myfaces-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thomas Timbul (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Comment Edited] (MYFACES-4002) Regression? - References to external entities not working with WebXmlParser
Date Fri, 21 Aug 2015 09:28:46 GMT

    [ https://issues.apache.org/jira/browse/MYFACES-4002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14706458#comment-14706458
] 

Thomas Timbul edited comment on MYFACES-4002 at 8/21/15 9:28 AM:
-----------------------------------------------------------------

This is what it boils down to (formatting may be slightly off):

{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app [
	<!ENTITY contextparams 	SYSTEM	"webxml/context-params.xml">
	<!ENTITY filtermappings	 SYSTEM	"webxml/filter-mappings.xml">
	<!ENTITY filters 		SYSTEM	"webxml/filters.xml">
	<!ENTITY listeners		 SYSTEM	"webxml/listeners.xml">
	<!ENTITY servletmappings  SYSTEM	"webxml/servlet-mappings.xml">
	<!ENTITY servlets		 SYSTEM	"webxml/servlets.xml">
	<!ENTITY mime 			SYSTEM	"webxml/mime.xml">
	<!ENTITY welcome		 SYSTEM	"webxml/welcome.xml">
]>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
		 http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
		 version="3.0">

[...]
&contextparams;
[...]
&filtermappings;
[...]
&filters;
[...]
&listeners;
[...]
[etc]
</web-app>
{code}

This used to work fine on 2.0.7.
After upgrading to "stock" 2.2.4 it failed with the above error, but fine again after I patched
as above.

I initially discarded the use of web fragment only because this is now somewhat of a legacy
project, and it used to work perfectly fine previously. I'm sure it could be restructured
using web-fragments, but unfortunately it is not something I am able to spend time on right
now.

Please note that I have not considered possible side effects, such as a user (for some strange
reason) wanting to specify an absolute system path.
I also haven't compared the 2.0.7 WebXmlParser sources to check whether changes were actually
made.
Perhaps the change is actually in core classes that produce the "systemId"?


was (Author: ttimbul):
This is what it boils down to (formatting may be slightly off):

{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app [
	<!ENTITY contextparams 	SYSTEM	"webxml/context-params.xml">
	<!ENTITY filtermappings	 SYSTEM	"webxml/filter-mappings.xml">
	<!ENTITY filters 		SYSTEM	"webxml/filters.xml">
	<!ENTITY listeners		 SYSTEM	"webxml/listeners.xml">
	<!ENTITY servletmappings  SYSTEM	"webxml/servlet-mappings.xml">
	<!ENTITY servlets		 SYSTEM	"webxml/servlets.xml">
	<!ENTITY mime 			SYSTEM	"webxml/mime.xml">
	<!ENTITY welcome		 SYSTEM	"webxml/welcome.xml">
]>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
		 http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
		 version="3.0">

[...]
&contextparams;
[...]
&filtermappings;
[...]
&filters;
[...]
&listeners;
[...]
[etc]
</wepp-app>
{code}

This used to work fine on 2.0.7.
After upgrading to "stock" 2.2.4 it failed with the above error, but fine again after I patched
as above.

I initially discarded the use of web fragment only because this is now somewhat of a legacy
project, and it used to work perfectly fine previously. I'm sure it could be restructured
using web-fragments, but unfortunately it is not something I am able to spend time on right
now.

Please note that I have not considered possible side effects, such as a user (for some strange
reason) wanting to specify an absolute system path.
I also haven't compared the 2.0.7 WebXmlParser sources to check whether changes were actually
made.
Perhaps the change is actually in core classes that produce the "systemId"?

> Regression? - References to external entities not working with WebXmlParser
> ---------------------------------------------------------------------------
>
>                 Key: MYFACES-4002
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4002
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 2.2.4
>         Environment: Myfaces 2.2.4, Tomcat 8.0.23, JDK 1.8_20, Windows 7 64bit
>            Reporter: Thomas Timbul
>         Attachments: patch1.txt
>
>
> I've searched JIRA and there are a few issues related to WebXmlParser, but this seems
almost like a recurrence of MYFACES-1754.
> My web.xml is split into multiple files, each declared as an XML entity relative to the
web.xml file itself:
> {code:xml}
> <!ENTITY contextparams	SYSTEM	"webxml/context-params.xml">
> {code}
> (As a side note I used to use {{jndi:/localhost/WEB-INF/webxml/context-params.xml}},
but for some reason Tomcat 8 claims that jndi is an invalid protocol).
> Using resource relative system identifiers Tomcat is now happy and the context starts
correctly. However, during its initialization MyFaces re-parses the web.xml descriptor and
resolves the entities incorrectly, leading to failure with the message:
> {code}
> 2015-06-17 15:48:13.853 [localhost-startStop-1] ERROR o.a.m.s.w.webxml.WebXmlParser -
Unable to parse web.xml
> java.lang.IllegalArgumentException: The resource path [file:///WEB-INF/webxml/context-params.xml]
is not valid
> {code}
> The solution is to remove the file:// prefix before passing to the external context to
resolve, as in this patch:
> {code}
> Index: org/apache/myfaces/shared_impl/webapp/webxml/WebXmlParser.java
> ===================================================================
> --- WebXmlParser.java	(revision ???)
> +++ WebXmlParser.java	(working copy)
> @@ -138,6 +138,9 @@
>  
>      private InputSource createContextInputSource(String publicId, String systemId)
>      {
> +        if(systemId.startsWith("file:")) {
> +            systemId = systemId.substring(7); // remove file://
> +        }
>          InputStream inStream = _context.getResourceAsStream(systemId);
>          if (inStream == null)
>          {
> {code}
> Those three lines of code are based on other work by the MyFaces team (org.apache.myfaces.config.impl.FacesConfigEntityResolver)
and even if it weren't is made available free of charge and free from license restrictions.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message