You can’t without changing the code. We’re using the latest available Struts 1.x version, see https://struts.apache.org/download.cgi
We want to get rid of Struts but nobody has worked on this yet. The clean way of doing it would take about 30 days.
I did some quick analysis in the past of the work needed:
The work was started and made in a new module called “Resource API” (in a Maven xwiki-platform-resource module). Documentation for this Resource API is at https://extensions.xwiki.org/xwiki/bin/view/Extension/Resource%20API
The full refactoring would use this new API and remove the code depending on Struts by rewriting the code as XWiki Components (technically the big part of the work means converting Struts-based XWiki Actions into ResourceHandler Components).
FYI, right now XWiki already supports both Struts-based Actions and also ResourceHandler implementations as shown in the following architecture diagram:
Specifically this means doing the following work:
- Convert the 7 Struts Form beans - 1d
- Handle ability to forward to login.vm, deniedaccess.vm & userinactive.vm - 2d
- Convert the 52 Struts actions to Entity ResourceReferenceHandler - 20d
- Convert XWikiRequestProcessor - 1d
- Refactor XWikiAction accordingly - 1d
- Added missing features from the xwiki-platform-resource module - 2d
- Testing (including adding unit tests) and documentation updates - 3d
Total: 30 days of work.
Of course there’s also the option of working towards an upgrade from Struts 1.x to 2.x which is probably way less costly and maybe a more reasonable approach. However, in the end we’d like to remove Struts completely so I guess our preference would be to do… but it takes time. Someone needs to sponsor this (whether it’s a dev who would sponsor in his own free time, or a company like XWiki SAS sponsoring it, or some company using XWiki and wanting to participate in the development of it by contracting with XWiki SAS for example, etc).
One thing to do is to look in more detail into the Struts vulnerabilities and see if they affect XWiki or not and to what degree, since it’s probably possible to secure that from around XWiki (with some nginx/apache config for ex).
Some food for thought…