https://bz.apache.org/bugzilla/show_bug.cgi?id=69135

            Bug ID: 69135
           Summary: Tag files doing relative file include does not works
                    in case tag is in jar
           Product: Tomcat 9
           Version: 9.0.x
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Jasper
          Assignee: dev@tomcat.apache.org
          Reporter: jke...@apache.org
  Target Milestone: -----

Tag files that are in a jar package and use an include like:
<%@ include file="/META-INF/include.jspf"%>
work correctly.

But tag files that are in a jar package and use a relative path file include
like:
<%@ include file="../include.jspf"%>
don't work correctly.

Jasper compilation complains about file not found.
After some debugging in Jasper, it seems that JspUtil.getInputStream
has the logic for in jar/not in jar:

        if (jar != null) {
            String jarEntryName = fname.substring(1);
            in = jar.getInputStream(jarEntryName);
        } else {
            in = ctxt.getResourceAsStream(fname);
        }

fname is built previously by ParserController.resolveFileName(String
inFileName).
But in the case of a relative inFileName, like: ../include.jspf
the output of ParserController.resolveFileName(String inFileName) will be:
/META-INF/../include.jspf

It's a valid path, but when using this path on a Jar/ZipEntry it's not able to
find the entry.

Maybe the path needs to be resolved first before looking for the entry in the
jar? Something like:
Paths.get(fname).normalize().toString();

I'm sorry I was not able to find a fix in the code. Also, I did my tests on
Tomcat 9, but it looks like the code is similar in more recent versions.
But I did implement unit tests to reproduce it easily:
- one unit test of an absolute file include from a tag in a jar that works
- one unit test of a relative file include from a tag in a jar that fails

Here is the commit from my fork:
https://github.com/jkevan/tomcat/commit/eeda51262c4bbdc9e46b30f52ef7b7862a0e0b84
(didn't open a Pull request since I don't have a fix)
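
The lookup behaviour described in the report, as an added example (not Tomcat's code and not the reporter's): zip/jar entry names are matched literally, so a name containing ".." misses until it is resolved. The class name and the toEntryName helper are hypothetical; the helper resolves segments on '/' (the separator jar entry names always use) and rejects paths that climb above the jar root.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

public class JarEntryNameDemo {

    // Hypothetical helper: collapse "." and ".." in a '/'-separated path and
    // return the jar entry name (no leading slash). Paths that would climb
    // above the jar root are rejected instead of being silently clamped.
    static String toEntryName(String fname) {
        Deque<String> parts = new ArrayDeque<>();
        for (String seg : fname.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (parts.isEmpty()) {
                    throw new IllegalArgumentException("escapes jar root: " + fname);
                }
                parts.removeLast();
            } else {
                parts.addLast(seg);
            }
        }
        return String.join("/", parts);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample jar with a single entry at its root.
        File jar = File.createTempFile("demo", ".jar");
        jar.deleteOnExit();
        try (ZipOutputStream out = new ZipOutputStream(new FileOutputStream(jar))) {
            out.putNextEntry(new ZipEntry("include.jspf"));
            out.write("<%-- included --%>".getBytes("UTF-8"));
            out.closeEntry();
        }
        String fname = "/META-INF/../include.jspf"; // value quoted in the report
        try (ZipFile zip = new ZipFile(jar)) {
            // Literal match: the unresolved name finds nothing, the resolved one does.
            System.out.println("unresolved: " + zip.getEntry(fname.substring(1)));
            System.out.println("resolved:   " + zip.getEntry(toEntryName(fname)));
        }
    }
}
```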
