Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/03/18 10:54:55 UTC

svn commit: r1578804 - in /tomcat/tc6.0.x/trunk: ./ java/org/apache/catalina/core/ java/org/apache/jasper/ java/org/apache/jasper/compiler/ webapps/docs/ webapps/docs/config/

Author: markt
Date: Tue Mar 18 09:54:55 2014
New Revision: 1578804

URL: http://svn.apache.org/r1578804
Log:
Make the xmlBlockExternal option in Catalina and Jasper default to true. Patch by kkolinko.

Modified:
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationContext.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java
    tomcat/tc6.0.x/trunk/java/org/apache/jasper/JspC.java
    tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java
    tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspConfig.java
    tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspDocumentParser.java
    tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
    tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TagPluginManager.java
    tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TldLocationsCache.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1578804&r1=1578803&r2=1578804&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Tue Mar 18 09:54:55 2014
@@ -28,12 +28,6 @@ None
 PATCHES PROPOSED TO BACKPORT:
   [ New proposals should be added at the end of the list ]
 
-* Make the xmlBlockExternal option in Catalina and Jasper to be true by default.
-  https://people.apache.org/~kkolinko/patches/2014-02-17_tc6_xmlBlockExternalTrue.patch
-  (backport of r1564747)
-  +1: kkolinko, markt, remm
-  -1:
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56208
   Restore validateXml option in Jasper.
   Motivation: It is mentioned in documentation and some users complained on

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationContext.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationContext.java?rev=1578804&r1=1578803&r2=1578804&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationContext.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/ApplicationContext.java Tue Mar 18 09:54:55 2014
@@ -260,9 +260,7 @@ public class ApplicationContext
             return "true";
         }
         if (Globals.JASPER_XML_BLOCK_EXTERNAL_INIT_PARAM.equals(name)) {
-            if (context.getXmlBlockExternal()) {
-                return "true";
-            } else if (Globals.IS_SECURITY_ENABLED) {
+            if (!context.getXmlBlockExternal()) {
                 // System admin has explicitly changed the default
                 return "false";
             }
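Review bot: With blocking enabled (now the default), the `Globals.JASPER_XML_BLOCK_EXTERNAL_INIT_PARAM` branch no longer returns a fixed `"true"`; it falls out of the `if`, and the value comes from whatever follows the hunk. The rest of the method is not visible here, but if it returns the context parameters declared by the web application, an application-supplied `false` would undo the container-level setting, which the removed `return "true";` prevented. Consider keeping the container authoritative with `return context.getXmlBlockExternal() ? "true" : "false";`, and adding the name unconditionally in the next hunk's `names.add(Globals.JASPER_XML_BLOCK_EXTERNAL_INIT_PARAM)` so both methods agree. At minimum, extend the comment to say that Jasper reads a missing value as `true`, since that is what makes the fall-through intentional.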
@@ -293,7 +291,7 @@ public class ApplicationContext
         if (context.getTldValidation()) {
             names.add(Globals.JASPER_XML_VALIDATION_TLD_INIT_PARAM);
         }
-        if (context.getXmlBlockExternal() || Globals.IS_SECURITY_ENABLED) {
+        if (!context.getXmlBlockExternal()) {
             names.add(Globals.JASPER_XML_BLOCK_EXTERNAL_INIT_PARAM);
         }
         return Collections.enumeration(names);

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1578804&r1=1578803&r2=1578804&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java Tue Mar 18 09:54:55 2014
@@ -651,7 +651,7 @@ public class StandardContext
     /**
      * Attribute used to turn on/off the use of external entities.
      */
-    private boolean xmlBlockExternal = Globals.IS_SECURITY_ENABLED;
+    private boolean xmlBlockExternal = true;
 
 
     /**
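Review bot: The Javadoc on `xmlBlockExternal` still says "turn on/off the use of external entities", which leaves the polarity unclear now that the field is initialised to `true` and `true` means external entities are blocked. I would reword it to `Whether XML parsers used for this web application block external entities. Defaults to <code>true</code> (blocked).` so the secure default is stated where the field is declared.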

Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/JspC.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/JspC.java?rev=1578804&r1=1578803&r2=1578804&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/jasper/JspC.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/JspC.java Tue Mar 18 09:54:55 2014
@@ -125,6 +125,7 @@ public class JspC extends Task implement
     protected static final String SWITCH_DUMP_SMAP = "-dumpsmap";
     protected static final String SWITCH_VALIDATE_TLD = "-validateTld";
     protected static final String SWITCH_BLOCK_EXTERNAL = "-blockExternal";
+    protected static final String SWITCH_NO_BLOCK_EXTERNAL = "-no-blockExternal";
     protected static final String SHOW_SUCCESS ="-s";
     protected static final String LIST_ERRORS = "-l";
     protected static final int INC_WEBXML = 10;
@@ -145,7 +146,7 @@ public class JspC extends Task implement
     protected boolean trimSpaces = false;
     protected boolean genStringAsCharArray = false;
     protected boolean validateTld;
-    protected boolean blockExternal;
+    protected boolean blockExternal = true;
     protected boolean xpoweredBy;
     protected boolean mappedFile = false;
     protected boolean poolingEnabled = true;
@@ -358,6 +359,8 @@ public class JspC extends Task implement
                 setValidateTld(true);
             } else if (tok.equals(SWITCH_BLOCK_EXTERNAL)) {
                 setBlockExternal(true);
+            } else if (tok.equals(SWITCH_NO_BLOCK_EXTERNAL)) {
+                setBlockExternal(false);
             } else {
                 if (tok.startsWith("-")) {
                     throw new JasperException("Unrecognized option: " + tok +
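Review bot: The new `-no-blockExternal` switch is the only command-line way to turn blocking off now that `blockExternal` defaults to `true`, yet nothing in this commit documents it. The modified-file list contains no usage or resource file, and `SWITCH_NO_BLOCK_EXTERNAL` carries no comment. Add a line for it next to `-blockExternal` in the JspC usage text, and a comment such as `// Disables the default blocking of XML external entities; intended for trusted input only`. The existing `-blockExternal` branch is now redundant with the default and deserves a one-line note that it is kept for compatibility. The option-parsing loop starts and ends outside the hunk.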
@@ -1447,9 +1450,8 @@ public class JspC extends Task implement
         if (isValidateTld()) {
             context.setInitParameter(Constants.XML_VALIDATION_TLD_INIT_PARAM, "true");
         }
-        if (isBlockExternal()) {
-            context.setInitParameter(Constants.XML_BLOCK_EXTERNAL_INIT_PARAM, "true");
-        }
+        context.setInitParameter(Constants.XML_BLOCK_EXTERNAL_INIT_PARAM,
+                String.valueOf(isBlockExternal()));
 
         rctxt = new JspRuntimeContext(context, this);
         jspConfig = new JspConfig(context);

Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java?rev=1578804&r1=1578803&r2=1578804&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java Tue Mar 18 09:54:55 2014
@@ -134,7 +134,7 @@ class ImplicitTagLibraryInfo extends Tag
                                             Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
                             boolean blockExternal;
                             if (blockExternalString == null) {
-                                blockExternal = Constants.IS_SECURITY_ENABLED;
+                                blockExternal = true;
                             } else {
                                 blockExternal = Boolean.parseBoolean(blockExternalString);
                             }
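Review bot: `Boolean.parseBoolean(blockExternalString)` fails open: any value other than a case-insensitive `true` (a typo, `yes`, `1`, an empty string) yields `false` and silently disables external-entity blocking, which sits badly with the new secure default. Only an explicit `false` should switch the protection off, for example `blockExternal = !"false".equalsIgnoreCase(blockExternalString);`. The same five-line block is repeated in the JspConfig, JspDocumentParser, TagLibraryInfoImpl and TagPluginManager hunks and twice in TldLocationsCache. Moving it into one shared helper would keep the default and the parsing rule from drifting apart. The enclosing method starts and ends outside the hunk.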

Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspConfig.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspConfig.java?rev=1578804&r1=1578803&r2=1578804&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspConfig.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspConfig.java Tue Mar 18 09:54:55 2014
@@ -94,7 +94,7 @@ public class JspConfig {
                     ctxt.getInitParameter(Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
             boolean blockExternal;
             if (blockExternalString == null) {
-                blockExternal = Constants.IS_SECURITY_ENABLED;
+                blockExternal = true;
             } else {
                 blockExternal = Boolean.parseBoolean(blockExternalString);
             }

Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspDocumentParser.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspDocumentParser.java?rev=1578804&r1=1578803&r2=1578804&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspDocumentParser.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspDocumentParser.java Tue Mar 18 09:54:55 2014
@@ -131,7 +131,7 @@ class JspDocumentParser
                 Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
         boolean blockExternal;
         if (blockExternalString == null) {
-            blockExternal = Constants.IS_SECURITY_ENABLED;
+            blockExternal = true;
         } else {
             blockExternal = Boolean.parseBoolean(blockExternalString);
         }

Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java?rev=1578804&r1=1578803&r2=1578804&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java Tue Mar 18 09:54:55 2014
@@ -226,7 +226,7 @@ class TagLibraryInfoImpl extends TagLibr
                 Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
         boolean blockExternal;
         if (blockExternalString == null) {
-            blockExternal = Constants.IS_SECURITY_ENABLED;
+            blockExternal = true;
         } else {
             blockExternal = Boolean.parseBoolean(blockExternalString);
         }

Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TagPluginManager.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TagPluginManager.java?rev=1578804&r1=1578803&r2=1578804&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TagPluginManager.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TagPluginManager.java Tue Mar 18 09:54:55 2014
@@ -79,7 +79,7 @@ public class TagPluginManager {
             Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
     boolean blockExternal;
     if (blockExternalString == null) {
-        blockExternal = Constants.IS_SECURITY_ENABLED;
+        blockExternal = true;
     } else {
         blockExternal = Boolean.parseBoolean(blockExternalString);
     }

Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TldLocationsCache.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TldLocationsCache.java?rev=1578804&r1=1578803&r2=1578804&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TldLocationsCache.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/TldLocationsCache.java Tue Mar 18 09:54:55 2014
@@ -300,7 +300,7 @@ public class TldLocationsCache {
                     Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
             boolean blockExternal;
             if (blockExternalString == null) {
-                blockExternal = Constants.IS_SECURITY_ENABLED;
+                blockExternal = true;
             } else {
                 blockExternal = Boolean.parseBoolean(blockExternalString);
             }
@@ -482,7 +482,7 @@ public class TldLocationsCache {
                 Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
         boolean blockExternal;
         if (blockExternalString == null) {
-            blockExternal = Constants.IS_SECURITY_ENABLED;
+            blockExternal = true;
         } else {
             blockExternal = Boolean.parseBoolean(blockExternalString);
         }

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1578804&r1=1578803&r2=1578804&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Tue Mar 18 09:54:55 2014
@@ -56,6 +56,18 @@
         <bug>56082</bug>: Fix a concurrency bug in JULI&apos;s LogManager
         implementation. (markt)
       </fix>
+      <fix>
+        Change the default value of the <code>xmlBlockExternal</code> attribute
+        of Context elements. It is now <code>true</code>. (kkolinko) 
+      </fix>
+    </changelog>
+  </subsection>
+  <subsection name="Jasper">
+    <changelog>
+      <fix>
+        Change the default behaviour of JspC to block XML external entities by
+        default. (kkolinko) 
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Web applications">

Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml?rev=1578804&r1=1578803&r2=1578804&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml Tue Mar 18 09:54:55 2014
@@ -366,9 +366,8 @@
         <code>web.xml</code>, <code>web-fragment.xml</code>, <code>*.tld</code>,
         <code>*.jspx</code>, <code>*.tagx</code> and <code>tagPlugins.xml</code>
         files for this web application will not permit external entities to be
-        loaded. If a <code>SecurityManager</code> is configured then the default
-        value of this attribute will be <code>true</code>, else the default
-        value will be <code>false</code>.</p>
+        loaded. If not specified, the default value of <code>true</code> will
+        be used.</p>
       </attribute>
 
       <attribute name="xmlNamespaceAware" required="false">


