Author: kkolinko Date: Wed Jan 29 21:19:57 2014 New Revision: 1562597 URL: http://svn.apache.org/r1562597 Log: Make the xmlBlockExternal option in Catalina and Jasper to be true by default.
Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java tomcat/trunk/java/org/apache/jasper/JspC.java tomcat/trunk/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java tomcat/trunk/java/org/apache/jasper/compiler/JspDocumentParser.java tomcat/trunk/java/org/apache/jasper/compiler/TagPluginManager.java tomcat/trunk/java/org/apache/jasper/compiler/TldCache.java tomcat/trunk/java/org/apache/jasper/servlet/JasperInitializer.java tomcat/trunk/java/org/apache/jasper/servlet/JspCServletContext.java tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/config/context.xml tomcat/trunk/webapps/docs/security-howto.xml Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1562597&r1=1562596&r2=1562597&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original) +++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Wed Jan 29 21:19:57 2014 @@ -675,7 +675,7 @@ public class StandardContext extends Con /** * Attribute used to turn on/off the use of external entities. */ - private boolean xmlBlockExternal = Globals.IS_SECURITY_ENABLED; + private boolean xmlBlockExternal = true; /** Modified: tomcat/trunk/java/org/apache/jasper/JspC.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/JspC.java?rev=1562597&r1=1562596&r2=1562597&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/jasper/JspC.java (original) +++ tomcat/trunk/java/org/apache/jasper/JspC.java Wed Jan 29 21:19:57 2014 @@ -135,6 +135,7 @@ public class JspC extends Task implement protected static final String SWITCH_DUMP_SMAP = "-dumpsmap"; protected static final String SWITCH_VALIDATE_TLD = "-validateTld"; protected static final String SWITCH_BLOCK_EXTERNAL = "-blockExternal"; + protected static final String SWITCH_NO_BLOCK_EXTERNAL = "-no-blockExternal"; protected static final String SHOW_SUCCESS ="-s"; protected static final String LIST_ERRORS = "-l"; protected static final int INC_WEBXML = 10; @@ -166,7 +167,7 @@ public class JspC extends Task implement protected boolean trimSpaces = false; protected boolean genStringAsCharArray = false; protected boolean validateTld; - protected boolean blockExternal; + protected boolean blockExternal = true; protected boolean xpoweredBy; protected boolean mappedFile = false; protected boolean poolingEnabled = true; @@ -377,6 +378,8 @@ public class JspC extends Task implement setValidateTld(true); } else if (tok.equals(SWITCH_BLOCK_EXTERNAL)) { setBlockExternal(true); + } else if (tok.equals(SWITCH_NO_BLOCK_EXTERNAL)) { + setBlockExternal(false); } else { if (tok.startsWith("-")) { throw new JasperException("Unrecognized option: " + tok + @@ -1452,9 +1455,8 @@ public class JspC extends Task implement if (isValidateTld()) { context.setInitParameter(Constants.XML_VALIDATION_TLD_INIT_PARAM, "true"); } - if (isBlockExternal()) { - context.setInitParameter(Constants.XML_BLOCK_EXTERNAL_INIT_PARAM, "true"); - } + context.setInitParameter(Constants.XML_BLOCK_EXTERNAL_INIT_PARAM, + String.valueOf(isBlockExternal())); TldScanner scanner = new TldScanner( context, true, isValidateTld(), isBlockExternal()); Modified: tomcat/trunk/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java?rev=1562597&r1=1562596&r2=1562597&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java (original) +++ tomcat/trunk/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java Wed Jan 29 21:19:57 2014 @@ -128,7 +128,7 @@ class ImplicitTagLibraryInfo extends Tag Constants.XML_BLOCK_EXTERNAL_INIT_PARAM); boolean blockExternal; if (blockExternalString == null) { - blockExternal = Constants.IS_SECURITY_ENABLED; + blockExternal = true; } else { blockExternal = Boolean.parseBoolean(blockExternalString); } Modified: tomcat/trunk/java/org/apache/jasper/compiler/JspDocumentParser.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/compiler/JspDocumentParser.java?rev=1562597&r1=1562596&r2=1562597&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/jasper/compiler/JspDocumentParser.java (original) +++ tomcat/trunk/java/org/apache/jasper/compiler/JspDocumentParser.java Wed Jan 29 21:19:57 2014 @@ -129,7 +129,7 @@ class JspDocumentParser Constants.XML_BLOCK_EXTERNAL_INIT_PARAM); boolean blockExternal; if (blockExternalString == null) { - blockExternal = Constants.IS_SECURITY_ENABLED; + blockExternal = true; } else { blockExternal = Boolean.parseBoolean(blockExternalString); } Modified: tomcat/trunk/java/org/apache/jasper/compiler/TagPluginManager.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/compiler/TagPluginManager.java?rev=1562597&r1=1562596&r2=1562597&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/jasper/compiler/TagPluginManager.java (original) +++ tomcat/trunk/java/org/apache/jasper/compiler/TagPluginManager.java Wed Jan 29 21:19:57 2014 @@ -66,7 +66,7 @@ public class TagPluginManager { Constants.XML_BLOCK_EXTERNAL_INIT_PARAM); boolean blockExternal; if (blockExternalString == null) { - blockExternal = Constants.IS_SECURITY_ENABLED; + blockExternal = true; } else { blockExternal = Boolean.parseBoolean(blockExternalString); } Modified: tomcat/trunk/java/org/apache/jasper/compiler/TldCache.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/compiler/TldCache.java?rev=1562597&r1=1562596&r2=1562597&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/jasper/compiler/TldCache.java (original) +++ tomcat/trunk/java/org/apache/jasper/compiler/TldCache.java Wed Jan 29 21:19:57 2014 @@ -78,7 +78,7 @@ public class TldCache { Constants.XML_BLOCK_EXTERNAL_INIT_PARAM); boolean blockExternal; if (blockExternalString == null) { - blockExternal = Constants.IS_SECURITY_ENABLED; + blockExternal = true; } else { blockExternal = Boolean.parseBoolean(blockExternalString); } Modified: tomcat/trunk/java/org/apache/jasper/servlet/JasperInitializer.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/servlet/JasperInitializer.java?rev=1562597&r1=1562596&r2=1562597&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/jasper/servlet/JasperInitializer.java (original) +++ tomcat/trunk/java/org/apache/jasper/servlet/JasperInitializer.java Wed Jan 29 21:19:57 2014 @@ -84,7 +84,7 @@ public class JasperInitializer implement Constants.XML_BLOCK_EXTERNAL_INIT_PARAM); boolean blockExternal; if (blockExternalString == null) { - blockExternal = Constants.IS_SECURITY_ENABLED; + blockExternal = true; } else { blockExternal = Boolean.parseBoolean(blockExternalString); } Modified: tomcat/trunk/java/org/apache/jasper/servlet/JspCServletContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/servlet/JspCServletContext.java?rev=1562597&r1=1562596&r2=1562597&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/jasper/servlet/JspCServletContext.java (original) +++ tomcat/trunk/java/org/apache/jasper/servlet/JspCServletContext.java Wed Jan 29 21:19:57 2014 @@ -136,7 +136,7 @@ public class JspCServletContext implemen Constants.XML_BLOCK_EXTERNAL_INIT_PARAM); boolean blockExternal; if (blockExternalString == null) { - blockExternal = Constants.IS_SECURITY_ENABLED; + blockExternal = true; } else { blockExternal = Boolean.parseBoolean(blockExternalString); } Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1562597&r1=1562596&r2=1562597&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Wed Jan 29 21:19:57 2014 @@ -45,6 +45,14 @@ issues to not "pop up" wrt. others). --> <section name="Tomcat 8.0.1 (markt)"> + <subsection name="Catalina"> + <changelog> + <fix> + Change default value of <code>xmlBlockExternal</code> attribute of + Context. It is <code>true</code> now. (kkolinko) + </fix> + </changelog> + </subsection> <subsection name="Coyote"> <changelog> <fix> @@ -53,6 +61,16 @@ </fix> </changelog> </subsection> + <subsection name="Jasper"> + <changelog> + <fix> + Change default value of the <code>blockExternal</code> attribute of + JspC task. The default value is <code>true</code>. Add support for + <code>-no-blockExternal</code> switch when JspC is run as a + standalone application. (kkolinko) + </fix> + </changelog> + </subsection> <subsection name="WebSocket"> <changelog> <fix> Modified: tomcat/trunk/webapps/docs/config/context.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/context.xml?rev=1562597&r1=1562596&r2=1562597&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/context.xml (original) +++ tomcat/trunk/webapps/docs/config/context.xml Wed Jan 29 21:19:57 2014 @@ -538,9 +538,8 @@ <code>web.xml</code>, <code>web-fragment.xml</code>, <code>*.tld</code>, <code>*.jspx</code>, <code>*.tagx</code> and <code>tagPlugins.xml</code> files for this web application will not permit external entities to be - loaded. If a <code>SecurityManager</code> is configured then the default - value of this attribute will be <code>true</code>, else the default - value will be <code>false</code>.</p> + loaded. If not specified, the default value of <code>true</code> will + be used.</p> </attribute> <attribute name="xmlNamespaceAware" required="false"> Modified: tomcat/trunk/webapps/docs/security-howto.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1562597&r1=1562596&r2=1562597&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/security-howto.xml (original) +++ tomcat/trunk/webapps/docs/security-howto.xml Wed Jan 29 21:19:57 2014 @@ -179,9 +179,6 @@ <ul> <li>The default value for the <strong>deployXML</strong> attribute of the <strong>Host</strong> element is changed to <code>false</code>.</li> - <li>The default value for the <strong>xmlBlockExternal</strong> attribute - of the <strong>Context</strong> element is changed to <code>true</code>. - </li> </ul> </section> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org