Posted to user@struts.apache.org by Miguel Almeida <mi...@gmail.com> on 2018/08/29 17:03:41 UTC

Apache Struts 2.3.35 Upgrade - backward incompatibility in s:if

We upgraded from 2.3.34 to 2.3.35 in one of our applications, but although
the upgrade is described as backwards compatible, we found a problem in the
UI.

The simplified example is as follows.
*Given* a JSP with:

<s:if test="#scopeValues.contains('Portuguese Things')">
    foo<s:property value="#scopeValues"/>
</s:if>
<s:else>
    bar<s:property value="#scopeValues"/>
</s:else>

*And* scopeValues was previously set (<s:set var="scopeValues"
value="scopes"></s:set>, where scopes is a List<String> scopes in the action)

*When* the List<String> scopes has [Portuguese Things, XXX]
*Then* the JSP will print: bar[Portuguese Things, XXX]


If I revert to 2.3.34:
*Then* the JSP will print: foo[Portuguese Things, XXX]


What could be causing this? Since this breaks one of our pages we are now
hesitant on what other places could break after the upgrade.

Kind regards,

Miguel

Re: Apache Struts 2.3.35 Upgrade - backward incompatibility in s:if

Posted by Lukasz Lenart <lu...@apache.org>.
I've extended the bulletin to add a note about a potential backward
compatibility issue.
https://cwiki.apache.org/confluence/display/WW/S2-057

Thanks & Regards
Łukasz

Thu, 30 Aug 2018 at 15:47 Lukasz Lenart <lu...@apache.org> wrote:
>
> Thu, 30 Aug 2018 at 11:23 Miguel Almeida <mi...@gmail.com> wrote:
> > I mean being able to provide some more information in the release notes
> > that allows to spot backward incompatibilities more easily. I know this is
> > a lot easier said than done, but the end goal is to improve accuracy of the
> > backward compatibility assessments.
>
> This is a new issue discovered once the announcement was sent, we are
> working to prepare new releases that will fix this incompatibility.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Apache Struts 2.3.35 Upgrade - backward incompatibility in s:if

Posted by Lukasz Lenart <lu...@apache.org>.
Thu, 30 Aug 2018 at 11:23 Miguel Almeida <mi...@gmail.com> wrote:
> I mean being able to provide some more information in the release notes
> that allows to spot backward incompatibilities more easily. I know this is
> a lot easier said than done, but the end goal is to improve accuracy of the
> backward compatibility assessments.

This is a new issue discovered once the announcement was sent, we are
working to prepare new releases that will fix this incompatibility.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Apache Struts 2.3.35 Upgrade - backward incompatibility in s:if

Posted by Miguel Almeida <mi...@gmail.com>.
Thanks Lukasz,


On Thu, Aug 30, 2018 at 10:03 AM Lukasz Lenart <lu...@apache.org>
wrote:

> Thu, 30 Aug 2018 at 10:40 Miguel Almeida <mi...@gmail.com> wrote:
> > Out of curiosity, is the problem the conversion from List to XWorkList
> > mentioned by Yasser
> > <https://issues.apache.org/jira/browse/WW-4954?focusedCommentId=16593382&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16593382>?
>
> Yes, XWorkList lies in an excluded package that cannot be used directly
> in OGNL expressions.
>
> > Follow up questions:
> >
> > 1. What is the expected impact of this change? On our previous upgrade from
> > 34 to 35 our risk assessment determined no risk, based on the assumption
> > that the change was backwards compatible. Since it is not (and we need to
> > perform the additional change in struts.xml), can you tell us if there is
> > any area we should worry about when upgrading?
>
> Hard to say, we extended the excluded packages to prevent unknown
> feature vulnerabilities that can use those classes. It wasn't caused
> by any security report. So changing struts.xml shouldn't be a problem.
>
> > 2. Should the logs have shown this? With devMode=true, I see no difference
> > in the logs from 34 to 35
>
> You should see a WARN from the SecurityMemberAccess class (devMode is
> not needed)
>
> > 3. Is it possible to change the release notes to tell about this
> > incompatibility? Going forward, is there a way to improve the compatibility
> > assessments?
>
> Yes, we can change them, and I'm not sure what you mean by improving the
> compatibility assessments?
>

I mean being able to provide some more information in the release notes
that allows to spot backward incompatibilities more easily. I know this is
a lot easier said than done, but the end goal is to improve accuracy of the
backward compatibility assessments.
Regards,
Miguel

>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>

Re: Apache Struts 2.3.35 Upgrade - backward incompatibility in s:if

Posted by Lukasz Lenart <lu...@apache.org>.
Thu, 30 Aug 2018 at 10:40 Miguel Almeida <mi...@gmail.com> wrote:
> Out of curiosity, is the problem the conversion from List to XWorkList
> mentioned by Yasser
> <https://issues.apache.org/jira/browse/WW-4954?focusedCommentId=16593382&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16593382>?

Yes, XWorkList lies in an excluded package that cannot be used directly
in OGNL expressions.

> Follow up questions:
>
> 1. What is the expected impact of this change? On our previous upgrade from
> 34 to 35 our risk assessment determined no risk, based on the assumption
> that the change was backwards compatible. Since it is not (and we need to
> perform the additional change in struts.xml), can you tell us if there is
> any area we should worry about when upgrading?

Hard to say, we extended the excluded packages to prevent unknown
feature vulnerabilities that can use those classes. It wasn't caused
by any security report. So changing struts.xml shouldn't be a problem.

> 2. Should the logs have shown this? With devMode=true, I see no difference
> in the logs from 34 to 35

You should see a WARN from the SecurityMemberAccess class (devMode is
not needed)

> 3. Is it possible to change the release notes to tell about this
> incompatibility? Going forward, is there a way to improve the compatibility
> assessments?

Yes, we can change them, and I'm not sure what you mean by improving the
compatibility assessments?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
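
The behaviour discussed in this thread, modelled as an added example that is not part of any message above and is not Struts code: a prefix match on the runtime class's package decides whether an OGNL method call is allowed, so a value declared as List<String> but held as an XWorkList is refused once its package is excluded. The two exclusion lists and the rule that a refused call makes the test false are assumptions chosen to mirror the foo/bar output reported in the first message.

```java
import java.util.Arrays;
import java.util.List;

// Simplified model of a prefix-based package exclusion check.
// Not Struts' SecurityMemberAccess implementation; all names are illustrative.
public class ExcludedPackageDemo {

    // Assumed exclusion lists for illustration only; the real defaults
    // are defined by the framework's own configuration.
    static final List<String> BEFORE = Arrays.asList("ognl.", "javax.");
    static final List<String> AFTER =
            Arrays.asList("ognl.", "javax.", "com.opensymphony.xwork2.util.");

    // A member is accessible only if the runtime class of the target is
    // not inside an excluded package (prefix match on the class name).
    static boolean isAccessible(String runtimeClassName, List<String> excluded) {
        for (String prefix : excluded) {
            if (runtimeClassName.startsWith(prefix)) {
                return false;
            }
        }
        return true;
    }

    // Models <s:if test="#scopeValues.contains('Portuguese Things')">.
    // Assumption: a refused method call yields no value, so the test is
    // false and the <s:else> branch renders.
    static String render(String runtimeClassName, List<String> values,
                         List<String> excluded) {
        boolean test = isAccessible(runtimeClassName, excluded)
                && values.contains("Portuguese Things");
        return (test ? "foo" : "bar") + values;
    }

    public static void main(String[] args) {
        // Constructed sample data matching the list in the original report.
        List<String> scopes = Arrays.asList("Portuguese Things", "XXX");
        String xworkList = "com.opensymphony.xwork2.util.XWorkList";

        System.out.println(render(xworkList, scopes, BEFORE));
        System.out.println(render(xworkList, scopes, AFTER));
        // Same content held in a JDK list is unaffected by the wider list.
        System.out.println(render("java.util.ArrayList", scopes, AFTER));
    }
}
```

The declared type in the action plays no part in the check; only the class of the object actually on the value stack is matched, which is why the page content flipped without any change to the JSP.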



Re: Apache Struts 2.3.35 Upgrade - backward incompatibility in s:if

Posted by Miguel Almeida <mi...@gmail.com>.
Hi Lukasz,

Thanks for your answer. Yes, it seems related, adding this constant works
around the issue.
Out of curiosity, is the problem the conversion from List to XWorkList
mentioned by Yasser
<https://issues.apache.org/jira/browse/WW-4954?focusedCommentId=16593382&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16593382>?

Follow up questions:

1. What is the expected impact of this change? On our previous upgrade from
34 to 35 our risk assessment determined no risk, based on the assumption
that the change was backwards compatible. Since it is not (and we need to
perform the additional change in struts.xml), can you tell us if there is
any area we should worry about when upgrading?

2. Should the logs have shown this? With devMode=true, I see no difference
in the logs from 34 to 35

3. Is it possible to change the release notes to tell about this
incompatibility? Going forward, is there a way to improve the compatibility
assessments?

Kind regards,
Miguel


On Thu, Aug 30, 2018 at 7:21 AM Lukasz Lenart <lu...@apache.org>
wrote:

> Wed, 29 Aug 2018 at 19:04 Miguel Almeida <mi...@gmail.com> wrote:
> > *And* scopeValues was previously set (<s:set var="scopeValues"
> > value="scopes"></s:set>, where scopes is a List<String> scopes in the action)
>
> It is probably related to this issue
>
> https://issues.apache.org/jira/browse/WW-4954?focusedCommentId=16593403&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16593403
>
> You can temporarily use the posted workaround but we will fix that in
> incoming two minor releases.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
>

Re: Apache Struts 2.3.35 Upgrade - backward incompatibility in s:if

Posted by Lukasz Lenart <lu...@apache.org>.
Wed, 29 Aug 2018 at 19:04 Miguel Almeida <mi...@gmail.com> wrote:
> *And* scopeValues was previously set (<s:set var="scopeValues"
> value="scopes"></s:set>, where scopes is a List<String> scopes in the action)

It is probably related to this issue
https://issues.apache.org/jira/browse/WW-4954?focusedCommentId=16593403&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16593403

You can temporarily use the posted workaround but we will fix that in
incoming two minor releases.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
