Even if it's probably not the best way to go, if you are not using includeParams all or get, you would not have to be concerned about S2-013 and S2-014.
Please check your app against S2-015 [1].

[1] https://cwiki.apache.org/confluence/display/WW/S2-015

Maurizio Cucchiara

On 4 June 2013 10:34, Shohji Mikami <smik...@nekonet.co.jp> wrote:
> Struts 2 security report S2-014 strongly recommends upgrading Struts to
> 2.3.14.2, but in our project current Struts 2.3.4.1 is difficult to upgrade.
> Our project member verified the problem of S2-014 and found -- when the
> includeParams="all" or "get" were not specified in s:url and s:a tag, no
> malfunctioning behavior was seen.
> I'd like to ask a question. As in our JSP application url/a tag neither
> includeParams="all" nor includeParams="get" is specified, we'd like to avoid
> upgrading Struts this time. Does this decision have a problem?
> Regards
> Shohji Mikami
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
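
The condition discussed in this thread (no `s:url` or `s:a` tag setting `includeParams` to `all` or `get`) can be verified across a JSP tree instead of by inspection. This is an added example, not part of the original messages: it assumes the Struts taglib uses the prefix `s`, and the function names and sample JSP are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Opening <s:url ...> / <s:a ...> tag, possibly spanning lines. \b keeps
# <s:action> out. Limitation: a literal '>' inside an attribute value ends
# the match early, so such tags need a manual look.
TAG_RE = re.compile(r"<s:(url|a)\b([^>]*)>", re.DOTALL)
ATTR_RE = re.compile(r"""\bincludeParams\s*=\s*(["'])(.*?)\1""", re.DOTALL)

def scan_jsp(text, name="<inline>"):
    """Return (file, line, tag, value, verdict) for each s:url / s:a tag."""
    findings = []
    for m in TAG_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        attr = ATTR_RE.search(m.group(2))
        if attr is None:
            # Tag inherits the application-wide default (the
            # struts.url.includeParams constant, not mentioned in the
            # thread), so that setting has to be checked as well.
            value, verdict = None, "unset"
        else:
            value = attr.group(2).strip()
            if value.lower() in ("all", "get"):
                verdict = "flag"      # the setting the thread is about
            elif value.lower() == "none":
                verdict = "ok"
            else:
                verdict = "review"    # expression, not resolvable statically
        findings.append((name, line, "s:" + m.group(1), value, verdict))
    return findings

def scan_tree(root):
    """Scan every JSP-like file under root; return non-'ok' findings."""
    out = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in (".jsp", ".jspf", ".tag"):
            text = p.read_text(encoding="utf-8", errors="replace")
            out += [f for f in scan_jsp(text, str(p)) if f[4] != "ok"]
    return out

# Constructed sample JSP, not taken from any real application.
SAMPLE = '''<%@ taglib prefix="s" uri="/struts-tags" %>
<s:url action="list" var="u1"/>
<s:url action="list" includeParams="get" var="u2"/>
<s:a action="edit"
     includeParams="all">Edit</s:a>
<s:url action="x" includeParams="none"/>
<s:url action="y" includeParams="%{mode}"/>
<s:action name="z"/>
'''

if __name__ == "__main__":
    rows = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_jsp(SAMPLE)
    for row in rows:
        print("%s:%d <%s> includeParams=%r -> %s" % row)
```

Tags reported as `unset` or `review` are not confirmed safe by the scan; they only narrow down what has to be checked by hand.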