https://bz.apache.org/bugzilla/show_bug.cgi?id=59357
Bug ID: 59357
Summary: Doesn't seem to be a way to totally disable TLD
scanning
Product: Tomcat 8
Version: 8.0.33
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Jasper
Assignee: [email protected]
Reporter: [email protected]
There doesn't seem to be a way to disable TLD scanning completely.
There apparently used to be an attribute for the context called "processTlds"
which was replaced at some point, with some/all of the following:
<Context processTlds="false" tldValidation="false" xmlBlockExternal="false">
<JarScanner scanClassPath="false" scanAllFiles="false"
scanAllDirectories="false">
<JarScanFilter tldSkip="*" defaultTldScan="false"/>
</JarScanner>
</Context>
This is well and good, but in my case I have a TLD file (just the file itself,
not inside a jar) below WEB-INF, and even with every possible "don't scan for
TLDs" setting set, it's still being picked up. (jarsToSkip, fwiw, is *)
Is there a setting I'm missing which will totally disable TLD scanning?
A quick look at the sources makes it seem like there is no way to avoid the
scan for files with .tld extensions, as filters and such are only applied to
jar scanning? I could be missing something, but that's what it looks like.
To reproduce, just stick a TLD with a bad DTD reference somewhere below
/WEB-INF.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
