I think probably give it 1 more month before releasing 6.4.0 as Atlassian
should have collected any relevant feedback and have received the results
of the security audit by then. I also have a handful more minor patches to
contribute :)

On Fri, 9 Feb 2024 at 17:18, Lukasz Lenart <lukaszlen...@apache.org> wrote:

> This is great news and thanks a lot for your contribution! Also it's
> time to prepare a new release then :D
>
> Cheers
> Lukasz
>
> On Fri, 9 Feb 2024 at 03:31, Kusal Kithul-Godage
> <kkithulgod...@atlassian.com.invalid> wrote:
> >
> > Hi all,
> >
> > Atlassian is very excited to have shipped the Struts OGNL Allowlist and
> > Parameter Annotation features in Confluence Data Center 8.8! We believe it
> > to be one of the greatest uplifts in Struts' security posture since its
> > inception, and one which will ensure Struts remains a viable option for web
> > development.
> >
> > Whilst we await Atlassian customer and plugin vendor feedback, we've
> > additionally commissioned an audit of the design and implementation by an
> > external security firm.
> >
> > However, we'd really love for all Struts developers to test and provide
> > feedback on these new capabilities ahead of their default enablement in
> > Struts 7.0. To do so, please switch to the latest test build of Struts 6.4
> > or 7.0 and enable the following options:
> >
> >    - struts.parameters.requireAnnotations=true
> >    - struts.allowlist.enable=true
> >
> > Further information on configuring these capabilities can be found in
> > the Struts Security doc
> > <https://struts.apache.org/security/#defining-and-annotating-your-action-parameters>
> > under the 'Defining and annotating your Action parameters' and 'Allowlist
> > Capability' headings.
> >
> > Best regards,
> >
> > *KUSAL KITHUL-GODAGE*
> > Software Engineer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
>
>
