6.1 Release Notes - Version 1.5.0 Release Candidate 2

Introduction

This section contains release notes for changes that have taken place to Struts, since the Version 1.5.0 Release Candidate 1 distribution. To keep up-to-date on all changes to the framework, subscribe to the (commits at struts.apache.org) list. To preview our plans for upcoming changes, please visit the Roadmap page.

  • Notes on upgrading are maintained in the Wiki Upgrade pages. The wiki is a community maintained resource - please feel free to add your input so that everyone can benefit from the collective experience.

For the version requirements of each library, see the Installation chapter.

Breaking changes

  • Changes to FileUpload handling:
    • Method FormFile.destroy: throws an IOException.
    • Method MultipartRequestHandler.elementsFile: returns HashMap<String, FormFile[];> instead Hashtable<String, List<FormFile>>
    • Method MockMultipartRequestHandler.elementsFile: returns HashMap<String, FormFile[];> instead Hashtable<String, List<FormFile>>

Issue Tracking

Bug

  • Correct file-upload-example
  • Add missing "maven-release-plugin" 3.0.1
  • Add missing "maven-antrun-plugin" 3.1.0
  • Exclude "doc-files" from export-packages in "MANIFEST.MF"
  • Add "CVE-2008-2025" info to "README"
  • JS validate email remove useless regular-expression character escape
  • Correct OSGi/JPMS name from integration-test-apps

Improvement

  • Add "versions-maven-plugin" 2.16.2 for updates reports
  • Security - Digester: Resolving XML external entity in user-controlled data
  • Fix for "CVE-2023-49735" Apache Tiles: Unvalidated input may lead to path traversal and XXE
  • Fix for "CVE-2023-34396" Apache Struts vulnerable to memory exhaustion
  • Add filtering for Option "text" when "filter" is set to "true"
  • Ensure Input-/OutputStream is closed and use try-with-resources
  • Fix for Apache Struts "CVE-2012-1007" Multiple Cross Site Scripting Vulnerabilities (Sample apps)
  • Change cryptographic algorithm from "MD5" to "SHA-256" for token generation
  • Improvements in FileUpload handling
  • Add property "multiple" to "html:file", "html-el:file" and "nested:file"

Task

  • Bump "webdrivermanager" from 5.6.2 to 5.7.0
  • Bump "htmlunit" from 3.9.0 to 3.11.0
  • Bump "cargo-maven3-plugin" from 1.10.11 to 1.10.12
  • Bump "maven-jxr-plugin" from 3.3.1 to 3.3.2
  • Bump "checkstyle" from 10.12.6 to 10.14.0
  • Bump "junit-jupiter-api" from 5.10.1 to 5.10.2
  • Bump "slf4j-api", "slf4j-simple" and "jcl-over-slf4j" from 2.0.9 to 2.0.12
  • Bump "selenium-api" and "selenium-java" from 4.16.1 to 4.18.1
  • Bump "groovy" from 4.0.17 to 4.0.18
  • Bump "maven-failsafe/surefire-[report]-plugin" from 3.2.3 to 3.2.5
  • Add example for multiple-file-upload
  • Update "README.md" to version 1.5.0-RC2
  • Set Version to 1.5.0-RC2

Next: Installation