[jira] Resolved: (WW-2389) struts-tags.tld forbids all JSP runtime expressions in 2.0.11

[Don Brown (JIRA)]

     [ 
https://issues.apache.org/struts/browse/WW-2389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Don Brown resolved WW-2389.
---------------------------

    Resolution: Not A Problem
      Assignee: Don Brown

The change fixes a security vulnerability talked bout in WW-2107 

> struts-tags.tld forbids all JSP runtime expressions in 2.0.11
> -------------------------------------------------------------
>
>                 Key: WW-2389
>                 URL: https://issues.apache.org/struts/browse/WW-2389
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Expression Language
>    Affects Versions: 2.0.11
>            Reporter: Wolfgang Knauf
>            Assignee: Don Brown
>            Priority: Critical
>
> In 2.0.9, struts-tags.tld allowed runtime expressions.
> E.g. the "s:if" tag:
>   <tag>
>     <name>if</name>
>     ....
>     <attribute>
>       <name>test</name>
>       <required>true</required>
>       <rtexprvalue>true</rtexprvalue>
>       ....
>     </attribute>
> In 2.0.11, all "rtexprvalue" are set to FALSE (not even one "true" in the 
> whole file).
>     <attribute>
>       <name>test</name>
>       <required>true</required>
>       <rtexprvalue>false</rtexprvalue>
>       ...
>     </attribute>
> None of the jira issues from 2.0.10/2.0.11 relate to this, so I consider it a 
> major regression.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.