Author: kkolinko
Date: Wed May 26 02:31:57 2010
New Revision: 948294
URL: http://svn.apache.org/viewvc?rev=948294&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47878
Return 404's rather than a permanent 500 if a JSP is deleted
Make sure first response post deletion is correct
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/JspCompilationContext.java
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/compiler/Compiler.java
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/security/SecurityUtil.java
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/servlet/JspServlet.java
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/servlet/JspServletWrapper.java
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=948294&r1=948293&r2=948294&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Wed May 26 02:31:57 2010
@@ -32,18 +32,6 @@ PATCHES PROPOSED TO BACKPORT:
+1: kkolinko, rjung
-1:
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47878
- Return 404's rather than a permanent 500 if a JSP is deleted
- Make sure first response post deletion is correct
- Port of r439565, r832102 & r904834
- http://people.apache.org/~markt/patches/2010-01-30-bug47878-tc5.patch
- (Above patch is wrong - it is missing at least r562752, maybe others)
- Corrected patch based on Mark's one:
- http://people.apache.org/~kkolinko/patches/2010-04-22_tc55_bug47878.patch
- +1: kkolinko, markt, rjung
- -1:
-
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48179
Improve processing of TLD cache file
https://issues.apache.org/bugzilla/attachment.cgi?id=24918
Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=948294&r1=948293&r2=948294&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Wed May 26
02:31:57 2010
@@ -111,6 +111,11 @@
(kkolinko)
</fix>
<fix>
+ <bug>47878</bug>: Return “404”s rather than a permanent
+ “500” if a JSP is deleted. Make sure first response after
+ deletion is correct. (markt/kkolinko)
+ </fix>
+ <fix>
<bug>48701</bug>: Add a system property to allow disabling enforcement
of JSP.5.3. The specification recommends, but does not require, this
enforcement. (kkolinko)
Modified:
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/JspCompilationContext.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/JspCompilationContext.java?rev=948294&r1=948293&r2=948294&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/JspCompilationContext.java
(original)
+++
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/JspCompilationContext.java
Wed May 26 02:31:57 2010
@@ -74,14 +74,13 @@ public class JspCompilationContext {
private String classPath;
private String baseURI;
- private String baseOutputDir;
private String outputDir;
private ServletContext context;
private URLClassLoader loader;
private JspRuntimeContext rctxt;
- private int removed = 0;
+ private volatile int removed = 0;
private URLClassLoader jspLoader;
private URL baseUrl;
@@ -539,16 +538,14 @@ public class JspCompilationContext {
// ==================== Removal ====================
public void incrementRemoved() {
- if (removed > 1) {
- jspCompiler.removeGeneratedFiles();
- if( rctxt != null )
- rctxt.removeWrapper(jspUri);
+ if (removed == 0 && rctxt != null) {
+ rctxt.removeWrapper(jspUri);
}
removed++;
}
public boolean isRemoved() {
- if (removed > 1 ) {
+ if (removed > 0 ) {
return true;
}
return false;
@@ -559,7 +556,11 @@ public class JspCompilationContext {
public void compile() throws JasperException, FileNotFoundException {
createCompiler();
if (isPackagedTagFile || jspCompiler.isOutDated()) {
+ if (isRemoved()) {
+ throw new FileNotFoundException(jspUri);
+ }
try {
+ jspCompiler.removeGeneratedFiles();
jspLoader = null;
jspCompiler.compile();
jsw.setReload(true);
@@ -569,7 +570,6 @@ public class JspCompilationContext {
jsw.setCompilationException(ex);
throw ex;
} catch (Exception ex) {
- ex.printStackTrace();
JasperException je = new JasperException(
Localizer.getMessage("jsp.error.unable.compile"),
ex);
Modified:
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/compiler/Compiler.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/compiler/Compiler.java?rev=948294&r1=948293&r2=948294&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/compiler/Compiler.java
(original)
+++
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/compiler/Compiler.java
Wed May 26 02:31:57 2010
@@ -393,13 +393,13 @@ public abstract class Compiler {
URL jspUrl = ctxt.getResource(jsp);
if (jspUrl == null) {
ctxt.incrementRemoved();
- return false;
+ return true;
}
URLConnection uc = jspUrl.openConnection();
jspRealLastModified = uc.getLastModified();
uc.getInputStream().close();
} catch (Exception e) {
- e.printStackTrace();
+ log.debug("Problem accessing resource. Treat as outdated.", e);
return true;
}
@@ -456,7 +456,7 @@ public abstract class Compiler {
return true;
}
} catch (Exception e) {
- e.printStackTrace();
+ log.debug("Problem accessing resource. Treat as outdated.", e);
return true;
}
}
Modified:
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/security/SecurityUtil.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/security/SecurityUtil.java?rev=948294&r1=948293&r2=948294&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/security/SecurityUtil.java
(original)
+++
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/security/SecurityUtil.java
Wed May 26 02:31:57 2010
@@ -38,5 +38,42 @@ public final class SecurityUtil{
return false;
}
-
+
+ /**
+ * Filter the specified message string for characters that are sensitive
+ * in HTML. This avoids potential attacks caused by including JavaScript
+ * codes in the request URL that is often reported in error messages.
+ *
+ * @param message The message string to be filtered
+ */
+ public static String filter(String message) {
+
+ if (message == null)
+ return (null);
+
+ char content[] = new char[message.length()];
+ message.getChars(0, message.length(), content, 0);
+ StringBuffer result = new StringBuffer(content.length + 50);
+ for (int i = 0; i < content.length; i++) {
+ switch (content[i]) {
+ case '<':
+ result.append("<");
+ break;
+ case '>':
+ result.append(">");
+ break;
+ case '&':
+ result.append("&");
+ break;
+ case '"':
+ result.append(""");
+ break;
+ default:
+ result.append(content[i]);
+ }
+ }
+ return (result.toString());
+
+ }
+
}
Modified:
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/servlet/JspServlet.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/servlet/JspServlet.java?rev=948294&r1=948293&r2=948294&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/servlet/JspServlet.java
(original)
+++
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/servlet/JspServlet.java
Wed May 26 02:31:57 2010
@@ -17,6 +17,7 @@
package org.apache.jasper.servlet;
+import java.io.FileNotFoundException;
import java.io.IOException;
import java.lang.reflect.Constructor;
@@ -35,6 +36,7 @@ import org.apache.jasper.EmbeddedServlet
import org.apache.jasper.Options;
import org.apache.jasper.compiler.JspRuntimeContext;
import org.apache.jasper.compiler.Localizer;
+import org.apache.jasper.security.SecurityUtil;
/**
* The JSP engine (a.k.a Jasper).
@@ -283,31 +285,15 @@ public class JspServlet extends HttpServ
Throwable exception, boolean precompile)
throws ServletException, IOException {
- JspServletWrapper wrapper =
- (JspServletWrapper) rctxt.getWrapper(jspUri);
+ JspServletWrapper wrapper = rctxt.getWrapper(jspUri);
if (wrapper == null) {
synchronized(this) {
- wrapper = (JspServletWrapper) rctxt.getWrapper(jspUri);
+ wrapper = rctxt.getWrapper(jspUri);
if (wrapper == null) {
// Check if the requested JSP page exists, to avoid
// creating unnecessary directories and files.
if (null == context.getResource(jspUri)) {
- String includeRequestUri = (String)
-
request.getAttribute("javax.servlet.include.request_uri");
- if (includeRequestUri != null) {
- // This file was included. Throw an exception as
- // a response.sendError() will be ignored
- throw new ServletException(Localizer.getMessage(
- "jsp.error.file.not.found",jspUri));
- } else {
- try {
-
response.sendError(HttpServletResponse.SC_NOT_FOUND,
- request.getRequestURI());
- } catch (IllegalStateException ise) {
-
log.error(Localizer.getMessage("jsp.error.file.not.found",
- jspUri));
- }
- }
+ handleMissingResource(request, response, jspUri);
return;
}
boolean isErrorPage = exception != null;
@@ -318,8 +304,39 @@ public class JspServlet extends HttpServ
}
}
- wrapper.service(request, response, precompile);
+ try {
+ wrapper.service(request, response, precompile);
+ } catch (FileNotFoundException fnfe) {
+ handleMissingResource(request, response, jspUri);
+ }
}
+ private void handleMissingResource(HttpServletRequest request,
+ HttpServletResponse response, String jspUri)
+ throws ServletException, IOException {
+
+ String includeRequestUri =
+ (String)request.getAttribute("javax.servlet.include.request_uri");
+
+ if (includeRequestUri != null) {
+ // This file was included. Throw an exception as
+ // a response.sendError() will be ignored
+ String msg =
+ Localizer.getMessage("jsp.error.file.not.found",jspUri);
+ // Strictly, filtering this is an application
+ // responsibility but just in case...
+ throw new ServletException(SecurityUtil.filter(msg));
+ } else {
+ try {
+ response.sendError(HttpServletResponse.SC_NOT_FOUND,
+ request.getRequestURI());
+ } catch (IllegalStateException ise) {
+ log.error(Localizer.getMessage("jsp.error.file.not.found",
+ jspUri));
+ }
+ }
+ return;
+ }
+
}
Modified:
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/servlet/JspServletWrapper.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/servlet/JspServletWrapper.java?rev=948294&r1=948293&r2=948294&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/servlet/JspServletWrapper.java
(original)
+++
tomcat/tc5.5.x/trunk/jasper/src/share/org/apache/jasper/servlet/JspServletWrapper.java
Wed May 26 02:31:57 2010
@@ -31,6 +31,9 @@ import javax.servlet.http.HttpServletReq
import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.tagext.TagInfo;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
import org.apache.jasper.JasperException;
import org.apache.jasper.JspCompilationContext;
import org.apache.jasper.Options;
@@ -60,6 +63,9 @@ import org.apache.jasper.runtime.JspSour
public class JspServletWrapper {
+ // Logger
+ private final Log log = LogFactory.getLog(JspServletWrapper.class);
+
private Servlet theServlet;
private String jspUri;
private Class servletClass;
@@ -272,6 +278,7 @@ public class JspServletWrapper {
HttpServletResponse response,
boolean precompile)
throws ServletException, IOException, FileNotFoundException {
+
try {
if (ctxt.isRemoved()) {
@@ -318,6 +325,37 @@ public class JspServletWrapper {
return;
}
+ } catch (ServletException ex) {
+ if (options.getDevelopment()) {
+ throw handleJspException(ex);
+ } else {
+ throw ex;
+ }
+ } catch (FileNotFoundException fnfe) {
+ // File has been removed. Let caller handle this.
+ throw fnfe;
+ } catch (IOException ex) {
+ if (options.getDevelopment()) {
+ throw handleJspException(ex);
+ } else {
+ throw ex;
+ }
+ } catch (IllegalStateException ex) {
+ if (options.getDevelopment()) {
+ throw handleJspException(ex);
+ } else {
+ throw ex;
+ }
+ } catch (Exception ex) {
+ if (options.getDevelopment()) {
+ throw handleJspException(ex);
+ } else {
+ throw new JasperException(ex);
+ }
+ }
+
+ try {
+
/*
* (3) Service request
*/
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
