Author: markt Date: Tue Aug 30 22:35:38 2016 New Revision: 1758487 URL: http://svn.apache.org/viewvc?rev=1758487&view=rev Log: Ignore some JSP options when running under a SecurityManager
Modified: tomcat/trunk/conf/web.xml tomcat/trunk/java/org/apache/jasper/EmbeddedServletOptions.java tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/jasper-howto.xml
Modified: tomcat/trunk/conf/web.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/web.xml?rev=1758487&r1=1758486&r2=1758487&view=diff
==============================================================================
--- tomcat/trunk/conf/web.xml (original)
+++ tomcat/trunk/conf/web.xml Tue Aug 30 22:35:38 2016
@@ -163,6 +163,8 @@
 <!-- engineOptionsClass Allows specifying the Options class used to -->
 <!-- configure Jasper. If not present, the default -->
 <!-- EmbeddedServletOptions will be used. -->
+ <!-- This option is ignored when running under a -->
+ <!-- SecurityManager. -->
 <!-- -->
 <!-- errorOnUseBeanInvalidClassAttribute -->
 <!-- Should Jasper issue an error when the value of -->
@@ -224,6 +226,8 @@
 <!-- scratchdir What scratch directory should we use when -->
 <!-- compiling JSP pages? [default work directory -->
 <!-- for the current web application] -->
+ <!-- This option is ignored when running under a -->
+ <!-- SecurityManager. -->
 <!-- -->
 <!-- suppressSmap Should the generation of SMAP info for JSR45 -->
 <!-- debugging be suppressed? [false] -->
Modified: tomcat/trunk/java/org/apache/jasper/EmbeddedServletOptions.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/EmbeddedServletOptions.java?rev=1758487&r1=1758486&r2=1758487&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/EmbeddedServletOptions.java (original)
+++ tomcat/trunk/java/org/apache/jasper/EmbeddedServletOptions.java Tue Aug 30 22:35:38 2016
@@ -660,6 +660,10 @@ public final class EmbeddedServletOption
 * scratchdir
 */
 String dir = config.getInitParameter("scratchdir");
+ if (dir != null && Constants.IS_SECURITY_ENABLED) {
+ log.info(Localizer.getMessage("jsp.info.ignoreSetting", "scratchdir", dir));
+ dir = null;
+ }
 if (dir != null) {
 scratchDir = new File(dir);
 } else {
Modified: tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties?rev=1758487&r1=1758486&r2=1758487&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties Tue Aug 30 22:35:38 2016
@@ -355,6 +355,7 @@ jsp.error.unbalanced.endtag=The end tag
 jsp.error.invalid.bean=The value for the useBean class attribute {0} is invalid.
 jsp.error.prefix.use_before_dcl=The prefix {0} specified in this tag directive has been previously used by an action in file {1} line {2}.
 jsp.error.lastModified=Unable to determine last modified date for file [{0}]
+jsp.info.ignoreSetting=Ignored setting for [{0}] of [{1}] because a SecurityManager was enabled
 jsp.exception=An exception occurred processing JSP page {0} at line {1}
Modified: tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java?rev=1758487&r1=1758486&r2=1758487&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java (original)
+++ tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java Tue Aug 30 22:35:38 2016
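Review bot: The guard added before `if (dir != null)` in EmbeddedServletOptions.java discards `scratchdir` without a comment saying why, and the same is true of the `engineOptionsClass` guard added in JspServlet.java. The reason is presumably that these init-params are supplied by the web application's own configuration and must not choose the compile output directory or the Options class once the application is sandboxed; a comment such as `// scratchdir is application-supplied; under a SecurityManager keep the container-assigned work directory` would stop a later clean-up from removing the check. Both overrides are also reported with `log.info`, which is easy to filter out; since a configured value is being dropped for security reasons, `log.warn` may be the better level. The enclosing method begins and ends outside the hunk.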
@@ -71,8 +71,8 @@ public class JspServlet extends HttpServ
 private ServletConfig config;
 private transient Options options;
 private transient JspRuntimeContext rctxt;
- //jspFile for a jsp configured explicitly as a servlet, in environments where this configuration is
- //translated into an init-param for this servlet.
+ // jspFile for a jsp configured explicitly as a servlet, in environments where this
+ // configuration is translated into an init-param for this servlet.
 private String jspFile;
@@ -89,6 +89,11 @@ public class JspServlet extends HttpServ
 // Initialize the JSP Runtime Context
 // Check for a custom Options implementation
 String engineOptionsName = config.getInitParameter("engineOptionsClass");
+ if (Constants.IS_SECURITY_ENABLED && engineOptionsName != null) {
+ log.info(Localizer.getMessage(
+ "jsp.info.ignoreSetting", "engineOptionsClass", engineOptionsName));
+ engineOptionsName = null;
+ }
 if (engineOptionsName != null) {
 // Instantiate the indicated Options implementation
 try {
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1758487&r1=1758486&r2=1758487&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Aug 30 22:35:38 2016
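Review bot: The `jsp.info.ignoreSetting` entry logged in the second JspServlet.java hunk records the parameter name and the rejected class name but nothing that identifies which web application supplied it. On a host running several applications under a SecurityManager that makes the entry hard to attribute, unless the logging configuration already separates output per application, which is not visible here. Consider passing the context path as a third argument, for example `config.getServletContext().getContextPath()`, with a matching `{2}` placeholder in LocalStrings.properties. `engineOptionsName` is also written to the log unmodified, so if these lines are parsed downstream it is worth confirming that control characters in the value cannot split an entry. The enclosing method continues outside the hunk.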
@@ -264,6 +264,10 @@ <bug>60032</bug>: Fix handling of method calls that use varargs within EL value expressions. (markt) </fix> + <fix> + Ignore <code>engineOptionsClass</code> and <code>scratchdir</code> when + running under a security manager. (markt) + </fix> </changelog> </subsection> <subsection name="WebSocket">
Modified: tomcat/trunk/webapps/docs/jasper-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/jasper-howto.xml?rev=1758487&r1=1758486&r2=1758487&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/jasper-howto.xml (original)
+++ tomcat/trunk/webapps/docs/jasper-howto.xml Tue Aug 30 22:35:38 2016
@@ -132,7 +132,7 @@ default <code>true</code>. <li><strong>engineOptionsClass</strong> - Allows specifying the Options class used to configure Jasper. If not present, the default EmbeddedServletOptions -will be used. +will be used. This option is ignored if running under a SecurityManager. </li> <li><strong>errorOnUseBeanInvalidClassAttribute</strong> - Should Jasper issue
@@ -185,7 +185,7 @@ may be expensive and could lead to exces <li><strong>scratchdir</strong> - What scratch directory should we use when compiling JSP pages? Default is the work directory for the current web -application.</li> +application. This option is ignored if running under a SecurityManager.</li> <li><strong>suppressSmap</strong> - Should the generation of SMAP info for JSR45 debugging be suppressed? <code>true</code> or <code>false</code>, default
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org