Author: markt Date: Fri Dec 13 12:23:44 2013 New Revision: 1550706 URL: http://svn.apache.org/r1550706 Log: Alternative fix for normalization issue that doesn't depend on RequestUtils which isn't available to Jasper.
Modified: tomcat/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
Modified: tomcat/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java?rev=1550706&r1=1550705&r2=1550706&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java (original)
+++ tomcat/trunk/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java Fri Dec 13 12:23:44 2013
@@ -19,6 +19,8 @@ package org.apache.jasper.compiler;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.io.StringWriter;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -46,7 +48,6 @@ import org.apache.tomcat.util.descriptor
 import org.apache.tomcat.util.descriptor.tld.TaglibXml;
 import org.apache.tomcat.util.descriptor.tld.TldResourcePath;
 import org.apache.tomcat.util.descriptor.tld.ValidatorXml;
-import org.apache.tomcat.util.http.RequestUtil;
 import org.apache.tomcat.util.scan.Jar;
 
 /**
@@ -215,7 +216,17 @@ class TagLibraryInfoImpl extends TagLibr
 } else if (uri.charAt(0) != '/') {
 // noroot_rel_uri, resolve against the current JSP page
 uri = ctxt.resolveRelativeUri(uri);
- uri = RequestUtil.normalize(uri);
+ try {
+ // Can't use RequestUtils.normalize since that package is not
+ // available to Jasper.
+ uri = (new URI(uri)).normalize().toString();
+ if (uri.startsWith("../")) {
+ // Trying to go outside context root
+ err.jspError("jsp.error.taglibDirective.uriInvalid", uri);
+ }
+ } catch (URISyntaxException e) {
+ err.jspError("jsp.error.taglibDirective.uriInvalid", uri);
+ }
 }
 
 URL url = null;
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
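Review bot: The traversal guard in the third hunk only rejects a normalized value that begins with `../`, but `java.net.URI.normalize()` keeps leading `..` segments it cannot remove, so a rooted path comes back as `/../…` and a path that collapses completely comes back as `..`; neither form is caught. Whether `ctxt.resolveRelativeUri(uri)` returns a rooted path is not visible in this hunk, so I would cover all three forms: `if (uri.equals("..") || uri.startsWith("../") || uri.startsWith("/../")) {`. `normalize()` also leaves percent-encoded dot segments untouched, which should be confirmed against whatever code later maps this URI to a resource. The check relies on `err.jspError(...)` not returning normally, and the enclosing method begins and ends outside the hunk.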