Author: markt Date: Thu Oct 16 13:44:18 2014 New Revision: 1632307 URL: http://svn.apache.org/r1632307 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57099 Ensure that semi-colons are not permitted in JSP import page directives.
Added: tomcat/trunk/test/org/apache/jasper/compiler/TestNode.java (with props)
Modified: tomcat/trunk/java/org/apache/jasper/compiler/Node.java tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/jasper/compiler/Node.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/compiler/Node.java?rev=1632307&r1=1632306&r2=1632307&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/compiler/Node.java (original)
+++ tomcat/trunk/java/org/apache/jasper/compiler/Node.java Thu Oct 16 13:44:18 2014
@@ -583,20 +583,35 @@ abstract class Node implements TagConsta
 int start = 0;
 int index;
 while ((index = value.indexOf(',', start)) != -1) {
- imports.add(value.substring(start, index).trim());
+ imports.add(validateImport(value.substring(start, index)));
 start = index + 1;
 }
 if (start == 0) {
 // No comma found
- imports.add(value.trim());
+ imports.add(validateImport(value));
 } else {
- imports.add(value.substring(start).trim());
+ imports.add(validateImport(value.substring(start)));
 }
 }
 
 public List<String> getImports() {
 return imports;
 }
+
+ /**
+ * Just need enough validation to make sure nothing strange is going on.
+ * The compiler will validate this thoroughly when it tries to compile
+ * the resulting .java file.
+ */
+ private String validateImport(String importEntry) {
+ // This should either be a fully-qualified class name or a package
+ // name with a wildcard
+ if (importEntry.indexOf(';') > -1) {
+ throw new IllegalArgumentException(
+ Localizer.getMessage("jsp.error.page.invaild.import"));
+ }
+ return importEntry.trim();
+ }
 }
 
 /**
Modified: tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties?rev=1632307&r1=1632306&r2=1632307&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties Thu Oct 16 13:44:18 2014
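Review bot: validateImport rejects only the ';' character, although its own comment says an entry should be a fully-qualified class name or a package name with a wildcard, so the check is a one-character denylist rather than a test of that shape. Since the Javadoc states the value ends up in the generated .java file, an allowlist of the characters an import can contain (identifier parts, '.', '*', and the whitespace that testPageDirectiveImport07 in the TestNode.java hunk expects to pass) would match the stated intent at the same cost. Pages that rely on other characters in an import entry, if any exist, would need checking before tightening this. addImport starts above the hunk, so how its callers handle the IllegalArgumentException is not visible here.

```java
private String validateImport(String importEntry) {
    // Accept only what a type or on-demand import can contain. Whitespace
    // stays allowed because entries may be padded or wrapped across lines.
    for (int i = 0; i < importEntry.length(); i++) {
        char c = importEntry.charAt(i);
        if (!Character.isJavaIdentifierPart(c) && c != '.' && c != '*'
                && !Character.isWhitespace(c)) {
            // … unchanged: throw IllegalArgumentException with the localized message …
        }
    }
    return importEntry.trim();
}
```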
@@ -38,6 +38,7 @@ jsp.error.page.invalid.buffer=Page direc
 jsp.error.page.conflict.autoflush=Page directive: illegal to have multiple occurrences of 'autoFlush' with different values (old: {0}, new: {1})
 jsp.error.page.conflict.isthreadsafe=Page directive: illegal to have multiple occurrences of 'isThreadSafe' with different values (old: {0}, new: {1})
 jsp.error.page.invalid.isthreadsafe=Page directive: invalid value for isThreadSafe
+jsp.error.page.invaild.import=Page directive: invalid value for import
 jsp.error.page.conflict.info=Page directive: illegal to have multiple occurrences of 'info' with different values (old: {0}, new: {1})
 jsp.error.page.invalid.info=Page directive: invalid value for info
 jsp.error.page.conflict.iserrorpage=Page directive: illegal to have multiple occurrences of 'isErrorPage' with different values (old: {0}, new: {1})
Added: tomcat/trunk/test/org/apache/jasper/compiler/TestNode.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/jasper/compiler/TestNode.java?rev=1632307&view=auto
==============================================================================
--- tomcat/trunk/test/org/apache/jasper/compiler/TestNode.java (added)
+++ tomcat/trunk/test/org/apache/jasper/compiler/TestNode.java Thu Oct 16 13:44:18 2014
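Review bot: The new key is spelled `jsp.error.page.invaild.import`, while the neighbouring keys in this hunk all use `invalid` (`jsp.error.page.invalid.isthreadsafe`, `jsp.error.page.invalid.info`). The lookup added in the Node.java hunk uses the same spelling, so the message resolves today, but a search for the `invalid` family or a bundle keyed on the expected spelling would miss it. Renaming both in one commit keeps the family consistent: `jsp.error.page.invalid.import=Page directive: invalid value for import` here and `Localizer.getMessage("jsp.error.page.invalid.import")` in Node.java.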
@@ -0,0 +1,73 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jasper.compiler;
+
+import java.util.List;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.apache.jasper.compiler.Node.PageDirective;
+
+public class TestNode {
+
+ /*
+ * https://issues.apache.org/bugzilla/show_bug.cgi?id=57099
+ */
+ @Test(expected=IllegalArgumentException.class)
+ public void testPageDirectiveImport01() {
+ doTestPageDirectiveImport("java.io.*;\r\n\timport java.net.*");
+ }
+
+ @Test
+ public void testPageDirectiveImport02() {
+ doTestPageDirectiveImport("a,b,c");
+ }
+
+ @Test
+ public void testPageDirectiveImport03() {
+ doTestPageDirectiveImport(" a , b , c ");
+ }
+
+ @Test
+ public void testPageDirectiveImport04() {
+ doTestPageDirectiveImport(" a\n , \r\nb , \nc\r ");
+ }
+
+ @Test
+ public void testPageDirectiveImport05() {
+ doTestPageDirectiveImport("java.util.List,java.util.ArrayList,java.util.Set");
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testPageDirectiveImport06() {
+ doTestPageDirectiveImport("java.util.List;import java.util.ArrayList; import java.util.Set");
+ }
+
+ @Test
+ public void testPageDirectiveImport07() {
+ doTestPageDirectiveImport("java 
.\nutil.List,java.util.ArrayList,java.util.Set");
+ }
+
+ private void doTestPageDirectiveImport(String importDirective) {
+ PageDirective pd = new PageDirective(null, null, null);
+ pd.addImport(importDirective);
+ List<String> imports = pd.getImports();
+
+ Assert.assertEquals(3, imports.size());
+ }
+}
Propchange: tomcat/trunk/test/org/apache/jasper/compiler/TestNode.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1632307&r1=1632306&r2=1632307&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Oct 16 13:44:18 2014
@@ -161,6 +161,14 @@
 </scode>
 </changelog>
 </subsection>
+ <subsection name="Jasper">
+ <changelog>
+ <fix>
+ <bug>57099</bug>: Ensure that semi-colons are not permitted in JSP
+ import page directives. (markt)
+ </fix>
+ </changelog>
+ </subsection>
 <subsection name="Cluster">
 <changelog>
 <fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
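Review bot: doTestPageDirectiveImport asserts only `imports.size()`, so the passing cases would still succeed if entries came back untrimmed or split in the wrong place; cases 03 and 04 feed padded input but never look at the resulting values. Having the helper return the list and adding, for example, `Assert.assertEquals(Arrays.asList("a", "b", "c"), imports);` to those cases would pin the trimming that validateImport now performs. Case 07 accepts whitespace inside a name without saying why; a comment such as `// Whitespace around the dots is left for the Java compiler to judge` would record that this is intended, if it is.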