Expanders 9
Version 9 of Expanders introduces support for Jakarta EE as part of an effort to support this across our entire ecosystem. This also marks the completion of the first phase of this migration, where the entire JEE base application stack is supported for both Java EE and Jakarta EE, including process automation.
Breaking change for Struts2
With this release of Expanders, we support both Struts2 6.x and 7.x to match the different versions of JEE. Since Struts2 completely removed support for the fileUpload interceptor in version 7, we've now also removed it from our application stack. The reasoning behind this decision is that this interceptor was responsible for CVE-2024-53677, which has a score of 9.5 on the CVSS 4 scale. The alternative implementation using the actionFileUpload interceptor has been implemented across all of our expanders for several months now, but custom upload actions will also have to be refactored to switch to the new system. Regrettably, the impact of this change will not be visible at compile time, so care must be taken when upgrading to version 9 of Expanders.
Migration
The migration is fairly straightforward and is described in this migration guide from Struts2: https://struts.apache.org/core-developers/action-file-upload-interceptor
An action that handles uploads should be modified by implementing the UploadedFilesAware interface. With this interface comes a method withUploadedFiles() that should be implemented. To retain backwards compatibility with existing implementations, it is possible to set the values of existing fields in the class from this method, which were previously set dynamically by the old interceptor using reflection.
Below you will find a small sample of how we applied this migration to the AssetUploader class.
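// Before: the fields were set through reflection by the old fileUpload interceptor
public class AssetUploader extends ActionSupport {
  private File uploadData; // the actual file
  private String uploadDataContentType; // the content type of the file
  private String uploadDataFileName; // the uploaded file name
  // ...
}

// After: the same fields are set explicitly from withUploadedFiles()
import java.io.File;
import java.util.List;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;
// ActionSupport comes from com.opensymphony.xwork2 (Struts2 6.x) or org.apache.struts2 (Struts2 7.x)

public class AssetUploader extends ActionSupport implements UploadedFilesAware {
  private File uploadData; // the actual file
  private String uploadDataContentType; // the content type of the file
  private String uploadDataFileName; // the uploaded file name

  @Override
  public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
    if (!uploadedFiles.isEmpty()) {
      // Only the first uploaded file is used, as with the single-file fields above
      final UploadedFile uploadedFile = uploadedFiles.get(0);
      this.uploadData = new File(uploadedFile.getAbsolutePath());
      this.uploadDataContentType = uploadedFile.getContentType();
      this.uploadDataFileName = uploadedFile.getOriginalName();
    }
  }
}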
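Because the break does not show up at compile time, a source scan before upgrading can point out the custom upload actions that still need the migration. The script below is an added example, not part of Expanders or Struts2: it is a heuristic that assumes the old naming convention shown in the AssetUploader sample (fields X, XContentType, XFileName) and that Struts configuration lives in .xml files; the sample inputs are constructed.

```python
import re
import sys
from pathlib import Path

# Old convention: fields X, XContentType and XFileName filled in by reflection.
FIELD = re.compile(r"\b(?:private|protected|public)\s+[\w.<>\[\]]+\s+(\w+)\s*[;=]")
LEGACY_REF = re.compile(r"<interceptor-ref\s+name\s*=\s*[\"']fileUpload[\"']")

def legacy_upload_fields(java_source):
    """Base names X for which X, XContentType and XFileName are all declared."""
    names = set(FIELD.findall(java_source))
    return sorted(n for n in names
                  if n + "ContentType" in names and n + "FileName" in names)

def check_java(java_source):
    """Flag an action that keeps the old field triple without UploadedFilesAware."""
    fields = legacy_upload_fields(java_source)
    if fields and not re.search(r"\bimplements\b[^{]*\bUploadedFilesAware\b", java_source):
        return [f"upload fields {fields} found, but UploadedFilesAware is not implemented"]
    return []

def check_xml(xml_source):
    """Flag references to the removed fileUpload interceptor in configuration."""
    return [f"line {i}: references the removed fileUpload interceptor"
            for i, line in enumerate(xml_source.splitlines(), 1)
            if LEGACY_REF.search(line)]

def scan(root):
    """Map each offending .java/.xml file under root to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        check = {".java": check_java, ".xml": check_xml}.get(path.suffix)
        if check and path.is_file():
            found = check(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                report[str(path)] = found
    return report

# Constructed samples modelled on the AssetUploader snippet above.
BEFORE = """public class AssetUploader extends ActionSupport {
  private File uploadData;
  private String uploadDataContentType;
  private String uploadDataFileName;
}"""
AFTER = BEFORE.replace("ActionSupport {", "ActionSupport implements UploadedFilesAware {")
STRUTS_XML = '<action name="upload">\n  <interceptor-ref name="fileUpload"/>\n</action>'

if __name__ == "__main__":
    for file, findings in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(file, *findings, sep="\n  ")
```

An action that inherits UploadedFilesAware from a superclass is still reported, so treat each finding as a file to review rather than a confirmed defect.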