Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/06/06 13:34:45 UTC
svn commit: r1746994 - in /tomcat/tc7.0.x/trunk:
java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
java/org/apache/jasper/resources/LocalStrings.properties
webapps/docs/changelog.xml
Author: markt
Date: Mon Jun 6 13:34:45 2016
New Revision: 1746994
URL: http://svn.apache.org/viewvc?rev=1746994&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59654
Enforce the requirements of section 7.3.1 of the JSP specification regarding the permitted locations for TLD files. Patch provided by Huxing Zhang.
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java?rev=1746994&r1=1746993&r2=1746994&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java Mon Jun 6 13:34:45 2016
@@ -340,9 +340,14 @@ class TagLibraryInfoImpl extends TagLibr
err.jspError("jsp.error.tld.missing_jar", uri);
}
return new TldLocation("META-INF/taglib.tld", url.toString());
- } else {
- return new TldLocation(uri);
+ } else if (uri.startsWith("/WEB-INF/lib/")
+ || uri.startsWith("/WEB-INF/classes/") ||
+ (uri.startsWith("/WEB-INF/tags/") && uri.endsWith(".tld")
+ && !uri.endsWith("implicit.tld"))) {
+ err.jspError("jsp.error.tld.invalid_tld_file", uri);
}
+
+ return new TldLocation(uri);
}
private TagInfo createTagInfo(TreeNode elem, String jspVersion)
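Review bot: The `implicit.tld` exemption in the `/WEB-INF/tags/` branch is a bare suffix match, so `!uri.endsWith("implicit.tld")` also exempts any file whose name merely ends in those characters (a constructed example: `/WEB-INF/tags/notimplicit.tld`). Matching the final path segment instead, for instance `!uri.endsWith("/implicit.tld")`, would limit the exemption to files actually named `implicit.tld`. Two smaller points: the rejection now relies on `err.jspError(...)` throwing, because `return new TldLocation(uri);` follows unconditionally after the `if`, and a one-line comment saying so would help the next reader; and the condition mixes leading and trailing `||` across its lines, which is worth making consistent.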
Modified: tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties?rev=1746994&r1=1746993&r2=1746994&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties Mon Jun 6 13:34:45 2016
@@ -212,6 +212,7 @@ jsp.error.bad_attribute=Attribute {0} in
jsp.error.tld.unable_to_read=Unable to read TLD \"{1}\" from JAR file \"{0}\": {2}
jsp.error.tld.unable_to_get_jar=Unable to get JAR resource \"{0}\" containing TLD: {1}
jsp.error.tld.missing_jar=Missing JAR resource \"{0}\" containing TLD
+jsp.error.tld.invalid_tld_file=Invalid tld file: \"{0}\", see JSP 2.2 specification section 7.3.1 for more details
jsp.error.webxml_not_found=Could not locate web.xml
jsp.cmd_line.usage=Usage: jsptoservlet [-dd <path/to/outputDirectory>] [-keepgenerated] \
<.jsp files>
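Review bot: The new `jsp.error.tld.invalid_tld_file` message writes "tld" in lower case where the three neighbouring messages all write "TLD", and it tells the user only that the file is invalid, not that its location is the problem. Suggest wording along the lines of "TLD file \"{0}\" is in a location that is not permitted, see JSP 2.2 specification section 7.3.1", so that the log line alone tells a deployer the fix is to move the file rather than to edit it.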
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1746994&r1=1746993&r2=1746994&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Jun 6 13:34:45 2016
@@ -160,6 +160,11 @@
the class loader of the first web application to use expressions to be
pinned in memory. (markt)
</fix>
+ <fix>
+ <bug>59654</bug>: Enforce the requirements of section 7.3.1 of the JSP
+ specification regarding the permitted locations for TLD files. Patch
+ provided by Huxing Zhang. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="WebSocket">
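Review bot: The added `<fix>` entry says the requirements are now enforced but not what changes for a deployed application. Since the code change raises `jsp.error.tld.invalid_tld_file` for taglib URIs under `/WEB-INF/lib/`, `/WEB-INF/classes/`, and for non-implicit `.tld` files under `/WEB-INF/tags/`, pages that reference a TLD in one of those locations will start failing after the upgrade. Consider naming those locations in the entry so that operators reading the changelog can check their web applications beforehand.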