From tomcat-dev-return-57012-apmail-jakarta-tomcat-dev-archive=jakarta.apache.org@jakarta.apache.org Thu Mar 17 09:37:31 2005
Return-Path: <tomcat-dev-return-57012-apmail-jakarta-tomcat-dev-archive=jakarta.apache.org@jakarta.apache.org>
Delivered-To: apmail-jakarta-tomcat-dev-archive@www.apache.org
Received: (qmail 9630 invoked from network); 17 Mar 2005 09:37:31 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur-2.apache.org with SMTP; 17 Mar 2005 09:37:31 -0000
Received: (qmail 53300 invoked by uid 500); 17 Mar 2005 09:37:23 -0000
Delivered-To: apmail-jakarta-tomcat-dev-archive@jakarta.apache.org
Received: (qmail 53252 invoked by uid 500); 17 Mar 2005 09:37:22 -0000
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
List-Unsubscribe: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
List-Subscribe: <mailto:tomcat-dev-subscribe@jakarta.apache.org>
List-Help: <mailto:tomcat-dev-help@jakarta.apache.org>
List-Post: <mailto:tomcat-dev@jakarta.apache.org>
List-Id: "Tomcat Developers List" <tomcat-dev.jakarta.apache.org>
Reply-To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 53239 invoked by uid 99); 17 Mar 2005 09:37:22 -0000
X-ASF-Spam-Status: No, hits=0.4 required=10.0
	tests=DNS_FROM_RFC_ABUSE,RCVD_BY_IP,SPF_HELO_PASS,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (hermes.apache.org: domain of henri.gomez@gmail.com designates 64.233.184.206 as permitted sender)
Received: from wproxy.gmail.com (HELO wproxy.gmail.com) (64.233.184.206)
  by apache.org (qpsmtpd/0.28) with ESMTP; Thu, 17 Mar 2005 01:37:21 -0800
Received: by wproxy.gmail.com with SMTP id 37so187159wra
        for <tomcat-dev@jakarta.apache.org>; Thu, 17 Mar 2005 01:37:19 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
        b=Rhk+Jqxvj/7SoVcWJTAjppsIx2yffTKrjvH55c00m02/SzQVIxKDHYQxl8Q3TfSgtlpE+155ccZ9S6KnL0zt2pNuDdcWCBH5wrUMywBq94fQ4pcCbDmpG8KTNU0qUjNqaj68Z/UZCqRZmgFvEOmRpGG8DasWJv60HmcbD6nuI+o=
Received: by 10.54.29.61 with SMTP id c61mr1732041wrc;
        Thu, 17 Mar 2005 01:37:19 -0800 (PST)
Received: by 10.54.47.55 with HTTP; Thu, 17 Mar 2005 01:37:19 -0800 (PST)
Message-ID: <6291fc8505031701371fc3ac21@mail.gmail.com>
Date: Thu, 17 Mar 2005 10:37:19 +0100
From: Henri Gomez <henri.gomez@gmail.com>
Reply-To: hgomez@apache.org
To: Discussion about Tomcat dev <tomcat-dev@jakarta.apache.org>
Subject: Jasper and external entities parsing
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked
X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N

>From what I see in the 5.5.8 code the external entities cannot be
resolved since we provide an InputSource to the documentBuilder in
ParseUtils :

   private void processWebDotXml(ServletContext ctxt) throws JasperException {

	InputStream is = null;

        try {
            is = ctxt.getResourceAsStream(WEB_XML);
	    if (is == null) {
	        // no web.xml
	        return;
	    }

	    ParserUtils pu = new ParserUtils();
	    TreeNode webApp = pu.parseXMLDocument(WEB_XML, is);
	    if (webApp == null
                    || !"2.4".equals(webApp.findAttribute("version"))) {
	        defaultIsELIgnored = "true";
	        return;
	    }

As such when the documentBuilder found a partial external entities,
like <!ENTITY base      SYSTEM "base.xml">, it has no idea of its root
location and as such consider as a file and provide it a dummy base
location.

What could be done it to use the ctxt.getResourceAsStream() after
cleaning the systemId reference from any file:// reference (ie:
file:///C:/eclipse3/base.xml => WEB-INF/base.xml).

Remmy do you agree on this since which such we stay independancy from
being on file or other way ?

Regards

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org