svn commit: r1746994 - in /tomcat/tc7.0.x/trunk: java/org/apache/jasper/compiler/TagLibraryInfoImpl.java java/org/apache/jasper/resources/LocalStrings.properties webapps/docs/changelog.xml

Mon, 06 Jun 2016 06:35:08 -0700 

Author: markt
Date: Mon Jun  6 13:34:45 2016
New Revision: 1746994

URL: http://svn.apache.org/viewvc?rev=1746994&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59654
Enforce the requirements of section 7.3.1 of the JSP specification regarding 
the permitted locations for TLD files. Patch provided by Huxing Zhang.

Modified:
    tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
    
tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Modified: 
tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java?rev=1746994&r1=1746993&r2=1746994&view=diff
==============================================================================
--- 
tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java 
(original)
+++ 
tomcat/tc7.0.x/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java 
Mon Jun  6 13:34:45 2016
@@ -340,9 +340,14 @@ class TagLibraryInfoImpl extends TagLibr
                 err.jspError("jsp.error.tld.missing_jar", uri);
             }
             return new TldLocation("META-INF/taglib.tld", url.toString());
-        } else {
-            return new TldLocation(uri);
+        } else if (uri.startsWith("/WEB-INF/lib/")
+                || uri.startsWith("/WEB-INF/classes/") ||
+                (uri.startsWith("/WEB-INF/tags/") && uri.endsWith(".tld")
+                        && !uri.endsWith("implicit.tld"))) {
+            err.jspError("jsp.error.tld.invalid_tld_file", uri);
         }
+
+        return new TldLocation(uri);
     }
 
     private TagInfo createTagInfo(TreeNode elem, String jspVersion)

Modified: 
tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties?rev=1746994&r1=1746993&r2=1746994&view=diff
==============================================================================
--- 
tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties 
(original)
+++ 
tomcat/tc7.0.x/trunk/java/org/apache/jasper/resources/LocalStrings.properties 
Mon Jun  6 13:34:45 2016
@@ -212,6 +212,7 @@ jsp.error.bad_attribute=Attribute {0} in
 jsp.error.tld.unable_to_read=Unable to read TLD \"{1}\" from JAR file \"{0}\": 
{2}
 jsp.error.tld.unable_to_get_jar=Unable to get JAR resource \"{0}\" containing 
TLD: {1}
 jsp.error.tld.missing_jar=Missing JAR resource \"{0}\" containing TLD
+jsp.error.tld.invalid_tld_file=Invalid tld file: \"{0}\", see JSP 2.2 
specification section 7.3.1 for more details
 jsp.error.webxml_not_found=Could not locate web.xml
 jsp.cmd_line.usage=Usage: jsptoservlet [-dd <path/to/outputDirectory>] 
[-keepgenerated] \
 <.jsp files>

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1746994&r1=1746993&r2=1746994&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Jun  6 13:34:45 2016
@@ -160,6 +160,11 @@
         the class loader of the first web application to use expressions to be
         pinned in memory. (markt)
       </fix>
+      <fix>
+        <bug>59654</bug>: Enforce the requirements of section 7.3.1 of the JSP
+        specification regarding the permitted locations for TLD files. Patch
+        provided by Huxing Zhang. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="WebSocket">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to