Author: rgielen
Date: Tue Jul 15 16:18:33 2008
New Revision: 677084

URL: http://svn.apache.org/viewvc?rev=677084&view=rev
Log:
Site updates for 2.0.11.2 GA
- describe the known issues with Struts 2.0.11.2

Modified:
    struts/site/src/site/xdoc/index.xml

Modified: struts/site/src/site/xdoc/index.xml
URL: http://svn.apache.org/viewvc/struts/site/src/site/xdoc/index.xml?rev=677084&r1=677083&r2=677084&view=diff
==============================================================================
--- struts/site/src/site/xdoc/index.xml (original)
+++ struts/site/src/site/xdoc/index.xml Tue Jul 15 16:18:33 2008
@@ -70,9 +70,44 @@
             </p>
 
             <p>
-            For changes included in Struts 2.0.11.2,
-            see the <a 
href="http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html";>release 
notes</a>.
-            Struts 2.0.11.2 provides important security bugfixes since the 
2.0.11.1 GA release.
+                For changes included in Struts 2.0.11.2,
+                see the <a 
href="http://struts.apache.org/2.0.11.2/docs/release-notes-20112.html";>release 
notes</a>.
+                Struts 2.0.11.2 provides important security bugfixes since the 
2.0.11.1 GA release.
+            </p>
+            <p>
+                <b>IMPORTANT ADDITIONAL NOTES:</b>
+                <p/>
+                There are two known issues with this release:
+                <ol>
+                    <li>
+                        the integrated XWork 2.0.5 jar may cause problems when 
used in a combination of WebSphere 6.1 runtime environments with validation 
configuration via XML files.
+                        Possible Workarounds:
+                        <ul>
+                            <li>use annotation based validation definition 
instead XML based</li>
+                            <li>stay with Struts 2.0.11.1 including XWork 
2.0.4, applying the following exclude rule to your parameter interceptor refs 
in struts.xml
+<pre>
+&lt;interceptor-ref name="params"&gt;
+    &lt;param 
name="excludeParams"&gt;.*[[^\\p{Graph}][\\\\#:=]].*&lt;/param&gt;
+&lt;/interceptor-ref&gt;
+</pre>
+                            </li>
+                        </ul>
+                    </li>
+                    <li>
+                        the filtering mechanism implemeted in XWork's 
ParametersInterceptor to fix the described security issue does not completely 
avoid any possible malicious parameter name.
+                        Possible Workaround:
+                        <ul>
+                            <li>apply the following exclude rule to your 
parameter interceptor refs in struts.xml to avoid the usage of backslash 
charater in parameter names
+<pre>
+&lt;interceptor-ref name="params"&gt;
+    &lt;param name="excludeParams"&gt;.*\\.*&lt;/param&gt;
+&lt;/interceptor-ref&gt;
+</pre>
+                            </li>
+                        </ul>
+                    </li>
+                </ol>
+                Both issues will be addressed in a soon upcoming XWork 2.0.6 
release, followed by a new Struts 2.0 GA release including this new XWork 
version.
             </p>
             </subsection>
 
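Review bot: In the first <pre> block, the excludeParams value `.*[[^\\p{Graph}][\\\\#:=]].*` looks like it was copied with Java string-literal escaping, while the second block writes a single backslash as `\\` in `.*\\.*`. A value in struts.xml is plain XML text, so if it reaches the regex compiler as written, `\\p{Graph}` is a literal backslash followed by the letters rather than the \p{Graph} class, and the negated set would then match almost every parameter name. Suggest using one escaping level in both snippets (`\p{Graph}` and `\\` in the first) and saying explicitly that the pattern is pasted verbatim into struts.xml. Smaller points in the same hunk: the new paragraph nests <p/>, <ol> and <pre> inside <p>, so the <p> is better closed before the list; "implemeted", "charater" and "instead XML based" need fixing; and "does not completely avoid any possible malicious parameter name" would read more clearly as "does not block every malicious parameter name".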

