https://bz.apache.org/bugzilla/show_bug.cgi?id=69431
Bug ID: 69431
Summary: Apache Tomcat 9.0.96 JSTL unexpected behavior in c:out
Product: Tomcat 9
Version: 9.0.96
Hardware: PC
Status: NEW
Severity: major
Priority: P2
Component: Jasper
Assignee: dev@tomcat.apache.org
Reporter: stefanu...@gmail.com
Target Milestone: -----

Created attachment 39926
--> https://bz.apache.org/bugzilla/attachment.cgi?id=39926&action=edit
sample code to reproduce the problem

Since version 9.0.96 of the Apache Tomcat servlet container, released on 2024-10-08, the c:out tag behaves differently, and if confirmed it could be a serious security issue (code injection?). Version 9.0.95 (and previous ones) does not have this behavior.

It looks like it's a taglib problem (even though I have used the same 1.2.5 jars on both Tomcat servers), but I cannot tell if it is related to a specific major version of Tomcat or a Jasper compiler problem. Not sure if this should be classified as a regression or, if confirmed, major or even critical.

The problem: in certain circumstances it no longer escapes the value attribute. Here's how to reproduce the problem.
Use a simple test file (use it as index.jsp in the ROOT webapp for instance, along with taglibs-standard-impl-1.2.5.jar and taglibs-standard-spec-1.2.5.jar in the app's lib folder):

<%@ page session="false" pageEncoding="UTF-8" contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%
String test = "{ \"key\" : \"value\" }";
java.util.Map<String, String> map = new java.util.HashMap<>();
map.put("test", test);
request.setAttribute("test", test);
request.setAttribute("map", map);
%>
<!DOCTYPE html>
<html lang="en">
<body>
<input type="text" name="test" id="test" value="<c:out value="${test}" />" />
<br/>
<input type="text" name="test" id="test" value="<c:out value="<%=test %>" />" />
<br/>
<c:forEach items="${map}" var="entry">
<input id="${entry.key}" name="${entry.key}" type="text" value="<c:out value="${entry.value}" />">
<br/>
</c:forEach>
<br/>
<br/>
Tomcat Version : <%= application.getServerInfo() %>
<br/>
Servlet Specification Version : <%= application.getMajorVersion() %>.<%= application.getMinorVersion() %>
<br/>
JSP version : <%=JspFactory.getDefaultFactory().getEngineInfo().getSpecificationVersion() %>
</body>
</html>

In Tomcat 9.0.95 it renders like this (showing just the important part):

<input type="text" name="test" id="test" value="{ "key" : "value" }" />
<input type="text" name="test" id="test" value="{ "key" : "value" }" />
<input id="test" name="test" type="text" value="{ "key" : "value" }">

In Tomcat 9.0.96 it renders like this:

<input type="text" name="test" id="test" value="{ "key" : "value" }" />
<input type="text" name="test" id="test" value="{ "key" : "value" }" />
<input id="test" name="test" type="text" value="{ "key" : "value" }">

Even worse, when refreshing the page (the above result is obtained only once, after the JSP is compiled), it renders like this:

<input type="text" name="test" id="test" value="{ "key" : "value" }" />
<input type="text" name="test" id="test" value="{ "key" : "value" }" />
<input id="test" name="test" type="text" value="{ "key" : "value" }">
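A regression check for the escaping described in this report, added here as an example and not code from the report, Tomcat or the taglibs project. It assumes the report's index.jsp is deployed at TEST_URL, and the escape table is assumed to match what JSTL's escapeXml applies; it fetches the page twice because the report says the first render after JSP compilation differs from later ones.

```python
"""Check whether a deployed copy of the report's index.jsp escapes the <c:out>
value attribute. Added example, not from the report or Tomcat/JSTL."""
import re
import sys
import urllib.request

RAW_VALUE = '{ "key" : "value" }'            # the test string from index.jsp
TEST_URL = "http://localhost:8080/index.jsp"  # assumption: local Tomcat
# Assumed to match the replacements JSTL's escapeXml applies.
_XML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&#034;", "'": "&#039;"}

def jstl_escape_xml(text: str) -> str:
    """Escape text the way <c:out> (escapeXml="true" by default) should."""
    return "".join(_XML_ESCAPES.get(ch, ch) for ch in text)

def unescaped_inputs(html: str, raw_value: str) -> list:
    """Return each <input ...> tag carrying raw_value unescaped: a raw '"' inside
    the attribute closes it early, which is the injection concern in the report."""
    expected = jstl_escape_xml(raw_value)
    if expected == raw_value:            # nothing to escape, nothing to detect
        return []
    tags = re.findall(r"<input\b[^>]*>", html, flags=re.IGNORECASE)
    return [t for t in tags if raw_value in t and expected not in t]

def check_url(url: str, attempts: int = 2) -> list:
    """Fetch the page more than once: per the report the first render after
    JSP compilation differs from later ones, so one request can miss it."""
    findings = []
    for _ in range(attempts):
        with urllib.request.urlopen(url, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
        findings += unescaped_inputs(body, RAW_VALUE)
    return findings

# Constructed renders: the escaped form c:out should emit, and the unescaped one.
GOOD_RENDER = ('<input type="text" name="test" id="test" '
               'value="{ &#034;key&#034; : &#034;value&#034; }" />')
BAD_RENDER = ('<input type="text" name="test" id="test" value="{ "key" : "value" }" />\n'
              '<input id="test" name="test" type="text" value="{ "key" : "value" }">')

if __name__ == "__main__":
    bad = check_url(sys.argv[1] if len(sys.argv) > 1 else TEST_URL)
    for tag in bad:
        print("UNESCAPED:", tag)
    sys.exit(1 if bad else 0)
```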