Hi,

Trying to drag a legacy app forward and running into a breaking change
based on the fact that we're using struts2 to serve some JSPs from a
directory outside our context root by taking advantage of the now-patched
directory traversal exploit.

Essentially the action class is returning @Result(location="../../foo.jsp").
Previously this would be flattened from
appName/web-inf/content/../../foo.jsp into appName/foo.jsp (I think by
RequestUtil?) but now it is not, so the StrictHttpFirewall isNormalized
check fails.

My question is if there's any way to configure our installation in some way
to either identify the alternate directory as a root for these other jsps
(while still functioning for the jsps that are correctly in
web-inf/content) or to allow a specific directory traversal in some
context.

Appreciate any input!

Alex
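To make the failure mode concrete, here is an added Java example (not part of this thread, and not Struts' or Spring Security's own code) of the kind of check that now rejects the traversal form, alongside a resolver that serves a JSP from a separately configured root without any "..". The class name, the `resolveWithinRoot` helper and the `/appName/...` paths are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Illustrative reimplementation, in the spirit of StrictHttpFirewall.isNormalized:
// a location is accepted only if no path segment is "." or "..", so a result
// location such as "../../foo.jsp" is rejected before anything tries to
// dispatch to it. This is an educational sketch, not the library's code.
public final class ResultLocationCheck {

    /** True if no segment of the location is "." or "..". */
    public static boolean isNormalized(String location) {
        if (location == null) {
            return false;
        }
        for (String segment : location.split("/", -1)) {
            if (segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        return true;
    }

    /**
     * Resolve a result location against a configured root without allowing it
     * to escape that root. Returns null when the location is rejected, either
     * because it is not normalized or because the resolved path lands outside
     * the root (e.g. an absolute location). The roots used below are hypothetical.
     */
    public static Path resolveWithinRoot(Path root, String location) {
        if (!isNormalized(location)) {
            return null;
        }
        Path resolved = root.resolve(location).normalize();
        if (!resolved.startsWith(root)) {
            return null;
        }
        return resolved;
    }

    public static void main(String[] args) {
        Path contentRoot = Paths.get("/appName/WEB-INF/content").normalize();
        Path legacyRoot = Paths.get("/appName/legacy").normalize();

        // The traversal-based location from the post: rejected by the check.
        System.out.println(resolveWithinRoot(contentRoot, "../../foo.jsp")); // null

        // A JSP that lives under the normal content root: accepted.
        System.out.println(resolveWithinRoot(contentRoot, "foo.jsp"));

        // The same JSP served from a second configured root: no traversal needed.
        System.out.println(resolveWithinRoot(legacyRoot, "foo.jsp"));

        // An absolute location cannot be used to jump roots either.
        System.out.println(resolveWithinRoot(contentRoot, "/etc/passwd")); // null
    }
}
```

The point of the second root is that the alternate directory is named explicitly in configuration and checked with `startsWith`, so the old behaviour of flattening `..` on the way through is never needed and nothing under `WEB-INF/content` loses its protection.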
