Posted to dev@struts.apache.org by GitBox <gi...@apache.org> on 2021/07/09 06:17:42 UTC

[GitHub] [struts] yasserzamani opened a new pull request #496: fix double evaluations

yasserzamani opened a new pull request #496:
URL: https://github.com/apache/struts/pull/496


   address known issues reported at https://securitylab.github.com/research/apache-struts-double-evaluation/


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


[GitHub] [struts] lukaszlenart commented on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
lukaszlenart commented on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-1067993790


   LGTM 👍 





[GitHub] [struts] lukaszlenart commented on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
lukaszlenart commented on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-932733987


   Tests are the most important in this change as changing existing tests means you probably introduced breaking changes as users can depend on the buggy implementation.





[GitHub] [struts] lukaszlenart edited a comment on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
lukaszlenart edited a comment on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-886046084


   I have a huge concern if such a big change should be introduced in a minor version like 2.5.27 - I'm ok with having it in 2.6 as this is natural to break backward compatibility in a major version release. Users can be heavily impacted by these changes and won't be able to update their apps.





Re: [GitHub] [struts] yasserzamani opened a new pull request #496: fix double evaluations

Posted by Greg Huber <gr...@gmail.com>.
UIBean.escape(String name)
<https://github.com/apache/struts/pull/496/files#diff-cfe644a2b24b492d6835fa1f38e7a770dad354b286cbe6b056a5fe7e80e669ca>

// escape any possible values that can make the ID painful to work with in JavaScript

old : return name.replaceAll("[\\/\\.\\[\\]]", "_");

new: return name.replaceAll("[^a-zA-Z0-9_]", "_");

Isn't this all alpha/numeric now?

On 09/07/2021 07:17, GitBox wrote:
> yasserzamani opened a new pull request #496:
> URL: https://github.com/apache/struts/pull/496
>
>
>     address known issues reported at https://securitylab.github.com/research/apache-struts-double-evaluation/
>
>

Re: [GitHub] [struts] lukaszlenart merged pull request #496: fix double evaluations

Posted by Lukasz Lenart <lu...@apache.org>.
Thu, 17 Mar 2022 at 13:10 Yasser Zamani <ya...@apache.org> wrote:
> > Yasser, can you add such notes to the Internal Changes section in the
> > Version Notes?
> > https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.30
>
> Yes sure thanks for heads up! done :)

Great, thanks a lot and thanks for your patience :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] [struts] lukaszlenart merged pull request #496: fix double evaluations

Posted by Yasser Zamani <ya...@apache.org>.

On 3/17/2022 9:47 AM, Lukasz Lenart wrote:
> Wed, 16 Mar 2022 at 14:02 Yasser Zamani <ya...@apache.org> wrote:
>>
>> Hi Greg,
>>
>> Thanks for asking and testing!
>>
>> Firstly simply run all your app tests, you shouldn't see any WARN log
>> like "Expression blahblah isn't allowed by pattern blahblah! See
>> Accepted / Excluded patterns at
>> https://struts.apache.org/security/".
>>
>> Secondly see if your following components are functioning correctly
>> regarding java-scripts:
>> forms with client side validations
>> doubleselect
>> combobox
>>
>> Also check your StreamResults, AliasInterceptors and JasperReportResults
>> if you have.
> 
> Yasser, can you add such notes to the Internal Changes section in the
> Version Notes?
> https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.30
> 
> 

Yes sure thanks for heads up! done :)



Re: [GitHub] [struts] lukaszlenart merged pull request #496: fix double evaluations

Posted by Lukasz Lenart <lu...@apache.org>.
Wed, 16 Mar 2022 at 14:02 Yasser Zamani <ya...@apache.org> wrote:
>
> Hi Greg,
>
> Thanks for asking and testing!
>
> Firstly simply run all your app tests, you shouldn't see any WARN log
> like "Expression blahblah isn't allowed by pattern blahblah! See
> Accepted / Excluded patterns at
> https://struts.apache.org/security/".
>
> Secondly see if your following components are functioning correctly
> regarding java-scripts:
> forms with client side validations
> doubleselect
> combobox
>
> Also check your StreamResults, AliasInterceptors and JasperReportResults
> if you have.

Yasser, can you add such notes to the Internal Changes section in the
Version Notes?
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.30


Thanks in advance
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [GitHub] [struts] lukaszlenart merged pull request #496: fix double evaluations

Posted by Yasser Zamani <ya...@apache.org>.
Hi Greg,

Thanks for asking and testing!

Firstly simply run all your app tests, you shouldn't see any WARN log 
like "Expression blahblah isn't allowed by pattern blahblah! See 
Accepted / Excluded patterns at
https://struts.apache.org/security/".

Secondly see if your following components are functioning correctly 
regarding java-scripts:
forms with client side validations
doubleselect
combobox

Also check your StreamResults, AliasInterceptors and JasperReportResults 
if you have.

Thanks in advance!

Regards.

On 3/16/2022 12:33 PM, Greg Huber wrote:
> Seems a lot in here, what should we look out for in testing?
> 
> On 15/03/2022 13:33, GitBox wrote:
>> lukaszlenart merged pull request #496:
>> URL: https://github.com/apache/struts/pull/496
>>
>>
>>
>>
> 
> 



Re: [GitHub] [struts] lukaszlenart merged pull request #496: fix double evaluations

Posted by Greg Huber <gr...@gmail.com>.
Seems a lot in here, what should we look out for in testing?

On 15/03/2022 13:33, GitBox wrote:
> lukaszlenart merged pull request #496:
> URL: https://github.com/apache/struts/pull/496
>
>
>     
>
>



[GitHub] [struts] lukaszlenart merged pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
lukaszlenart merged pull request #496:
URL: https://github.com/apache/struts/pull/496


   




[GitHub] [struts] yasserzamani commented on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
yasserzamani commented on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-923241667


   @lukaszlenart I double checked and couldn't find any. Maybe to make it simpler just skip tests files review. Then you'll see obvious safe and nice changes. Test coverage is also increased 0.2%!





[GitHub] [struts] yasserzamani commented on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
yasserzamani commented on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-904437256


   Thanks @lukaszlenart I see. For me that has spent plenty of time on it, I remember it was obviously safe changes, but please let me double check, I'll let you know.
   
   P.S. actually I like these changes for 2.5 because they improve Struts to behave better in currently publicly known double evaluation reports. It also contains small yet safe other improvements. Please consider it as an ordinary PR that somebody would like to improve Struts. And please let me know any possibility of backward-compatibility issue.





[GitHub] [struts] coveralls edited a comment on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
coveralls edited a comment on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-877038063


   
   [![Coverage Status](https://coveralls.io/builds/45770583/badge)](https://coveralls.io/builds/45770583)
   
   Coverage increased (+0.2%) to 47.553% when pulling **e7834d4345c73dedfd582e9a616dd7f37db6e0f2 on fix/double_evaluations_2_5** into **8d0382c34e2cd9fcb6a53cd9ab5f76d81b0104c8 on struts-2-5-x**.
   





[GitHub] [struts] yasserzamani commented on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
yasserzamani commented on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-1016886548


   @aleksandr-m thanks for asking! Now by merging upstream into this branch by me, a test of TextField has two dynamic parameters set (one added by Lukasz). Then I saw that tests are passing with jdk7 and are failing with jdk8 and newer. Then I realized that different JDKs return different `order` for HashMap.entrySet(). So I changed to LinkedHashMap which keeps order to avoid a workaround like [click here](https://github.com/apache/struts/blob/8d0382c34e2cd9fcb6a53cd9ab5f76d81b0104c8/core/src/test/java/org/apache/struts2/views/freemarker/FreemarkerResultMockedTest.java#L121). Furthermore I think it's nice to keep dynamic attributes order same as added by user. And at bottom, LinkedHashMap is also a Map so I think it shouldn't be a breaking change.





Re: [GitHub] [struts] yasserzamani opened a new pull request #496: fix double evaluations

Posted by Greg Huber <gr...@gmail.com>.
...it now only allows alpha numeric and _.  Would this require some code 
refactoring?  Maybe a good thing?

On 09/07/2021 09:17, Yasser Zamani wrote:
> Hi Greg, thanks for reaching out!
>
> On 1400/4/18 12:07, Greg Huber wrote:
>> UIBean. 
>> <https://github.com/apache/struts/pull/496/files#diff-cfe644a2b24b492d6835fa1f38e7a770dad354b286cbe6b056a5fe7e80e669ca>escape(String 
>> name)
>>
>> // escape any possible values that can make the ID painful to work 
>> with in JavaScript
>>
>> old : return name.replaceAll("[\\/\\.\\[\\]]", "_");
>>
>> new: return name.replaceAll("[^a-zA-Z0-9_]", "_");
>>
>> Isn't this all alpha/numeric now?
>
> No it's all NOT alpha/numeric replaced with _ now. For more info 
> please refer to https://stackoverflow.com/q/67736476/1362623
>
> Regards.
>
>>
>> On 09/07/2021 07:17, GitBox wrote:
>>> yasserzamani opened a new pull request #496:
>>> URL: https://github.com/apache/struts/pull/496
>>>
>>>
>>>     address known issues reported at 
>>> https://securitylab.github.com/research/apache-struts-double-evaluation/ 
>>>
>>>
>>>
>>
>
>



Re: [GitHub] [struts] yasserzamani opened a new pull request #496: fix double evaluations

Posted by Yasser Zamani <ya...@apache.org>.
Hi Greg, thanks for reaching out!

On 1400/4/18 12:07, Greg Huber wrote:
> UIBean. 
> <https://github.com/apache/struts/pull/496/files#diff-cfe644a2b24b492d6835fa1f38e7a770dad354b286cbe6b056a5fe7e80e669ca>escape(String 
> name)
> 
> // escape any possible values that can make the ID painful to work with 
> in JavaScript
> 
> old : return name.replaceAll("[\\/\\.\\[\\]]", "_");
> 
> new: return name.replaceAll("[^a-zA-Z0-9_]", "_");
> 
> Isn't this all alpha/numeric now?

No it's all NOT alpha/numeric replaced with _ now. For more info please 
refer to https://stackoverflow.com/q/67736476/1362623

Regards.

> 
> On 09/07/2021 07:17, GitBox wrote:
>> yasserzamani opened a new pull request #496:
>> URL: https://github.com/apache/struts/pull/496
>>
>>
>>     address known issues reported at 
>> https://securitylab.github.com/research/apache-struts-double-evaluation/
>>
>>
> 
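
An upgrade check for the escape() change discussed in this exchange, as an added example that is not code from the pull request or from the Struts project. The two regular expressions are the ones quoted in the thread; the class name, the helper names and the sample list of names are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class EscapeUpgradeAudit {

    // Old rule as quoted in the thread: only / . [ ] are replaced.
    static String escapeOld(String name) {
        return name.replaceAll("[\\/\\.\\[\\]]", "_");
    }

    // New rule as quoted in the thread: everything outside [a-zA-Z0-9_] is replaced.
    static String escapeNew(String name) {
        return name.replaceAll("[^a-zA-Z0-9_]", "_");
    }

    // Conservative check: true when the value can be appended to a JavaScript
    // function name (as in autoPopulate_<escaped id>) without altering the script.
    static boolean safeInIdentifier(String s) {
        return s.matches("[a-zA-Z0-9_]*");
    }

    public static void main(String[] args) {
        // Constructed sample of names/ids an application might pass to UI tags.
        // The last four appear in the test changes quoted in the thread.
        String[] names = {
            "user.name", "user_name", "items[0].price",
            "myMap['name']", "hello!world", "cb.bc", "cb['\".\"'] = bc(){};//"
        };

        // Group the inputs by their new escaped form to expose collisions.
        Map<String, List<String>> byNewId = new LinkedHashMap<>();
        for (String n : names) {
            String oldId = escapeOld(n);
            String newId = escapeNew(n);
            byNewId.computeIfAbsent(newId, k -> new ArrayList<>()).add(n);
            System.out.printf("%-26s old=%-26s new=%-26s changed=%-5b oldSafe=%b%n",
                    n, oldId, newId, !oldId.equals(newId), safeInIdentifier(oldId));
        }

        // The new rule is many-to-one: different names can yield the same id.
        for (Map.Entry<String, List<String>> e : byNewId.entrySet()) {
            if (e.getValue().size() > 1) {
                System.out.println("collision on " + e.getKey() + ": " + e.getValue());
            }
        }
    }
}
```

Rows with changed=true are the ids whose escaped form differs after the upgrade, which is where page scripts or selectors that depend on the old form need review.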



[GitHub] [struts] lukaszlenart commented on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
lukaszlenart commented on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-933290515


   My technical reason is very simple: this PR will be mixed in with other changes and if users start to complain that something doesn't work after upgrade it can be very hard for us to figure out what's the core issue - this change or the other changes. If you want to you can prepare a strict security fix based on a STRUTS_2_5_26 tag and then release it separately. From my experience mixing security fixes with bug fixes isn't a good idea.





[GitHub] [struts] aleksandr-m commented on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
aleksandr-m commented on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-1016868300


   @yasserzamani Why is the `dynamicAttributes` type changed?





[GitHub] [struts] coveralls commented on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
coveralls commented on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-877038063


   
   [![Coverage Status](https://coveralls.io/builds/41240972/badge)](https://coveralls.io/builds/41240972)
   
   Coverage increased (+0.2%) to 47.541% when pulling **8d6e26e0feb8cb1669f45a66e458860534b94571 on fix/double_evaluations_2_5** into **a96dd31be6bd16fd84ca3d683208cae8774d75b4 on struts-2-5-x**.
   





[GitHub] [struts] lukaszlenart commented on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
lukaszlenart commented on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-932954782


   @yasserzamani me and @aleksandr-m expressed our concerns with introducing this change into the 2.5.x branch and you still ignore our votes and push your opinion. This is not the Apache way of collaborating.
   
   I have a suggestion, we can release the current state of the 2.5.x branch as Struts 2.5.27 and then introduce your change and release 2.5.28 which will contain only your change. I think this is the safest option we have.





[GitHub] [struts] yasserzamani commented on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
yasserzamani commented on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-932938755


   @lukaszlenart I double checked and most of them are additions or just java language improvements. Existing tests' functional changes are:
   
   ```diff
   -assertEquals(bean.escape("hello!world"), "hello!world");
   -assertEquals(bean.escape("hello!@#$%^&*()world"), "hello!@#$%^&*()world");
   +assertEquals(bean.escape("hello!world"), "hello_world");
   +assertEquals(bean.escape("hello!@#$%^&*()world"), "hello__________world");
   ```
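
   Review bot: in the second `+` assertion each of `!@#$%^&*()` maps to `_`, so the escape is now many-to-one and `hello!world` yields the same string as a literal `hello_world`; add an assertion that documents this collision, or state in the version notes that generated ids can coincide. The arguments are also passed as `(actual, expected)`, the reverse of JUnit's `assertEquals(expected, actual)`, which makes a failure message misleading.
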
   which isn't a breaking change because it's a Struts internal change.
   ```diff
   -tag.setId("cb.bc");
   +tag.setId("cb['\".\"'] = bc(){};//");
   ```
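
   Review bot: the `+` line replaces the test's only `setId` input, so the ordinary dotted id `cb.bc` is no longer exercised; keep the original case as its own test beside the new one so a regression in the common path is still caught.
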
   and consequently
   ```diff
   -<td class="tdLabel"><label for="cb.bc" class="label">mylabel:</label></td>
   +<td class="tdLabel"><label for="cb['&quot;.&quot;']=bc(){};//" class="label">mylabel:</label></td>
   ...
   -function autoPopulate_cb_bc(targetElement) {
   +function autoPopulate_cb__________bc_______(targetElement) {
   -<input type="text" name="foo" value="hello" id="cb.bc"/><br/>
   -<select onChange="autoPopulate_cb_bc(this);">
   +<input type="text" name="foo" value="hello" id="cb['&quot;.&quot;']=bc(){};//"/><br/>
   +<select onChange="autoPopulate_cb__________bc_______(this);">
   ```
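
   Review bot: the expected `for` and `id` attributes only show `"` being encoded (as `&quot;`), and the test id contains no `<`, `>` or `&`; add an id with those characters so the attribute encoding is asserted for them too. The `...` line also hides part of the expected output, so the full before/after cannot be compared from this hunk.
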
   which isn't a breaking change because it's a Struts internal change.
   ```diff
   -        <input type="radio" name="myMap['name']" id="myMap_'name'_"value=""/>
   -        <label for="myMap_'name'_">N/A</label>
   -        <input type="radio" name="myMap['name']" id="myMap_'name'_Opt." value="Opt."/>
   -        <label for="myMap_'name'_Opt.">Opt.</label>
   -        <input type="radio" name="myMap['name']" id="myMap_'name'_Std." checked="checked" value="Std."/>
   -        <label for="myMap_'name'_Std.">Std.</label>
   +       <input type="radio" name="myMap['name']" id="myMap__name__"value=""/>
   +       <label for="myMap__name__">N/A</label>
   +       <input type="radio" name="myMap['name']" id="myMap__name__Opt." value="Opt."/>
   +       <label for="myMap__name__Opt.">Opt.</label>
   +       <input type="radio" name="myMap['name']" id="myMap__name__Std." checked="checked" value="Std."/>
   +       <label for="myMap__name__Std.">Std.</label>
   ```
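
   Review bot: in the `+` lines the option value is still appended to the id unescaped (`myMap__name__Opt.` and `myMap__name__Std.` keep their dot), so the ids are only partly normalised; if the suffix is meant to follow the same rule, escape it as well, otherwise note that it is intentional. The first `input` also has no space between `id="myMap__name__"` and `value`, carried over from the `-` line.
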
   which isn't a breaking change because it's a Struts internal change.
   
   BTW can I merge at my own risk and responsibility? @apache/struts-committers 





[GitHub] [struts] yasserzamani commented on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
yasserzamani commented on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-933258977


   I think its philosophy is [respectful, honest, technical-based interaction](https://www.apache.org/foundation/how-it-works.html#philosophy) not `concern-based` and technically we haven't any reason I think.
   
   But at bottom as per `respectful` OK 👍 I keep this PR open for the second next release :) thanks a lot for your contribution and comments!





[GitHub] [struts] coveralls edited a comment on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
coveralls edited a comment on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-877038063


   
   [![Coverage Status](https://coveralls.io/builds/45764576/badge)](https://coveralls.io/builds/45764576)
   
   Coverage increased (+0.2%) to 47.553% when pulling **8a46e9313f296772b30f135912425a0e8b2e9844 on fix/double_evaluations_2_5** into **8d0382c34e2cd9fcb6a53cd9ab5f76d81b0104c8 on struts-2-5-x**.
   





[GitHub] [struts] yasserzamani commented on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
yasserzamani commented on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-1016946352


   @aleksandr-m LinkedHashMap didn't help either. I just reverted it and instead I fixed (improved) the corresponding test to be able to verify against any of multiple possibilities.





[GitHub] [struts] lukaszlenart commented on pull request #496: fix double evaluations

Posted by GitBox <gi...@apache.org>.
lukaszlenart commented on pull request #496:
URL: https://github.com/apache/struts/pull/496#issuecomment-886046084


   I have a huge concern if such a big change should be introduced in a minor version like 2.5.27 - I'm ok with having it in 2.6 as this is natural to break backward compatibility in a major version release. Users can be heavily impacted by these changes and won't be able to update their apps.

