czw., 30 sie 2018 o 10:40 Miguel Almeida <migueldealme...@gmail.com> napisał(a): > Out of curiosity, is the problem the conversion from List to XWorkList > mentioned > by Yasser > <https://issues.apache.org/jira/browse/WW-4954?focusedCommentId=16593382&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16593382> > ?
Yes, XWorkList lays in a excluded package that cannot be used directly in OGNL expressions. > Follow up questions: > > 1. What is the expected impact of this change? On our previous upgrade from > 34 to 35 our risk assessment determined no risk, based on the assumption > that the change was backwards compatible. Since it is not (and we need to > perform the additional change in struts.xml), can you tell us if there is > any area we should worry about when upgrading? Hard to say, we extended the excluded packages to prevent unknown feature vulnerabilities that can use those classes. It wasn't caused by any security report. So changing struts.xml shouldn't be a problem. > 2. Should the logs have shown this? With devMode=true, I see no difference > in the logs from 34 to 35 You should see a WARN from the SecurityMemberAccess class (devMode is not needed) > 3. Is it possible to change the release notes to tell about this > incompatibility? Going forward, is there a way to improve the compatibility > assessments? Yes, we can change them and not sure what do you mean improving the compatibility assessments? Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
