On 2/16/06, Ted Husted <[EMAIL PROTECTED]> wrote:
> I've now tested the applications with the legacy RP and updated the
> Release Notes as to the new "Opt-In Cancel Handler".
>
> At this point, I'd rather not update the legacy RP to support Opt-In
> Cancel Handling. If we make any further changes to this feature, or
> any other new feature, we'd have to maintain the code in two places.
> As long as the behavior gracefully degrades, it seems reasonable to me
> to add new features to the new RequestProcessor and leaving the legacy
> RP alone (unless the 1.2.x branch is also going to be released - but
> no one has volunteered to do that). If people want access to features
> new to 1.3, they can use the new RP. If the new CRP passes muster and
> remains the default for 1.3.1, we should move the legacy RP to
> "extras" and deprecate it.

My view is that this is a "security hole" that we are fixing, not adding a
new feature. I also think that the original RequestProcessor and
TilesRequestProcessor offer people a way of upgrading to 1.3 and use
tried and tested code - without having to adopt the CoR implementation.

Since I have implemented the Cancellable behaviour in the 1.2.x
branch, then either it needs also applying to the 1.3 branch or that
change needs to be reversed. We probably should release a Struts 1.2.9
to fix this issue and the "DOS attack" issue and I am willing to do
that - probably have time in a couple of weeks.

> If this change prompts anyone to change their vote, please chime-in
> now. A release plan is a majority vote, so we need three binding +1s
> from PMC members and more binding +1s than -1s. A +1 here is on
> tagging the repository. A quality vote would follow once the test
> builds are posted.

I realize the plan vote and quality vote are separate issues, but IMO
the DOS attack bug is v.serious - you can stop a whole web app from
working using it - and I don't understand why we're not fixing it in
1.3.0. IMO 1.3.0 is never going to be more than a beta with this "DOS
attack" bug - or with the original request processor "cancellable"
security hole. Both are really bad.

Niall

> -Ted.