DO NOT REPLY [Bug 22715] New: - tomcat-user.xml re-writing with xml entities

[bu...@apache.org]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22715>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22715

tomcat-user.xml re-writing with xml entities

           Summary: tomcat-user.xml re-writing with xml entities
           Product: Tomcat 4
           Version: 4.1.27
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: Minor
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: paul.extance@spirent.com


I'm using the UserDatabase (org.apache.catalina.UserDatabase /
org.apache.catalina.users.MemoryUserDatabaseFactory) as configured by default 
with Tomcat 4.1.27.

Our System admin made a basic XML error, and in tomcat-users.xml put and entry 
in like...

<user username="tomcat" password="tom&cat" roles="tomcat" />

Obviously the '&' makes this invalid XML, and tomcat doesn't start...

We changed the & to &amp; the XML was then valid, the user account worked, 
life was good....

A few days later, after he restarted the server, it was broke again...

Seems that when Tomcat re-wrote out the tomcat-users.xml file, instead of 
escaping the & and writing it back out as &amp; it just put it out a &, so we 
were back to square one!

Question:
1) Is this a bug? 
2) Can I stop the 're-writing' part of this as a work around?
3) Are XML entities not allowed in tomcat-users.xml?