                </ol>
+                Both issues will be addressed in a soon upcoming XWork 2.0.6 release, followed by a new Struts 2.0 GA release including this new XWork version.
             </p>
             </subsection>
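
Review bot: The two excludeParams values in the added <pre> blocks escape the backslash at different levels, so they cannot both mean what the text says once struts.xml is read. The second block writes .*\\.* (two backslashes for one literal backslash), while the first writes [\\\\#:=] (four) and \\p{Graph}, which looks like a Java string literal pasted unchanged. If the value reaches the regex engine as written, \\p{Graph} inside the negated class is a literal backslash plus the letters and braces of "p{Graph}" rather than the POSIX class, and the rule would then exclude almost every parameter name. Please confirm which escaping the interceptor expects and make both snippets consistent; with the second block's convention the first would read .*[[^\p{Graph}][\\#:=]].* instead. Also in this hunk: the <ol>, <ul>, <pre> and <p/> sit inside a still-open <p>, so close the paragraph before the list; "implemeted", "charater" and "instead XML based" should read "implemented", "character" and "instead of XML based"; and "the described security issue" refers to a description that does not appear in these lines, so link the advisory or the release notes at that point.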