tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emil S. Petkov" <emil.pet...@usa.net>
Subject ShowSource in examples throws exception
Date Wed, 11 Apr 2001 09:53:48 GMT
I have installed Tomcat 3.2.1 with the default configuration files -- still did not care to
make changes. Then connected to the examples page -- everything fine, examples work.

However, showing the source of a jsp page using sourse.jsp does not work and throws JspTagException.
In
$TOMCAT_HOME/webapps/examples/WEB-INF/classes/examples/ShowSource.java
the following code does that:

...
    public int doEndTag() throws JspException {
        if ((jspFile.indexOf( ".." ) >= 0) ||
            (jspFile.toUpperCase().indexOf("/WEB-INF/") != 0) ||
            (jspFile.toUpperCase().indexOf("/META-INF/") != 0))
            throw new JspTagException("Invalid JSP file " + jspFile);
...

As far as I can recall the 2nd and the 3rd conditions were added for security reasons. However,
as I read them, they mean that the jsp file path SHOULD begin with "/WEB-INF/" or "/META-INF/".
Is it really what they meant? Shouldn't the access to WEB-INF and META-INF be denied (i.e.
in the above confitions '>= 0' or ' != -1', or at least "= 0") -- at least this is what
the apache conf chunk does. Well -- we have for the numguess example an URL of http://localhost:8080/examples/jsp/source.jsp?/jsp/num/numguess.jsp
-- i.e. it does not meet the condition and throws exception.

It is not clear to me what does an absolute path mean when calling a method from a jsp.

(Bellow is what I get if somebody cares to read it)

Thanx in advance for any assistance.

Best regards,
Emil S. Petkov


Error: 500
Location: /examples/jsp/source.jsp
Internal Servlet Error:

javax.servlet.ServletException: Invalid JSP file /jsp/num/numguess.jsp
 at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:459)
 at jsp._0002fjsp_0002fsource_0002ejspsource_jsp_1._jspService(_0002fjsp_0002fsource_0002ejspsource_jsp_1.java:89)
 at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:119)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
 at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:177)
 at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:318)
 at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:391)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
 at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:404)
 at org.apache.tomcat.core.Handler.service(Handler.java:286)
 at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
 at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
 at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
 at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
 at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
 at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498)
 at java.lang.Thread.run(Thread.java:484)

Root cause: 
javax.servlet.jsp.JspTagException: Invalid JSP file /jsp/num/numguess.jsp
 at examples.ShowSource.doEndTag(ShowSource.java:26)
 at jsp._0002fjsp_0002fsource_0002ejspsource_jsp_1._jspService(_0002fjsp_0002fsource_0002ejspsource_jsp_1.java:76)
 at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:119)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
 at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:177)
 at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:318)
 at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:391)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
 at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:404)
 at org.apache.tomcat.core.Handler.service(Handler.java:286)
 at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
 at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
 at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
 at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
 at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
 at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498)
 at java.lang.Thread.run(Thread.java:484)




Mime
View raw message