geronimo-dev mailing list archives

From "Donald Woods (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMO-4245) Upgrade to Tomcat 6.0.18 to pickup latest security fixes
Date Fri, 15 Aug 2008 04:38:46 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-4245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12622804#action_12622804 ]

Donald Woods commented on GERONIMO-4245:
----------------------------------------

I've run into several JSP files in our build (mainly the monitor webapp) that require code
changes to work with Tomcat 6.0.18, due to tightened code around the JSP 2.0 spec in Jasper
during the Tomcat 6.0.17 release.

The build errors look something like -
org.apache.jasper.JasperException: file:/Users/drwoods/geronimo/server-trunk/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp(168,168)
Attribute value rs.getString("server_id") is quoted with " which must be escaped when used
within the value
    at org.apache.jasper.compiler.DefaultErrorHandler.jspError(DefaultErrorHandler.java:40)


There are several places in the portlet code where we have -
     value="<%=rs.getString("server_id")%>"
which had to be changed to
     value='<%=rs.getString("server_id")%>'


The full text of the Tomcat Jasper change can be found at -
https://issues.apache.org/bugzilla/show_bug.cgi?id=45015
with the basic explanation being -

According to JSP 2.0 specification (chapter 1.7 page 72,73)

This code is illegal:
<mytags:tag value="<%= "hi!" %>" />

Instead the correct sentence would be:
<mytags:tag value='<%= "hi!" %>' />
<mytags:tag value="<%= \"hi!\" %>" />
<mytags:tag value='<%= \"name\" %>' />
... 


> Upgrade to Tomcat 6.0.18 to pickup latest security fixes
> --------------------------------------------------------
>
>                 Key: GERONIMO-4245
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4245
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: dependencies
>    Affects Versions: 2.0, 2.0.1, 2.0.2, 2.0.3, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.2
>            Reporter: Donald Woods
>            Assignee: Donald Woods
>            Priority: Critical
>             Fix For: 2.0.3, 2.1.3, 2.2
>
>
> Need to upgrade to Tomcat 6.0.18 to pickup the latest security fixes, as listed on the
> following Tomcat webpage - http://tomcat.apache.org/security-6.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
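
An added example, not part of the original message and not Geronimo or Tomcat code: a Python scanner that finds the attribute pattern described in the comment above, so affected JSP files can be located before the Tomcat 6.0.18 upgrade. The function names and the sample JSP text are constructed for illustration, and only attributes whose whole value is a single `<%= %>` expression are handled.

```python
import re

# attr=QUOTE<%= expr %>QUOTE where the whole value is one JSP expression.
# Values that mix literal text with expressions are out of scope here.
ATTR_EXPR = re.compile(
    r'([\w:.-]+)\s*=\s*(["\'])\s*<%=((?:(?!%>).)*)%>\s*\2', re.DOTALL)

def _uses(quote, expr):
    """True if expr contains `quote` without a preceding backslash."""
    return re.search(r'(?<!\\)' + re.escape(quote), expr) is not None

def find_violations(jsp_text):
    """Return (line, attribute, delimiter) for each attribute whose
    expression contains the delimiting quote unescaped."""
    hits = []
    for m in ATTR_EXPR.finditer(jsp_text):
        name, quote, expr = m.groups()
        if _uses(quote, expr):
            line = jsp_text.count("\n", 0, m.start()) + 1
            hits.append((line, name, quote))
    return hits

def requote(jsp_text):
    """Apply the change from the message: switch the delimiter to the
    other quote. Skipped when the expression also contains that other
    quote, since such a value needs manual escaping."""
    def swap(m):
        name, quote, expr = m.groups()
        other = "'" if quote == '"' else '"'
        if not _uses(quote, expr) or other in expr:
            return m.group(0)
        return f"{name}={other}<%={expr}%>{other}"
    return ATTR_EXPR.sub(swap, jsp_text)

# Constructed sample; lines 2 and 5 use the form Jasper now rejects.
SAMPLE = r'''<select name="server">
  <option value="<%=rs.getString("server_id")%>">
  <option value='<%=rs.getString("name")%>'>
  <mytags:tag value="<%= \"hi!\" %>" />
  <input title="<%= pick("a", 'b') %>">
</select>
'''

if __name__ == "__main__":
    for line, name, quote in find_violations(SAMPLE):
        print(f"line {line}: attribute {name} delimited by {quote}")
    print(requote(SAMPLE))
```

The `title` attribute on line 5 of the sample is reported but left unchanged by `requote`, because its expression uses both quote characters.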

