Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10134

Include jsp from a taglib throws exception if path not normalized

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 7.2.0.CD14
    • 7.0.5.GA
    • Undertow
    • +
    • Workaround Exists
    • Hide

      The workaround is using an absolute path or a relative normalized path (no "./" or "../" in it).

      Show
      The workaround is using an absolute path or a relative normalized path (no "./" or "../" in it).
    • Hide

      Deploy the tld-war.war application and access to the "/tld-war/index.jsp" page. It produces the exception.

      Show
      Deploy the tld-war.war application and access to the "/tld-war/index.jsp" page. It produces the exception.

      If using a include directive in a tag-file

      1.- A WAR app with just an "index.jsp":

      Unable to find source-code formatter for language: jsp. Available languages are: actionscript, ada, applescript, bash, c, c#, c++, cpp, css, erlang, go, groovy, haskell, html, java, javascript, js, json, lua, none, nyan, objc, perl, php, python, r, rainbow, ruby, scala, sh, sql, swift, visualbasic, xml, yaml
      <%@ page contentType="text/html" %>
      <%@ taglib prefix="sample" uri="sample" %>
      <html>
      <body bgcolor="white">
        <h1>Sample TLD</h1>
        <sample:copyright/>
      </body>
      </html>
      

      2.- The sample taglib is inside another JAR and defined like this:

      <?xml version="1.0" encoding="UTF-8" ?>
      <taglib xmlns="http://java.sun.com/xml/ns/j2ee"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
                     version="2.0">
          <tlib-version>1.0</tlib-version>
          <short-name>sample</short-name>
          <uri>sample</uri>
          <tag-file>
            <name>copyright</name>
            <path>/META-INF/tags/copyright.tag</path>
          </tag-file>
      </taglib>
      

      3.- The tag-file "copyright.tag" includes another JSP with the include directive:

      Unable to find source-code formatter for language: jsp. Available languages are: actionscript, ada, applescript, bash, c, c#, c++, cpp, css, erlang, go, groovy, haskell, html, java, javascript, js, json, lua, none, nyan, objc, perl, php, python, r, rainbow, ruby, scala, sh, sql, swift, visualbasic, xml, yaml
      <%@tag body-content="empty" %>
      <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
      <%@include file="./includes/include1.inc" %>
      <jsp:useBean id="now" scope="application" class="java.util.Date" />
      <p>Copyright© ${now.year + 1900} My Company<%@ tag body-content="empty" %></p>
      

      4.- The final include "include1.inc" is a simple jsp file:

      Unable to find source-code formatter for language: jsp. Available languages are: actionscript, ada, applescript, bash, c, c#, c++, cpp, css, erlang, go, groovy, haskell, html, java, javascript, js, json, lua, none, nyan, objc, perl, php, python, r, rainbow, ruby, scala, sh, sql, swift, visualbasic, xml, yaml
      <%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
      <%@taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn"%>
      <%@taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt"%>
      <p>Request URI: <%= request.getRequestURI() %></p>
      

      The resulting WAR throws the following exception:

      2017-04-04 10:25:34,935 ERROR [io.undertow.request] (default task-7) UT005023: Exception handling request to /tld-war/index.jsp: org.apache.jasper.JasperException: /META-INF/tags/copyright.tag (JBWEB004251: An error occurred at line: 3 column: 1) JBWEB004036: File "./includes/include1.jsp" not found
              at org.apache.jasper.compiler.DefaultErrorHandler.jspError(DefaultErrorHandler.java:45)
              at org.apache.jasper.compiler.ErrorDispatcher.dispatch(ErrorDispatcher.java:276)
              at org.apache.jasper.compiler.ErrorDispatcher.jspError(ErrorDispatcher.java:91)
              at org.apache.jasper.compiler.Parser.processIncludeDirective(Parser.java:326)
              at org.apache.jasper.compiler.Parser.parseIncludeDirective(Parser.java:361)
              ...
      

      Nevertheless I have tested that the same application works if:

      1.- The include jsp is added using an absolute path:
      <%@include file="/META-INF/tags/includes/include1.inc" %>

      2.- The include path does not use "." or ".." (it is normalized):
      <%@include file="includes/include1.inc" %>

      Following the normalization idea I have patched the ParserController in jastow-2.0.0.Final-redhat-1.jar like this:

      --- ParserController.java.ORIG    2017-04-04 12:07:39.655817486 +0200
      +++ ParserController.java    2017-04-04 13:17:56.570334402 +0200
      @@ -28,6 +28,7 @@
       import org.apache.jasper.xmlparser.XMLEncodingDetector;
       import org.apache.tomcat.util.scan.Jar;
       import org.xml.sax.Attributes;
      +import java.nio.file.Paths;
       
       /**
        * Controller for the parsing of a JSP page.
      @@ -501,6 +502,7 @@
               boolean isAbsolute = fileName.startsWith("/");
               fileName = isAbsolute ? fileName
                       : baseDirStack.peek() + fileName;
      +    fileName = Paths.get(fileName).normalize().toString();
               String baseDir =
                   fileName.substring(0, fileName.lastIndexOf("/") + 1);
               baseDirStack.push(baseDir);
      

      And it works. The "./includes/include1.inc" is correctly read and the JSP is compiled successfully. I'm going to submit a PR to github later.

              sdouglas1@redhat.com Stuart Douglas (Inactive)
              rhn-support-rmartinc Ricardo Martin Camarero
              Jan Stourac Jan Stourac
              Jan Stourac Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: