Mark,

For backwards compatibility, I think the restrictions to the TLD location need to follow the spec level used by the web application. Since JSP 1.1 didn't include much in the way of restrictions, I know of some legacy Servlet 2.2/JSP 1.1 webapps that would fail these restrictions if deployed to Tomcat 5 with this change (or Tomcat 4.1 with the port of this change). If you want, I can take a look at fixing this.
Cheers, Larry > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Saturday, January 03, 2004 8:57 AM > To: [EMAIL PROTECTED] > Subject: cvs commit: > jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/reso > urces messages.properties > > > markt 2004/01/03 05:56:39 > > Modified: jasper2/src/share/org/apache/jasper/compiler > TagLibraryInfoImpl.java > jasper2/src/share/org/apache/jasper/resources > messages.properties > Log: > - Fix bug 11069. Check that the location of the TLD file is > spec compliant. > > Revision Changes Path > 1.50 +11 -4 > jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/comp > iler/TagLibraryInfoImpl.java > > Index: TagLibraryInfoImpl.java > =================================================================== > RCS file: > /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/j > asper/compiler/TagLibraryInfoImpl.java,v > retrieving revision 1.49 > retrieving revision 1.50 > diff -u -r1.49 -r1.50 > --- TagLibraryInfoImpl.java 3 Jan 2004 12:17:18 -0000 1.49 > +++ TagLibraryInfoImpl.java 3 Jan 2004 13:56:38 -0000 1.50 > @@ -5,7 +5,7 @@ > * > * The Apache Software License, Version 1.1 > * > - * Copyright (c) 1999 The Apache Software Foundation. All rights > + * Copyright (c) 1999,2004 The Apache Software Foundation. > All rights > * reserved. > * > * Redistribution and use in source and binary forms, with > or without 
> @@ -200,6 +200,13 @@ > } > } catch (FileNotFoundException ex) { > > err.jspError("jsp.error.file.not.found", location[0]); > + } > + > + // Check TLD file location conforms to JSP.7.3.1 > + if (!location[0].startsWith("/WEB-INF/") > + || > location[0].startsWith("/WEB-INF/classes/") > + || > location[0].startsWith("/WEB-INF/lib/")) { > + > err.jspError("jsp.error.tld.invalid.location", location[0]); > } > > parseTLD(ctxt, location[0], in, null); > > > > 1.138 +2 -1 > jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/reso > urces/messages.properties > > Index: messages.properties > =================================================================== > RCS file: > /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/j > asper/resources/messages.properties,v > retrieving revision 1.137 > retrieving revision 1.138 > diff -u -r1.137 -r1.138 > --- messages.properties 11 Dec 2003 18:24:21 -0000 1.137 > +++ messages.properties 3 Jan 2004 13:56:39 -0000 1.138 > @@ -187,6 +187,7 @@ > jsp.error.tld.unable_to_read=Unable to read TLD \"{1}\" > from JAR file \"{0}\": {2} > jsp.error.tld.unable_to_get_jar=Unable to get JAR resource > \"{0}\" containing TLD: {1} > jsp.error.tld.missing_jar=Missing JAR resource \"{0}\" > containing TLD > +jsp.error.tld.invalid.location=\"{0}\" is not a valid > location for a TLD as per JSP specification JSP.7.3.1 > jsp.error.webxml_not_found=Could not locate web.xml > jsp.cmd_line.usage=Usage: jsptoservlet [-dd > <path/to/outputDirectory>] [-keepgenerated] \ > <.jsp files> > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
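Review bot: in the TagLibraryInfoImpl.java hunk (@@ -200,6 +200,13 @@), the three startsWith() tests run on location[0] as a raw string, so a location containing ".." segments can satisfy the "/WEB-INF/" prefix test while resolving somewhere else, unless the value has already been normalised before this point, which these lines do not show. Normalise the path, or reject any ".." segment, before the prefix tests. The check also sits after the try/catch that reports jsp.error.file.not.found, so the resource is looked up before its location is validated; moving the test ahead of that block would validate first. The test is also unconditional, so it applies whatever JSP version the web application declares.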
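Review bot: in the messages.properties hunk (@@ -187,6 +187,7 @@), the new key jsp.error.tld.invalid.location separates its last two words with a dot, while the neighbouring TLD keys in the same context lines use underscores (jsp.error.tld.unable_to_read, jsp.error.tld.unable_to_get_jar, jsp.error.tld.missing_jar). Consider jsp.error.tld.invalid_location, with the matching change to the err.jspError() call in TagLibraryInfoImpl.java, so the key follows the group it was added to. The message text cites section JSP.7.3.1 by number only; adding the permitted location (under /WEB-INF/, outside classes/ and lib/, as the Java check enforces) would let a deployer fix the path without looking up the specification.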