Hello Tomcat developers,
I'm building a static analysis tool to automatically detect a certain class
of errors and am trying it on tomcat 6.0.1-alpha (sources downloaded from
http://tomcat.apache.org/download-60.cgi.)
I wonder if in the piece of code below, which responds with an error if a
jsp page doesn't exist, the second argument to response.sendError() is
intentionally the jspUri. In particular, in most other places in the code,
the second argument to sendError() is some user-understandable error message
typically obtained from a StringManager. Is it intended to give the JSP URI
as the sendError message in this case ? All versions of tomcat sources that
I have looked at including 5.5.x and 4.1.31 seem to have code similar to the
extract below.
Thanks in advance for any comments regarding this potential issue.
Thanks,
Sudheendra
apache-tomcat-6.0.1-src/java/org/apache/jasper/servlet/JspServlet.java:
...
private void serviceJspFile(HttpServletRequest request,
HttpServletResponse response, String jspUri,
Throwable exception, boolean precompile)
throws ServletException, IOException {
JspServletWrapper wrapper =
(JspServletWrapper) rctxt.getWrapper(jspUri);
if (wrapper == null) {
synchronized(this) {
wrapper = (JspServletWrapper) rctxt.getWrapper(jspUri);
if (wrapper == null) {
// Check if the requested JSP page exists, to avoid
// creating unnecessary directories and files.
if (null == context.getResource(jspUri)) {
response.sendError(HttpServletResponse.SC_NOT_FOUND,
jspUri);
return;
}
...
wrapper.service(request, response, precompile);
}
