Posted to commits@struts.apache.org by rg...@apache.org on 2008/07/16 01:18:33 UTC
svn commit: r677084 - /struts/site/src/site/xdoc/index.xml
Author: rgielen
Date: Tue Jul 15 16:18:33 2008
New Revision: 677084
URL: http://svn.apache.org/viewvc?rev=677084&view=rev
Log:
Site updates for 2.0.11.2 GA
- describe the known issues with Struts 2.0.11.2
Modified:
struts/site/src/site/xdoc/index.xml
Modified: struts/site/src/site/xdoc/index.xml
URL: http://svn.apache.org/viewvc/struts/site/src/site/xdoc/index.xml?rev=677084&r1=677083&r2=677084&view=diff
==============================================================================
--- struts/site/src/site/xdoc/index.xml (original)
+++ struts/site/src/site/xdoc/index.xml Tue Jul 15 16:18:33 2008
@@ -70,9 +70,44 @@
</p>
<p>
- For changes included in Struts 2.0.11.2,
- see the <a href="http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html">release notes</a>.
- Struts 2.0.11.2 provides important security bugfixes since the 2.0.11.1 GA release.
+ For changes included in Struts 2.0.11.2,
+ see the <a href="http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html">release notes</a>.
+ Struts 2.0.11.2 provides important security bugfixes since the 2.0.11.1 GA release.
+ </p>
+ <p>
+ <b>IMPORTANT ADDITIONAL NOTES:</b>
+ <p/>
+ There are two known issues with this release:
+ <ol>
+ <li>
+ the integrated XWork 2.0.5 jar may cause problems when used in a combination of WebSphere 6.1 runtime environments with validation configuration via XML files.
+ Possible Workarounds:
+ <ul>
+ <li>use annotation based validation definition instead XML based</li>
+ <li>stay with Struts 2.0.11.1 including XWork 2.0.4, applying the following exclude rule to your parameter interceptor refs in struts.xml
+<pre>
+<interceptor-ref name="params">
+ <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>
+</interceptor-ref>
+</pre>
+ </li>
+ </ul>
+ </li>
+ <li>
+ the filtering mechanism implemeted in XWork's ParametersInterceptor to fix the described security issue does not completely avoid any possible malicious parameter name.
+ Possible Workaround:
+ <ul>
+ <li>apply the following exclude rule to your parameter interceptor refs in struts.xml to avoid the usage of backslash charater in parameter names
+<pre>
+<interceptor-ref name="params">
+ <param name="excludeParams">.*\\.*</param>
+</interceptor-ref>
+</pre>
+ </li>
+ </ul>
+ </li>
+ </ol>
+ Both issues will be addressed in a soon upcoming XWork 2.0.6 release, followed by a new Struts 2.0 GA release including this new XWork version.
</p>
</subsection>
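Review bot: The two excludeParams values in the added <pre> blocks are escaped at different levels, and the first one (in the "stay with Struts 2.0.11.1" workaround) looks over-escaped. The second value, `.*\\.*`, reads as a regex matching any name that contains a backslash, which is what its list item describes. The first value, `.*[[^\\p{Graph}][\\\\#:=]].*`, doubles every backslash the way a Java string literal would. If the param text is compiled as a regex exactly as written, `[^\\p{Graph}]` is a negated class of the literal characters `\`, `p`, `{`, `G`, `r`, `a`, `h`, `}` rather than "not a graphic character", so almost every ordinary parameter name would be excluded. Suggest `.*[[^\p{Graph}][\\#:=]].*` if that is the intent, plus a sentence stating what the rule rejects so readers can verify it against their own parameter names. Minor, same hunk: "implemeted", "charater" and "instead XML based" need fixing, and the <ol> and <p/> are nested inside a still-open <p>.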