Thanks Lukasz,
On Thu, Aug 30, 2018 at 10:03 AM Lukasz Lenart <lukaszlen...@apache.org> wrote:

> Thu, 30 Aug 2018 at 10:40 Miguel Almeida <migueldealme...@gmail.com> wrote:
> > Out of curiosity, is the problem the conversion from List to XWorkList
> > mentioned by Yasser
> > <https://issues.apache.org/jira/browse/WW-4954?focusedCommentId=16593382&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16593382>
> > ?
>
> Yes, XWorkList lies in an excluded package that cannot be used directly
> in OGNL expressions.
>
> > Follow up questions:
> >
> > 1. What is the expected impact of this change? On our previous upgrade from
> > 34 to 35 our risk assessment determined no risk, based on the assumption
> > that the change was backwards compatible. Since it is not (and we need to
> > perform the additional change in struts.xml), can you tell us if there is
> > any area we should worry about when upgrading?
>
> Hard to say, we extended the excluded packages to prevent unknown
> feature vulnerabilities that can use those classes. It wasn't caused
> by any security report. So changing struts.xml shouldn't be a problem.
>
> > 2. Should the logs have shown this? With devMode=true, I see no difference
> > in the logs from 34 to 35
>
> You should see a WARN from the SecurityMemberAccess class (devMode is
> not needed)
>
> > 3. Is it possible to change the release notes to tell about this
> > incompatibility? Going forward, is there a way to improve the compatibility
> > assessments?
>
> Yes, we can change them, and I'm not sure what you mean by improving the
> compatibility assessments?

I mean being able to provide some more information in the release notes that allows one to spot backward incompatibilities more easily. I know this is a lot easier said than done, but the end goal is to improve the accuracy of the backward compatibility assessments.

Regards,
Miguel