v7.0.0-M3

What's Changed

• various dependency updates for master by @sepe81 in #863
• WW-5391 Add interface for VelocityManager extension point by @kusalk in #867
• [WW-5390] Fixes generating assemblies during release process by @lukaszlenart in #868
• Fixes problem with failing file upload tests by @lukaszlenart in #869
• [WW-5384] Update log4j2 to 2.22.1 and [WW-5393] caffeine to 3.1.8 including error_prone_annotations > 2.10.0 which depends on Java 11 by @sepe81 in #870
• Bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in #875
• WW-5395 Bump commons-logging:commons-logging from 1.2 to 1.3.0 by @dependabot in #874
• WW-5394 Use request encoding by @aleksandr-m in #872
• [WW-5388] Fixes a few issues in Servlet 6 file upload usage by @lukaszlenart in #873
• s:file shows server/file location WW-5396 by @gregh3269 in #876
• Merge master to 7-x-x 2024-02-16 by @lukaszlenart in #877

Full Changelog: STRUTS_7_0_0_M2...STRUTS_7_0_0_M3

v7.0.0-M2

What's Changed

• Fixes excluding Plexus container in OWASP scan by @lukaszlenart in #858
• Drops JDK11 build and fixes duplicated steps by @lukaszlenart in #859
• Small spelling and MD fixes (IntelliJ assisted) by @sepe81 in #854
• Stops running sonar.yml on forks by @lukaszlenart in #862
• WW-5352 Introducing the StrutsParameter annotation by @kusalk in #832
• [WW-5360] Introduces additional countStr & indexStr to allow to ignore conversion by @lukaszlenart in #852
• [WW-5388] Uses the latest JakartaEE FileUpload Servlet 6 package by @lukaszlenart in #861
• Merge master into 7-0-x branch - 2024-02-01 by @lukaszlenart in #866

Dependencies

• Upgrade maven to 3.9.6 and wrapper to 3.2.0 by @sepe81 in #851
• Upgrade maven to 3.9.6 and wrapper to 3.2.0 (cherry-pick from 7.x) by @sepe81 in #853
• Bump actions/upload-artifact from 4.1.0 to 4.2.0 by @dependabot in #855
• Bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #864

Full Changelog: STRUTS_7_0_0_M1...STRUTS_7_0_0_M2

v7.0.0-M1

What's Changed

• Moves all CI notifications to commits@ list by @lukaszlenart in #748
• WW-5341 Ensure exclusion list applies to objects from all ClassLoaders by @kusalk in #741
• WW-5342 Add option to block use of default package by @kusalk in #742
• WW-5339 Misc clean up in CompoundRootAccessor and OgnlValueStackTest by @kusalk in #745
• WW-5340 Preliminary refactor of OgnlUtil by @kusalk in #746
• [WW-5346] replace BeanManager::createInjectionTarget by @hepptho in #754
• Split SonarCloud into separate action by @kusalk in #755
• WW-5340 Introducing OGNL Guard by @kusalk in #747
• WW-5348 Allow overriding of logging behaviour in DefaultAcceptedPatternsChecker by @kusalk in #757
• [WW-5347] Upgrades to commons-digester3 ver 3.2 by @lukaszlenart in #756
• [WW-5338] Removes deprecated OgnlTool by @lukaszlenart in #758
• [WW-5344] Un-deprecates Sitemesh plugin and upgrades Sitmesh to ver 2.5.0 by @lukaszlenart in #759
• WW-5340 Mild refactor StrutsOgnlGuard for easier subclassing by @kusalk in #760
• WW-5349 Remove Struts core dependency on OGNL VarRefs by @kusalk in #763
• Add JDK 21 build by @kusalk in #764
• WW-5354 Ensure ActionSupport fields are not parameter injectable by @kusalk in #765
• WW-5355 Integrate W-TinyLfu cache and use by default by @kusalk in #766
• Improved the StrutsUrlDecoder so that charset retrieval is performed only once. by @mygreen in #773
• WW-5358 Expand exclusion lists by @kusalk in #774
• WW-5350 Refactor SecurityMemberAccess by @kusalk in #780
• [WW-5333] Refactors AttributeMap by @lukaszlenart in #779
• Uses the new notifications@ list for all the messages form Github by @lukaszlenart in #788
• Send Jenkins notifications to the notifications@ list by @lukaszlenart in #790
• WW-5363 Velocity: read chained contexts before ValueStack by @kusalk in #789
• WW-5350 Implement OGNL Allowlist capability by @kusalk in #781
• WW-5363 Remove redundant method from VelocityManager by @kusalk in #793
• WW-5343 Make SecurityMemberAccess an extensible bean by @kusalk in #791
• WW-5364 Automatically populate OGNL allowlist by @kusalk in #800
• WW-5339 Add option to block custom OGNL maps by @kusalk in #806
• [WW-5370] Makes HttpParameters case-insensitive by @lukaszlenart in #807
• [WW-5371] Modern upload by @lukaszlenart in #808
• Rebase struts-7-0-x branch by @lukaszlenart in #809
• Builds Struts 7 as part of the main pipeline by @lukaszlenart in #813
• WW-5364 Add missing system allowlist classes by @kusalk in #815
• [WW-5373] Update JavaDoc CspReportAction.java by @assachs in #814
• [WW-5328] Removes deprecated setters by @lukaszlenart in #811
• JakartaEE modules by @lukaszlenart in #810
• [WW-5362] Removes type attribute out of <s:script/> tag by @lukaszlenart in #812
• WW-5378 Add option to NOT fallback to context lookup when finding value on OgnlValueStack by @kusalk in #821
• WW-5364 Add String.class to system allowlist by @kusalk in #828
• Upgrades Mockito to ver 5.8.0 by @lukaszlenart in #827
• WW-5381 Introduce RootAccessor interface for extension point by @kusalk in #823
• WW-5379 Implement alternative mechanism for Velocity directives to obtain ValueStack by @kusalk in #822
• WW-5352 Repackage ParametersInterceptor and related classes by @kusalk in #829
• WW-5381 Introduce extension point for CompoundRootAccessor by @kusalk in #824
• [WW-5383] Updates RegEx to excludes JARs by default by @lukaszlenart in #830
• [Struts 7] Merge master to 7xx by @lukaszlenart in #833
• Stops cleaning nightlies to allow to coexist different versions by @lukaszlenart in #834
• WW-5382 Fix stale injections in Dispatcher by @kusalk in #826
• WW-5381 Introduce extension point for MethodAccessor by @kusalk in #825
• WW-5352 Refactor ParametersInterceptor by @kusalk in #831
• Reduces log level to debug to reduce noise in the logs by @lukaszlenart in #838
• [WW-5365] Reverts changes introduced in WW-5192 to allow evaluate the value attribute of Radio tag by @lukaszlenart in #835
• WW-5352 Clean up OgnlValueStackTest by @kusalk in #841
• [WW-5387] Fixes remove() signature by @lukaszlenart in #844
• [WW-5369] Re-define minimal library set by @lukaszlenart in #847
• [WW-5374] Allows to prepend reportUri with Servlet context by @lukaszlenart in #845
• Extends sleep period to avoid breaking a build by @lukaszlenart in #849
• [WW-5357] Adds support for disabled attribute to anchor tag by @lukaszlenart in #848
• [Struts-7] Merge master to 7xx 2024-01-20 by @lukaszlenart in #850

Dependencies

• Bump actions/checkout from 3 to 4 by @dependabot in #751
• Bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #752
• Bump actions/cache from 3.3.1 to 3.3.2 by @dependabot in #753
• Bump ossf/scorecard-action from 2.2.0 to 2.3.0 by @dependabot in #762
• Bump org.jfree:jfreechart from 1.5.1 to 1.5.4 by @dependabot in #740
• Fix conflicting dependencies by @kusalk in #767
• Bump org.codehaus.mojo:versions-maven-plugin from 2.7 to 2.16.1 by @dependabot in #768
• Bump org.owasp:dependency-check-maven from 7.2.0 to 8.4.2 by @dependabot in #771
• Bump ossf/scorecard-action from 2.3.0 to 2.3.1 by @dependabot in #775
• Bump junit:junit from 4.13.1 to 4.13.2 by @dependabot in #776
• Bump org.jacoco:jacoco-maven-plugin from 0.8.8 to 0.8.11 by @dependabot in #777
• Bump slf4j.version from 2.0.7 to 2.0.9 by @dependabot in #783
• Bump net.sf.jasperreports:jasperreports from 6.20.5 to 6.20.6 by @dependabot in #784
• Bump jackson.version from 2.15.3 to 2.16.0 by @dependabot in #796
• Bump actions/setup-java from 3 to 4 by @dependabot in #804
• Bump github/codeql-action from 2 to 3 by @dependabot in #817
• Bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in #816
• Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 by @dependabot in #818
• Bump org.apache.maven.plugins:maven-release-plugin from 3.0.0-M1 to 3.0.1 by @dependabot in #837
• Bump actions/upload-artifact from 4.0.0 to 4.1.0 by @dependabot in #842
• Bump org.apache.commons:commons-compress from 1.23.0 to 1.25.0 by @dependabot in #820

New Contributors

• @hepptho made their first contribution in #754
• @mygreen made their first contribution in #773
• @assachs made their first contribution in #814

Full Changelog: STRUTS_6_3_0...STRUTS_7_0_0_M1

Struts 2.5.33

What's changed

Version notes

Full Changelog: STRUTS_2_5_32...STRUTS_2_5_33

Struts 2.5.32

What's Changed

Version notes

Full Changelog: STRUTS_2_5_31...STRUTS_2_5_32

Struts 6.3.0

What's Changed

• [WW-5327] Stop using JavaBeans notation for setters in SecurityMemberAccess & MemberAccessValueStack by @lukaszlenart in #715
• [WW-5233] Include Apache Tiles code base in the Tiles plugin by @lukaszlenart in #608
• Update StreamResult.java - fix misspell by @ervinpm in #723
• WW-5332 Add validation for package name parsing by @kusalk in #726
• [WW-5327] Removes duplicated exclusion by @lukaszlenart in #729
• Uses Java 17 to perform Code Quality check by @lukaszlenart in #730
• WW-5334 Enable usage of junit-plugin inside velocity-plugin by @kusalk in #732
• [WW-5331] Uses proper signature of get() by @lukaszlenart in #727
• WW-5334 Extract ConventionJUnit4Test into correct module by @kusalk in #733
• Defines a proper CODEOWNERS file by @lukaszlenart in #728
• WW-5334 Misc VelocityManager code cleanup by @kusalk in #731
• WW-5337 Make SecurityMemberAccess exclusion checking more performant by @kusalk in #736
• WW-5336 Deprecate OgnlTool by @kusalk in #735
• WW-5334 Fix empty chained context names in VelocityManager by @kusalk in #744

Dependencies

• [WW-5315] Upgrades ASM to version 9.5 by @lukaszlenart in #695
• [WW-5316] Upgrades commons-io to version 2.13.0 by @lukaszlenart in #697
• [WW-5317] Upgrades log4j to version 2.20.0 by @lukaszlenart in #698
• upgrade Felix Maven Bundle Plugin by @hboutemy in #696
• Feature/update maven dependency plugin by @sepe81 in #699
• [WW-5318] Upgrades slf4j to version 2.0.7 by @lukaszlenart in #700
• Bump actions/upload-artifact from 3.1.0 to 3.1.2 by @dependabot in #702
• Bump actions/cache from 3.0.8 to 3.3.1 by @dependabot in #705
• Bump osgi.core from 7.0.0 to 8.0.0 by @dependabot in #701
• Bump stax2-api from 4.2 to 4.2.1 by @dependabot in #703
• Bump ossf/scorecard-action from 2.0.6 to 2.2.0 by @dependabot in #704
• Bump assertj-core from 3.15.0 to 3.24.2 by @dependabot in #707
• Bump jaxb-impl from 2.3.2 to 4.0.3 by @dependabot in #708
• Bump net.sf.jasperreports:jasperreports from 6.19.1 to 6.20.5 by @dependabot in #709
• Bump jackson.version from 2.14.1 to 2.15.2 by @dependabot in #713
• [WW-5325] Upgrades commons-lang3 to version 2.13.0 by @lukaszlenart in #714
• [WW-5329] Upgrades xstream to version 1.4.20 by @lukaszlenart in #721
• Drops duplicated dependency by @lukaszlenart in #737

New Contributors

• @ervinpm made their first contribution in #723

Full Changelog: STRUTS_6_2_0...STRUTS_6_3_0

Struts 6.2.0

What's Changed

• Updates OWASP suppressions as some reports are false positive by @lukaszlenart in #637
• Defines to autolink PRs to issues in ASF JIRA by @lukaszlenart in #638
• [WW-5263] Uses proper names for CSP, COOP and COEP interceptors by @lukaszlenart in #639
• [WW-5262] Extracts excluded classes and beans into dedicated XML config files by @lukaszlenart in #640
• WW-5199 Allow forwarding from/to actions by @kusalk in #642
• [WW-5264] Moves XSLT result into a dedicated plugin by @lukaszlenart in #641
• Applies permission to GH workflows by @lukaszlenart in #643
• [WW-5264] Removes XSLTResult from struts-default.xml as it was moved in to plugin by @lukaszlenart in #646
• WW-5265 Allow removal of a single/specific container provider by @kusalk in #645
• [WW-5269] Upgrades Jackson to version 2.14.1 by @lukaszlenart in #647
• [WW-5272] Extends <s:date/> to support java.sql.Time by @lukaszlenart in #649
• [WW-5277] Upgrades Freemarker to version 2.3.32 by @lukaszlenart in #651
• [WW-5274] Marks the Pell multipart plugin as deprecated by @lukaszlenart in #653
• [WW-5276] Cleans up also wrapper request to avoid resource leak and potential DoS attack by @lukaszlenart in #654
• [WW-4404] Http interceptor by @lukaszlenart in #655
• WW-5270 Fix forwarding from Struts excluded URL by @kusalk in #648
• WW-5278 Collect duplicated code into AbstractActionValidatorManager by @kusalk in #656
• WW-5279 Improve readability of XmlConfigurationProvider class by @kusalk in #657
• [WW-5275] Allows to provide a custom CspSettings per action by @lukaszlenart in #658
• WW-5284 Refactor ActionValidatorManager implementations by @kusalk in #659
• WW-5268 Ability to exempt classes from package exclusions by @kusalk in #660
• [WW-5285] Limits max number of files to upload at once by @lukaszlenart in #662
• WW-5290 Refactor ConfigurationManager by @kusalk in #666
• WW-5292 Allow overriding of Operations classes in two filter setup and assorted clean up by @kusalk in #667
• WW-5266 Implement struts.multipart.maxFileSize by @kusalk in #665
• WW-5196 use generics for RequestMap and ApplicationMap and correct SessionMap to also be of type <String, Object> by @sdutry in #585
• WW-5243 remove deprecated action prefix cross namespaces by @sdutry in #669
• WW-5253 Remove deprecated methods from DefaultUrlHelper by @sdutry in #671
• WW-5251 remove deprecated interfaces related to ServletConfigInterceptor by @sdutry in #670
• WW-5288 Make excluded package exemption logic more strict by @kusalk in #664
• WW-5293 Allow loading XML configuration from other than filesystem by @kusalk in #668
• Bump spring-core from 5.3.23 to 5.3.26 by @dependabot in #672
• [WW-5289] Fixes creating executor to avoid locking JVM on shutdown by @lukaszlenart in #673
• [WW-5295] Adds support for java.time.LocalTime to <s:date/> tag by @lukaszlenart in #677
• WW-5298 Clean up StrutsVelocityContext by @kusalk in #674
• WW-5299 Clean up ActionChainResult by @kusalk in #675
• WW-5300 Make Dispatcher methods overridable by @kusalk in #676
• WW-5308 Java templates plugin, add minlength and maxlength to textarea. by @gregh3269 in #683
• [WW-5280] Cleans up NoParameters interfaces by @lukaszlenart in #679
• [WW-5304] Drops deprecated methods and fields in ActionContext by @lukaszlenart in #680
• Improve [WW-4434] - add documentation and rename existing ftl to achieve the wanted behaviour by @fischey in #682
• Bump testng from 7.5 to 7.5.1 by @dependabot in #684
• [WW-5302] Evaluates the name attribute before assigning it to the id attribute by @lukaszlenart in #678
• Bump spring-core from 5.3.26 to 5.3.27 by @dependabot in #681
• [WW-5296] Uses proper DTDs by @lukaszlenart in #685
• [WW-5309] Supports patterns starting with variable by @lukaszlenart in #686
• WW-5301 Fix custom VelocityManager bean selection by @kusalk in #687
• [WW-5312] Attempt to fix ExecuteAndWaitInterceptor inconsistent processing by @JCgH4164838Gh792C124B5 in #688
• [WW-5310] Properly parses param value with equal sign by @lukaszlenart in #689
• WW-5288 follow-up test case updates by @JCgH4164838Gh792C124B5 in #690
• [WW-5261] Avoids creating ValueStack if no ActionContext is available by @lukaszlenart in #691
• WW-5314 Do not log warnings for bad user input from JakartaMultiPartRequest by @kusalk in #693
• [WW-5310] Supports fragment in URL by @lukaszlenart in #692

New Contributors

• @kusalk made their first contribution in #642
• @fischey made their first contribution in #682

Full Changelog: STRUTS_6_1_1...STRUTS_6_2_0

Struts 6.1.2.1

What's Changed

• Fixes addressing S2-063 & S2-064 by @yasserzamani

Full Changelog: STRUTS_6_1_2...STRUTS_6_1_2_1

Struts 2.5.31

What's Changed

• Fixes addressing S2-063 & S2-064 by @yasserzamani

Full Changelog: STRUTS_2_5_30...STRUTS_2_5_31

Struts 6.1.2

What's Changed

• [WW-5285] Limits max number of files to upload at once by @lukaszlenart in #662

Full Changelog: STRUTS_6_1_1...STRUTS_6_1_2