Fri, 10 Jan 2025 at 16:41 Scott Hiland <sc...@ddblabs.com> wrote:
>
> Thank you to the dev team for the excellent work and to Lukasz for the
> 2.5 -> 6 migration page.
>
> I wanted to make a contribution to the wiki regarding an upgrade issue we
> encountered on an older system during our move from 2.5 to 6.7 due to the
> file upload path traversal vulnerability.
>
> I didn't find a new account page on the Apache Confluence to request an
> account or I'd be happy to do it myself.
>
> Our finding was that Struts OGNL expressions gained an imposed default
> maximum length of 256 characters at some point between 2.5 -> 6, and in
> order to avoid broken functionality from the upgrade, we had to add
> struts.ognl.expressionMaxLength constant to our struts.xml and set it to
> something slightly longer.
>
> https://struts.apache.org/security/#apply-a-maximum-allowed-length-on-ognl-expressions

Thanks for your findings, I added the following section. Please let me know
if this works for you or rephrase it and I will update the section.

https://cwiki.apache.org/confluence/display/WW/Struts+2.5+to+6.0.0+migration#Struts2.5to6.0.0migration-Limitedexpressionlength

> How can I get a wiki account to mention it, or would someone rather update
> the migration page to mention it as a potential issue?

You can request access here
https://selfserve.apache.org/confluence-account.html

Cheers
Łukasz
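
Added example, not part of the original thread and not Struts project code: a pre-upgrade check that walks a source tree and reports `%{...}` OGNL expressions longer than the 256-character default mentioned above, so a value for struts.ognl.expressionMaxLength can be chosen from the longest one found. It assumes expressions are written in `%{...}` form and that the limit applies to the text inside the braces; the function names, file suffixes and sample input are constructed for illustration.

```python
from pathlib import Path

DEFAULT_MAX = 256  # default limit reported in the thread above


def ognl_expressions(text):
    """Yield (line_no, expr) for each %{...} block, matching nested braces."""
    i = 0
    while (start := text.find("%{", i)) != -1:
        depth, j = 1, start + 2
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        if depth:  # unterminated block: nothing more to extract
            return
        yield text.count("\n", 0, start) + 1, text[start + 2 : j - 1]
        i = j


def over_limit(text, limit=DEFAULT_MAX):
    """Return [(line_no, length)] for expressions longer than `limit`."""
    return [(ln, len(e)) for ln, e in ognl_expressions(text) if len(e) > limit]


def scan_tree(root, limit=DEFAULT_MAX, suffixes=(".jsp", ".ftl", ".xml")):
    """Walk a source tree; return {path: [(line_no, length), ...]}."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            found = over_limit(path.read_text(errors="replace"), limit)
            if found:
                hits[str(path)] = found
    return hits


# Constructed sample: one short expression and one 296-character expression.
SAMPLE = (
    '<s:property value="%{user.name}"/>\n'
    '<s:if test="%{' + " || ".join(["a == 1"] * 30) + '}">\n'
)

if __name__ == "__main__":
    import sys
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": over_limit(SAMPLE)}
    for name, found in report.items():
        for line_no, length in found:
            print(f"{name}:{line_no}: OGNL expression is {length} chars (limit {DEFAULT_MAX})")
```

Braces inside OGNL string literals are counted like any other brace, so treat the reported lengths as a guide and confirm flagged expressions by hand.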