Posted to dev@geronimo.apache.org by "Donald Woods (JIRA)" <ji...@apache.org> on 2008/08/15 06:38:46 UTC

[jira] Commented: (GERONIMO-4245) Upgrade to Tomcat 6.0.18 to pickup latest security fixes

    [ https://issues.apache.org/jira/browse/GERONIMO-4245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12622804#action_12622804 ] 

Donald Woods commented on GERONIMO-4245:
----------------------------------------

I've run into several JSP files in our build (mainly the monitor webapp) that require code changes to work with Tomcat 6.0.18, due to tightened code around the JSP 2.0 spec in Jasper during the Tomcat 6.0.17 release.

The build errors look something like -
org.apache.jasper.JasperException: file:/Users/drwoods/geronimo/server-trunk/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp(168,168) Attribute value rs.getString("server_id") is quoted with " which must be escaped when used within the value
    at org.apache.jasper.compiler.DefaultErrorHandler.jspError(DefaultErrorHandler.java:40)


There are several places in the portlet code where we have -
     value="<%=rs.getString("server_id")%>"
which had to be changed to
     value='<%=rs.getString("server_id")%>'


The full text of the Tomcat Jasper change can be found at -
https://issues.apache.org/bugzilla/show_bug.cgi?id=45015
with the basic explanation being -

According to JSP 2.0 specification (chapter 1.7 page 72,73)

This code is illegal:
<mytags:tag value="<%= "hi!" %>" />

Instead the correct sentence would be:
<mytags:tag value='<%= "hi!" %>' />
<mytags:tag value="<%= \"hi!\" %>" />
<mytags:tag value='<%= \"name\" %>' />
... 


> Upgrade to Tomcat 6.0.18 to pickup latest security fixes
> --------------------------------------------------------
>
>                 Key: GERONIMO-4245
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4245
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: dependencies
>    Affects Versions: 2.0, 2.0.1, 2.0.2, 2.0.3, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.2
>            Reporter: Donald Woods
>            Assignee: Donald Woods
>            Priority: Critical
>             Fix For: 2.0.3, 2.1.3, 2.2
>
>
> Need to upgrade to Tomcat 6.0.18 to pickup the latest security fixes, as listed on the following Tomcat webpage - http://tomcat.apache.org/security-6.html
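
Added example, not part of the original message and not Geronimo or Tomcat code: a heuristic Python scan that flags JSP attributes whose `<%= ... %>` value contains the same unescaped quote character used as the attribute delimiter, the pattern the comment above reports as a build error after the upgrade. The function names and the sample text (built from the snippets quoted in the message) are constructed for illustration; this is a regex approximation, not Jasper's parser.

```python
import re

# Attribute whose value starts with a scriptlet expression: name="<%= or name='<%=
ATTR_START = re.compile(r'''([\w:.-]+)\s*=\s*(["'])<%=''')

# Constructed sample, assembled from the snippets quoted in the message.
SAMPLE = r'''<input name="id" value="<%=rs.getString("server_id")%>">
<mytags:tag value='<%= "hi!" %>' />
<mytags:tag value="<%= \"hi!\" %>" />
<mytags:tag value="<%= "hi!" %>" />
'''

def unescaped(delim):
    """Regex for the delimiter character when not preceded by a backslash."""
    return re.compile(r'(?<!\\)' + re.escape(delim))

def find_unescaped_quotes(jsp_text):
    """Return (line, attribute, delimiter, expression) for each suspect attribute."""
    findings = []
    for m in ATTR_START.finditer(jsp_text):
        name, delim = m.group(1), m.group(2)
        end = jsp_text.find('%>', m.end())
        # Only whole-value expressions: the closing %> must be followed by the delimiter.
        # Simplification: a literal "%>" inside a Java string would end the scan early.
        if end == -1 or jsp_text[end + 2:end + 3] != delim:
            continue
        expr = jsp_text[m.end():end]
        if unescaped(delim).search(expr):
            line = jsp_text.count('\n', 0, m.start()) + 1
            findings.append((line, name, delim, expr.strip()))
    return findings

def suggest_fix(name, delim, expr):
    """Prefer switching the delimiter; escape the inner quotes if both kinds occur."""
    other = "'" if delim == '"' else '"'
    if other not in expr:
        return f"{name}={other}<%={expr}%>{other}"
    escaped = unescaped(delim).sub(lambda _: '\\' + delim, expr)
    return f"{name}={delim}<%={escaped}%>{delim}"

if __name__ == "__main__":
    for line, name, delim, expr in find_unescaped_quotes(SAMPLE):
        print(f"line {line}: {name} -> {suggest_fix(name, delim, expr)}")
```

Both rewrites it proposes are forms the quoted Bugzilla text lists as correct: a single-quoted attribute around the expression, or backslash-escaped quotes inside a double-quoted one.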
