On Thu, February 16, 2006 9:45 am, Niall Pemberton said:
> My view is that this is a "security hole" that we are fixing, not adding
> a new feature. I also think that the original RequestProcessor and
> TilesRequestProcessor offer people a way of upgrading to 1.3 and use
> tried and tested code - without having to adopt the CoR
> implementation.
>
> Since I have implemented the Cancellable behaviour in the 1.2.x
> branch, then either it needs also applying to the 1.3 branch or that
> change needs to be reversed.
>
> We probably should release a Struts 1.2.9 to fix this issue and the
> "DOS attack" issue and I am willing to do that - probably have time in
> a couple of weeks.

+1 to Niall's comments, and therefore a non-binding -1 to tagging the repository... I don't see the point in even simply tagging if there are two outstanding security issues.

By the way, I didn't catch the DOS hole... can someone point me at the appropriate ticket?

> Niall

Frank