Struts 6.4.0
What's Changed
- WW-5341 Ensure exclusion list applies to objects from all ClassLoaders by @kusalk in #741
- WW-5342 Add option to block use of default package by @kusalk in #742
- WW-5339 Misc clean up in CompoundRootAccessor and OgnlValueStackTest by @kusalk in #745
- WW-5340 Preliminary refactor of OgnlUtil by @kusalk in #746
- [WW-5346] replace BeanManager::createInjectionTarget by @hepptho in #754
- WW-5340 Introducing OGNL Guard by @kusalk in #747
- WW-5348 Allow overriding of logging behaviour in DefaultAcceptedPatternsChecker by @kusalk in #757
- [WW-5338] Removes deprecated OgnlTool by @lukaszlenart in #758
- [WW-5344] Un-deprecates Sitemesh plugin and upgrades Sitemesh to ver 2.5.0 by @lukaszlenart in #759
- WW-5340 Mild refactor StrutsOgnlGuard for easier subclassing by @kusalk in #760
- WW-5349 Remove Struts core dependency on OGNL VarRefs by @kusalk in #763
- WW-5354 Ensure ActionSupport fields are not parameter injectable by @kusalk in #765
- WW-5355 Integrate W-TinyLfu cache and use by default by @kusalk in #766
- Improved the StrutsUrlDecoder so that charset retrieval is performed only once. by @mygreen in #773
- WW-5358 Expand exclusion lists by @kusalk in #774
- WW-5350 Refactor SecurityMemberAccess by @kusalk in #780
- [WW-5333] Refactors AttributeMap by @lukaszlenart in #779
- WW-5363 Velocity: read chained contexts before ValueStack by @kusalk in #789
- WW-5350 Implement OGNL Allowlist capability by @kusalk in #781
- WW-5363 Remove redundant method from VelocityManager by @kusalk in #793
- WW-5343 Make SecurityMemberAccess an extensible bean by @kusalk in #791
- WW-5364 Automatically populate OGNL allowlist by @kusalk in #800
- WW-5339 Add option to block custom OGNL maps by @kusalk in #806
- [WW-5370] Makes HttpParameters case-insensitive by @lukaszlenart in #807
- [WW-5371] Modern upload by @lukaszlenart in #808
- WW-5364 Add missing system allowlist classes by @kusalk in #815
- [WW-5373] Update JavaDoc CspReportAction.java by @assachs in #814
- [WW-5328] Removes deprecated setters by @lukaszlenart in #811
- [WW-5362] Removes type attribute out of <s:script/> tag by @lukaszlenart in #812
- WW-5378 Add option to NOT fallback to context lookup when finding value on OgnlValueStack by @kusalk in #821
- WW-5364 Add String.class to system allowlist by @kusalk in #828
- WW-5381 Introduce RootAccessor interface for extension point by @kusalk in #823
- WW-5379 Implement alternative mechanism for Velocity directives to obtain ValueStack by @kusalk in #822
- WW-5352 Repackage ParametersInterceptor and related classes by @kusalk in #829
- WW-5381 Introduce extension point for CompoundRootAccessor by @kusalk in #824
- [WW-5383] Updates RegEx to exclude JARs by default by @lukaszlenart in #830
- WW-5382 Fix stale injections in Dispatcher by @kusalk in #826
- WW-5381 Introduce extension point for MethodAccessor by @kusalk in #825
- WW-5352 Refactor ParametersInterceptor by @kusalk in #831
- [WW-5365] Reverts changes introduced in WW-5192 to allow evaluating the value attribute of Radio tag by @lukaszlenart in #835
- WW-5352 Clean up OgnlValueStackTest by @kusalk in #841
- [WW-5387] Fixes remove() signature by @lukaszlenart in #844
- [WW-5369] Re-define minimal library set by @lukaszlenart in #847
- [WW-5374] Allows to prepend reportUri with Servlet context by @lukaszlenart in #845
- [WW-5357] Adds support for disabled attribute to anchor tag by @lukaszlenart in #848
- WW-5352 Introducing the StrutsParameter annotation by @kusalk in #832
- [WW-5360] Introduces additional countStr & indexStr to allow to ignore conversion by @lukaszlenart in #852
- WW-5391 Add interface for VelocityManager extension point by @kusalk in #867
- WW-5394 Use request encoding by @aleksandr-m in #872
- s:file shows server/file location WW-5396 by @gregh3269 in #876
- [WW-5401] Improves logging around wrapping request and detecting multipart request by @lukaszlenart in #892
- WW-5364 Fix potential NPE in XmlDocConfigurationProvider by @kusalk in #894
- WW-5251 Reinstate deleted interfaces with transparent compat by @kusalk in #898
- WW-5251 Fix deprecated interface method signature by @kusalk in #900
- WW-5402 Auto loads Tiles definitions from classpath by @lukaszlenart in #896
- WW-5390 Fixes creating assembly and attaching sources when preparing a new release by @lukaszlenart in #903
Dependencies
- Moves all CI notifications to commits@ list by @lukaszlenart in #748
- Bump actions/checkout from 3 to 4 by @dependabot in #751
- Bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #752
- Bump actions/cache from 3.3.1 to 3.3.2 by @dependabot in #753
- Split SonarCloud into separate action by @kusalk in #755
- [WW-5347] Upgrades to commons-digester3 ver 3.2 by @lukaszlenart in #756
- Bump ossf/scorecard-action from 2.2.0 to 2.3.0 by @dependabot in #762
- Bump org.jfree:jfreechart from 1.5.1 to 1.5.4 by @dependabot in #740
- Add JDK 21 build by @kusalk in #764
- Fix conflicting dependencies by @kusalk in #767
- Bump org.codehaus.mojo:versions-maven-plugin from 2.7 to 2.16.1 by @dependabot in #768
- Bump org.owasp:dependency-check-maven from 7.2.0 to 8.4.2 by @dependabot in #771
- Bump ossf/scorecard-action from 2.3.0 to 2.3.1 by @dependabot in #775
- Bump junit:junit from 4.13.1 to 4.13.2 by @dependabot in #776
- Bump org.jacoco:jacoco-maven-plugin from 0.8.8 to 0.8.11 by @dependabot in #777
- Bump slf4j.version from 2.0.7 to 2.0.9 by @dependabot in #783
- Bump net.sf.jasperreports:jasperreports from 6.20.5 to 6.20.6 by @dependabot in #784
- Uses the new notifications@ list for all the messages from GitHub by @lukaszlenart in #788
- Send Jenkins notifications to the notifications@ list by @lukaszlenart in #790
- Bump jackson.version from 2.15.3 to 2.16.0 by @dependabot in #796
- Bump actions/setup-java from 3 to 4 by @dependabot in #804
- Builds Struts 7 as part of the main pipeline by @lukaszlenart in #813
- Bump github/codeql-action from 2 to 3 by @dependabot in #817
- Bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in #816
- Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 by @dependabot in #818
- Stops cleaning nightlies to allow to coexist different versions by @lukaszlenart in #834
- Bump org.apache.maven.plugins:maven-release-plugin from 3.0.0-M1 to 3.0.1 by @dependabot in #837
- Reduces log level to debug to reduce noise in the logs by @lukaszlenart in #838
- Bump actions/upload-artifact from 4.0.0 to 4.1.0 by @dependabot in #842
- Bump org.apache.commons:commons-compress from 1.23.0 to 1.25.0 by @dependabot in #820
- Extends sleep period to avoid breaking a build by @lukaszlenart in #849
- Upgrade maven to 3.9.6 and wrapper to 3.2.0 (cherry-pick from 7.x) by @sepe81 in #853
- Bump actions/upload-artifact from 4.1.0 to 4.2.0 by @dependabot in #855
- Fixes excluding Plexus container in OWASP scan by @lukaszlenart in #858
- Drops JDK11 build and fixes duplicated steps by @lukaszlenart in #859
- Small spelling and MD fixes (IntelliJ assisted) by @sepe81 in #854
- Stops running sonar.yml on forks by @lukaszlenart in #862
- Bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #864
- various dependency updates for master by @sepe81 in #863
- WW-5395 Bump commons-logging:commons-logging from 1.2 to 1.3.0 by @dependabot in #874
- Bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in #875
- Updates link to build status on Jenkins by @lukaszlenart in #878
- Bump org.apache.maven.doxia:doxia-core from 1.9.1 to 1.12.0 by @dependabot in #879
- Bump slf4j.version from 2.0.11 to 2.0.12 by @dependabot in #880
- Bump org.apache.maven.doxia:doxia-module-markdown from 1.9.1 to 1.12.0 by @dependabot in #883
- Bump maven-surefire-plugin.version from 3.0.0-M7 to 3.2.5 by @dependabot in #886
- Converts multiple file uploads example to use Action based upload by @lukaszlenart in #895
- Enables required review by codeowners by @lukaszlenart in #899
- Uses proper context name in branch protection rule by @lukaszlenart in #901
- WW-5397 Bump net.sf.jasperreports:jasperreports from 6.20.6 to 6.21.0 by @dependabot in #843
- WW-5398 Bump commons-validator:commons-validator from 1.6 to 1.8.0 by @dependabot in #882
- [WW-5399] Bump org.apache.commons:commons-compress from 1.25.0 to 1.26.0 by @dependabot in #884
- WW-5404 Bump log4j2.version from 2.21.1 to 2.23.1 by @dependabot in #902
New Contributors
- @hepptho made their first contribution in #754
- @mygreen made their first contribution in #773
- @assachs made their first contribution in #814
Full Changelog: STRUTS_6_3_0...STRUTS_6_4_0