Author: markt
Date: Mon Jun 6 13:34:45 2016
New Revision: 1746994
URL: http://svn.apache.org/viewvc?rev=1746994&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59654
Enforce the requirements of section 7.3.1 of the JSP specification regarding
the permitted locations for TLD files. Patch provided by Huxing Zhang.
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java?rev=1746994&r1=1746993&r2=1746994&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
Mon Jun 6 13:34:45 2016
@@ -340,9 +340,14 @@ class TagLibraryInfoImpl extends TagLibr
err.jspError("jsp.error.tld.missing_jar", uri);
}
return new TldLocation("META-INF/taglib.tld", url.toString());
- } else {
- return new TldLocation(uri);
+ } else if (uri.startsWith("/WEB-INF/lib/")
+ || uri.startsWith("/WEB-INF/classes/") ||
+ (uri.startsWith("/WEB-INF/tags/") && uri.endsWith(".tld")
+ && !uri.endsWith("implicit.tld"))) {
+ err.jspError("jsp.error.tld.invalid_tld_file", uri);
}
+
+ return new TldLocation(uri);
}
private TagInfo createTagInfo(TreeNode elem, String jspVersion)
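Review bot: The exclusion `!uri.endsWith("implicit.tld")` in the `/WEB-INF/tags/` clause matches any file name that merely ends in those characters, so a name such as /WEB-INF/tags/notimplicit.tld also skips the new error. Compare against the whole file name instead, for example `uri.endsWith("/implicit.tld")`. The list of modified files contains no test, so a case for each rejected prefix and for the implicit.tld exception would be worth adding with this change.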
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties?rev=1746994&r1=1746993&r2=1746994&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties
Mon Jun 6 13:34:45 2016
@@ -212,6 +212,7 @@ jsp.error.bad_attribute=Attribute {0} in
jsp.error.tld.unable_to_read=Unable to read TLD \"{1}\" from JAR file \"{0}\":
{2}
jsp.error.tld.unable_to_get_jar=Unable to get JAR resource \"{0}\" containing
TLD: {1}
jsp.error.tld.missing_jar=Missing JAR resource \"{0}\" containing TLD
+jsp.error.tld.invalid_tld_file=Invalid tld file: \"{0}\", see JSP 2.2
specification section 7.3.1 for more details
jsp.error.webxml_not_found=Could not locate web.xml
jsp.cmd_line.usage=Usage: jsptoservlet [-dd <path/to/outputDirectory>]
[-keepgenerated] \
<.jsp files>
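Review bot: The text of `jsp.error.tld.invalid_tld_file` calls the file invalid, but the check that raises it looks only at the file's location; wording along the lines of "TLD file \"{0}\" is in a location that is not permitted" would point the user at the actual problem. "tld" is also lower case here while the neighbouring messages write "TLD", and the message pins "JSP 2.2" where the commit log refers only to "the JSP specification".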
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1746994&r1=1746993&r2=1746994&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Jun 6 13:34:45 2016
@@ -160,6 +160,11 @@
the class loader of the first web application to use expressions to be
pinned in memory. (markt)
</fix>
+ <fix>
+ <bug>59654</bug>: Enforce the requirements of section 7.3.1 of the JSP
+ specification regarding the permitted locations for TLD files. Patch
+ provided by Huxing Zhang. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="WebSocket">
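Review bot: The changelog entry does not say what changes for someone deploying an existing application. From the code change, a taglib URI under /WEB-INF/lib/ or /WEB-INF/classes/, or a .tld file under /WEB-INF/tags/ other than implicit.tld, now produces a JSP error; naming those locations in the `<fix>` text would let readers see whether their applications are affected without opening section 7.3.1.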