Re: stopping scanning of TLDs
Thanks for your help Chris. Here is my final script to do this right. -/local/bin/tld_scan:#!/bin/bash - # find tldS - Ray Holme 2017 # embedded spaces in filenames wreak havoc if [ $# -eq 0 ]; then echo " usage $0 list-of-jar-files" exit 1 fi VERBOSE=0 LIST= WORK=/tmp/$$.wrk for i in $* do if [ "$i" = "-v" -o "$i" = "V" ]; then VERBOSE=1 elif [ ! -f "$i" ]; then echo " $i not found" else echo $i | grep -i "\.jar$" > $WORK if [ -s $WORK ]; then LIST="$LIST $i" else echo " $i not a jar" fi fi done if [ "$LIST" = "" ]; then echo nothing to do exit 0 fi for i in $LIST do unzip -l "$i" | grep -i "\.tld" > $WORK if [ -s $WORK ]; then echo " $i contains tlds" elif [ $VERBOSE -gt 0 ]; then echo " $i has no tlds" fi done exit 0 On Thursday, November 9, 2017 11:19 AM, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Ray, On 11/8/17 3:51 PM, Ray Holme wrote: > this makes it easy in linux or mac land for i in *.jar; do echo > scanning $i; jar tf $i | grep "\.tld"; sleep 1; done I'd change that to: $ for i in *.jar; do echo scanning $i; unzip -l "$i" | grep -i "\.tld" ; done Changes: 1. Use unzip instead of jar. It's much faster. 2. Quote "$i", in case the filename contain (*shudder*) spaces 3. Use -i switch with grep, in case the filename happens to be TAGLIB.TL D - -chris > -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 > > Ray, > > On 11/8/17 11:24 AM, Ray Holme wrote: >> In a prior post, I asked if there was a way to see if a jar uses >> a tag library. Chris responded - look for ".tld" in the files. > > To clarify, I was responding to a question as to whether a JAR > file *contained* a tag library, not that it used one. Big > difference. > >> So I looked (turns out ecj.. has no ".tld": $ grep "tld" >> *.jarBinary file catalina-storeconfig.jar matches Binary file >> ecj-4.6.1.jar matches Binary file tomcat-util-scan.jar matches > > I agree with Chris Cheshire: check the ZIP contents list and not a > binary check. Though the ZIP filenames are stored (mostly) in the > clear, it's possible that you might get unlucky. Also make sure > you use a case-insensitive check. > >> I am just trying to find a reliable way to see if there is TAG >> library. > > Searching for .tld files ought to do it. > > Have you found a case where this *didn't* work? > > - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - > http://gpgtools.org Comment: Using GnuPG with Thunderbird - > http://www.enigmail.net/ > > iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAloDaJ0dHGNocmlzQGNo > cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFgcMQ/8Dv1fKlSVTjyznXD5 > cYi2HPYt+enG2bMSzJICEhpQEHn6S0S1Veaf4pGfM1m27KPqvdghDgqGB/yoGt4P > 2YU6LF8xa7AHVIvx+TwFtwcyL58NcqpO6uFM1MsUiAa3VYGUTY63R1B4EkTeWHuB > HoEDDIi17hOBGivctsFjkBaNgCKpnN4SUpMg3b9f4SZHgI4DjFIm0AQGUsI5pstQ > NKHzc/QFYu4+qqtb+A41cawf0jpvBtk2mY6SGqPu930SNWGpy8C5iQnyEguBS9ts > ZJVx3uYHBUFDByv+Cjudu7oJ1ceFrGQWWT6IumzMRQwL4RqueKLSjW2nXGR2gYmb > tF23FlKIQ2jljn5YgKkMmfgkQ2MeAbTJcubJBdJBT2LrzAKxK+0Ms2HCjfGBo777 > GeRJ5JPHku0h3sn5clnYwsGMP1lcut+353VuNJsHg9NyhltBm7ubHB2240vaEGFF > CxpNBa/VZuMRbu1Jp8OmCTO232sjHWY0b8ySESy0CQXYHx5S3/pCB8IoLfGV8VVh > VQChjyJcsUePa0qmioi6kmKPeluy9J63POXgiPk+UCKUgr3R0Ogc2Fu+sqE3CkqK > 0zf4Op/FALSfSqq67LTksy2oz4Ep1QC7CjKR2C/KG0nf6zaAPMVccmpqwccOuGWU > acEI1f6+9qXg6ZZQNneKsqr9Sfw= =kaCd -END PGP SIGNATURE- > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAloEgBQdHGNocmlzQGNo cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFgsuw/+IE2s4l93jQcAMKcL 0bbQ3lqski6L6zgaq38odjPgyMvx1tWugGKRY8vDsBpGl2b/hFmm4R5V+D6i4lX+ kq6el8pqrvimx/o/R+81eZxQ/PgMFj8I1Gp900gnnEarO9QsrnbWZnV85+HN75OG cAwvjpdL8KcCabiw8r3jxXTmfS3xCKW9F/RBj+nftwV1tT8V/tBqWl3WsryZBlER xG+cpijACb51z0e3Lo6N2+S/kFHKPk7xBhh+IWp2lPdrBY2I6YbR53kwP9ZG76+g qYB/LPawQjSFVBUoMgpg/HSitay9sgwOeUcHnNcZRsQqNvMuf+WOCRope/tnGV48 xqbHE4xRJV7m13glAgtDugWjNNqVw4zEpzoZHFnnXyy4zrZ5iYO38NiMf8Ni8rwU 6BS4gVAnEAHTF29j1iFsRTOxsqrxBdMXhlNyk+NThpY3GyZr1OHc2D3XXb5av0zM 3GOq8rmrNy7ck7T0BuoHQmkEfJWsv0R0INVYuysJd01dFl3aQ+JQ9BNhyhcnGR9f EyN0R+yKjNnUUiCUDhGE7zBxcqK7mda/T1Qzb4o40efY6zYno7Er6W4Rf0e4Y4Tl juPT/z+asZrGva4LvVYnFHH21OgyNF47S80CnL0RafqPJuN0/EFxOUjknU24afL2 cUY3WrObveDJ1n9lsfSCKlNE4Qg= =mNz6 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: stopping scanning of TLDs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Ray, On 11/8/17 3:51 PM, Ray Holme wrote: > this makes it easy in linux or mac land for i in *.jar; do echo > scanning $i; jar tf $i | grep "\.tld"; sleep 1; done I'd change that to: $ for i in *.jar; do echo scanning $i; unzip -l "$i" | grep -i "\.tld" ; done Changes: 1. Use unzip instead of jar. It's much faster. 2. Quote "$i", in case the filename contain (*shudder*) spaces 3. Use -i switch with grep, in case the filename happens to be TAGLIB.TL D - -chris > -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 > > Ray, > > On 11/8/17 11:24 AM, Ray Holme wrote: >> In a prior post, I asked if there was a way to see if a jar uses >> a tag library. Chris responded - look for ".tld" in the files. > > To clarify, I was responding to a question as to whether a JAR > file *contained* a tag library, not that it used one. Big > difference. > >> So I looked (turns out ecj.. has no ".tld": $ grep "tld" >> *.jarBinary file catalina-storeconfig.jar matches Binary file >> ecj-4.6.1.jar matches Binary file tomcat-util-scan.jar matches > > I agree with Chris Cheshire: check the ZIP contents list and not a > binary check. Though the ZIP filenames are stored (mostly) in the > clear, it's possible that you might get unlucky. Also make sure > you use a case-insensitive check. > >> I am just trying to find a reliable way to see if there is TAG >> library. > > Searching for .tld files ought to do it. > > Have you found a case where this *didn't* work? > > - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - > http://gpgtools.org Comment: Using GnuPG with Thunderbird - > http://www.enigmail.net/ > > iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAloDaJ0dHGNocmlzQGNo > cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFgcMQ/8Dv1fKlSVTjyznXD5 > cYi2HPYt+enG2bMSzJICEhpQEHn6S0S1Veaf4pGfM1m27KPqvdghDgqGB/yoGt4P > 2YU6LF8xa7AHVIvx+TwFtwcyL58NcqpO6uFM1MsUiAa3VYGUTY63R1B4EkTeWHuB > HoEDDIi17hOBGivctsFjkBaNgCKpnN4SUpMg3b9f4SZHgI4DjFIm0AQGUsI5pstQ > NKHzc/QFYu4+qqtb+A41cawf0jpvBtk2mY6SGqPu930SNWGpy8C5iQnyEguBS9ts > ZJVx3uYHBUFDByv+Cjudu7oJ1ceFrGQWWT6IumzMRQwL4RqueKLSjW2nXGR2gYmb > tF23FlKIQ2jljn5YgKkMmfgkQ2MeAbTJcubJBdJBT2LrzAKxK+0Ms2HCjfGBo777 > GeRJ5JPHku0h3sn5clnYwsGMP1lcut+353VuNJsHg9NyhltBm7ubHB2240vaEGFF > CxpNBa/VZuMRbu1Jp8OmCTO232sjHWY0b8ySESy0CQXYHx5S3/pCB8IoLfGV8VVh > VQChjyJcsUePa0qmioi6kmKPeluy9J63POXgiPk+UCKUgr3R0Ogc2Fu+sqE3CkqK > 0zf4Op/FALSfSqq67LTksy2oz4Ep1QC7CjKR2C/KG0nf6zaAPMVccmpqwccOuGWU > acEI1f6+9qXg6ZZQNneKsqr9Sfw= =kaCd -END PGP SIGNATURE- > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAloEgBQdHGNocmlzQGNo cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFgsuw/+IE2s4l93jQcAMKcL 0bbQ3lqski6L6zgaq38odjPgyMvx1tWugGKRY8vDsBpGl2b/hFmm4R5V+D6i4lX+ kq6el8pqrvimx/o/R+81eZxQ/PgMFj8I1Gp900gnnEarO9QsrnbWZnV85+HN75OG cAwvjpdL8KcCabiw8r3jxXTmfS3xCKW9F/RBj+nftwV1tT8V/tBqWl3WsryZBlER xG+cpijACb51z0e3Lo6N2+S/kFHKPk7xBhh+IWp2lPdrBY2I6YbR53kwP9ZG76+g qYB/LPawQjSFVBUoMgpg/HSitay9sgwOeUcHnNcZRsQqNvMuf+WOCRope/tnGV48 xqbHE4xRJV7m13glAgtDugWjNNqVw4zEpzoZHFnnXyy4zrZ5iYO38NiMf8Ni8rwU 6BS4gVAnEAHTF29j1iFsRTOxsqrxBdMXhlNyk+NThpY3GyZr1OHc2D3XXb5av0zM 3GOq8rmrNy7ck7T0BuoHQmkEfJWsv0R0INVYuysJd01dFl3aQ+JQ9BNhyhcnGR9f EyN0R+yKjNnUUiCUDhGE7zBxcqK7mda/T1Qzb4o40efY6zYno7Er6W4Rf0e4Y4Tl juPT/z+asZrGva4LvVYnFHH21OgyNF47S80CnL0RafqPJuN0/EFxOUjknU24afL2 cUY3WrObveDJ1n9lsfSCKlNE4Qg= =mNz6 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: stopping scanning of TLDs
this makes it easy in linux or mac land for i in *.jar; do echo scanning $i; jar tf $i | grep "\.tld"; sleep 1; done On Wednesday, November 8, 2017 3:27 PM, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Ray, On 11/8/17 11:24 AM, Ray Holme wrote: > In a prior post, I asked if there was a way to see if a jar uses a > tag library. Chris responded - look for ".tld" in the files. To clarify, I was responding to a question as to whether a JAR file *contained* a tag library, not that it used one. Big difference. > So I looked (turns out ecj.. has no ".tld": $ grep "tld" > *.jarBinary file catalina-storeconfig.jar matches Binary file > ecj-4.6.1.jar matches Binary file tomcat-util-scan.jar matches I agree with Chris Cheshire: check the ZIP contents list and not a binary check. Though the ZIP filenames are stored (mostly) in the clear, it's possible that you might get unlucky. Also make sure you use a case-insensitive check. > I am just trying to find a reliable way to see if there is TAG > library. Searching for .tld files ought to do it. Have you found a case where this *didn't* work? - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAloDaJ0dHGNocmlzQGNo cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFgcMQ/8Dv1fKlSVTjyznXD5 cYi2HPYt+enG2bMSzJICEhpQEHn6S0S1Veaf4pGfM1m27KPqvdghDgqGB/yoGt4P 2YU6LF8xa7AHVIvx+TwFtwcyL58NcqpO6uFM1MsUiAa3VYGUTY63R1B4EkTeWHuB HoEDDIi17hOBGivctsFjkBaNgCKpnN4SUpMg3b9f4SZHgI4DjFIm0AQGUsI5pstQ NKHzc/QFYu4+qqtb+A41cawf0jpvBtk2mY6SGqPu930SNWGpy8C5iQnyEguBS9ts ZJVx3uYHBUFDByv+Cjudu7oJ1ceFrGQWWT6IumzMRQwL4RqueKLSjW2nXGR2gYmb tF23FlKIQ2jljn5YgKkMmfgkQ2MeAbTJcubJBdJBT2LrzAKxK+0Ms2HCjfGBo777 GeRJ5JPHku0h3sn5clnYwsGMP1lcut+353VuNJsHg9NyhltBm7ubHB2240vaEGFF CxpNBa/VZuMRbu1Jp8OmCTO232sjHWY0b8ySESy0CQXYHx5S3/pCB8IoLfGV8VVh VQChjyJcsUePa0qmioi6kmKPeluy9J63POXgiPk+UCKUgr3R0Ogc2Fu+sqE3CkqK 0zf4Op/FALSfSqq67LTksy2oz4Ep1QC7CjKR2C/KG0nf6zaAPMVccmpqwccOuGWU acEI1f6+9qXg6ZZQNneKsqr9Sfw= =kaCd -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: stopping scanning of TLDs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Ray, On 11/8/17 11:24 AM, Ray Holme wrote: > In a prior post, I asked if there was a way to see if a jar uses a > tag library. Chris responded - look for ".tld" in the files. To clarify, I was responding to a question as to whether a JAR file *contained* a tag library, not that it used one. Big difference. > So I looked (turns out ecj.. has no ".tld": $ grep "tld" > *.jarBinary file catalina-storeconfig.jar matches Binary file > ecj-4.6.1.jar matches Binary file tomcat-util-scan.jar matches I agree with Chris Cheshire: check the ZIP contents list and not a binary check. Though the ZIP filenames are stored (mostly) in the clear, it's possible that you might get unlucky. Also make sure you use a case-insensitive check. > I am just trying to find a reliable way to see if there is TAG > library. Searching for .tld files ought to do it. Have you found a case where this *didn't* work? - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAloDaJ0dHGNocmlzQGNo cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFgcMQ/8Dv1fKlSVTjyznXD5 cYi2HPYt+enG2bMSzJICEhpQEHn6S0S1Veaf4pGfM1m27KPqvdghDgqGB/yoGt4P 2YU6LF8xa7AHVIvx+TwFtwcyL58NcqpO6uFM1MsUiAa3VYGUTY63R1B4EkTeWHuB HoEDDIi17hOBGivctsFjkBaNgCKpnN4SUpMg3b9f4SZHgI4DjFIm0AQGUsI5pstQ NKHzc/QFYu4+qqtb+A41cawf0jpvBtk2mY6SGqPu930SNWGpy8C5iQnyEguBS9ts ZJVx3uYHBUFDByv+Cjudu7oJ1ceFrGQWWT6IumzMRQwL4RqueKLSjW2nXGR2gYmb tF23FlKIQ2jljn5YgKkMmfgkQ2MeAbTJcubJBdJBT2LrzAKxK+0Ms2HCjfGBo777 GeRJ5JPHku0h3sn5clnYwsGMP1lcut+353VuNJsHg9NyhltBm7ubHB2240vaEGFF CxpNBa/VZuMRbu1Jp8OmCTO232sjHWY0b8ySESy0CQXYHx5S3/pCB8IoLfGV8VVh VQChjyJcsUePa0qmioi6kmKPeluy9J63POXgiPk+UCKUgr3R0Ogc2Fu+sqE3CkqK 0zf4Op/FALSfSqq67LTksy2oz4Ep1QC7CjKR2C/KG0nf6zaAPMVccmpqwccOuGWU acEI1f6+9qXg6ZZQNneKsqr9Sfw= =kaCd -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: stopping scanning of TLDs
On Wed, Nov 8, 2017 at 11:24 AM, Ray Holme wrote: > In a prior post, I asked if there was a way to see if a jar uses a tag > library. > Chris responded - look for ".tld" in the files. > So I looked (turns out ecj.. has no ".tld": > $ grep "tld" *.jarBinary file catalina-storeconfig.jar matches > Binary file ecj-4.6.1.jar matches > Binary file tomcat-util-scan.jar matches > I am just trying to find a reliable way to see if there is TAG library. > Ray, instead of doing a grep on the jar contents as a whole, do it based upon the file names within the jar and match the files ending in '.tld' $ jar tf tomcat-util-scan.jar | grep "\.tld$" $ jar tf catalina-storeconfig.jar | grep "\.tld$" $ jar tf ecj-4.6.3.jar | grep "\.tld$" $ jar tf javax.servlet.jsp.jstl-1.2.1.jar | grep "\.tld$" META-INF/fmt-1_0-rt.tld META-INF/scriptfree.tld META-INF/fmt-1_0.tld META-INF/x-1_0.tld META-INF/sql.tld META-INF/c.tld META-INF/x-1_0-rt.tld META-INF/sql-1_0.tld META-INF/sql-1_0-rt.tld META-INF/permittedTaglibs.tld META-INF/x.tld META-INF/c-1_0-rt.tld META-INF/c-1_0.tld META-INF/fn.tld META-INF/fmt.tld Chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: stopping scanning of TLDs
In a prior post, I asked if there was a way to see if a jar uses a tag library. Chris responded - look for ".tld" in the files. So I looked (turns out ecj.. has no ".tld": $ grep "tld" *.jarBinary file catalina-storeconfig.jar matches Binary file ecj-4.6.1.jar matches Binary file tomcat-util-scan.jar matches I am just trying to find a reliable way to see if there is TAG library. On Wednesday, November 8, 2017 10:29 AM, Mark Thomas wrote: On 08/11/2017 12:59, Ray Holme wrote: > The following three are interesting as they are in the tomcat distributed > list of NOT-TO_SCAN and have .tlds: catalina-storeconfig.jar; ecj-4.6.1.jar; > tomcat-util-scan.jar No, they don't. What led you to conclude that they did? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: stopping scanning of TLDs
On 08/11/2017 12:59, Ray Holme wrote: > The following three are interesting as they are in the tomcat distributed > list of NOT-TO_SCAN and have .tlds: catalina-storeconfig.jar; ecj-4.6.1.jar; > tomcat-util-scan.jar No, they don't. What led you to conclude that they did? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
stopping scanning of TLDs
Using Chris's algorithm, I searched for ".tld" in all jars used by both tomcat and my application extending it. The following two were in my .../WEB-INF/lib directory and needed to NOT be in the list of NOT-TO_SCAN i.e. ... they need to be scanned: jasperreports-5.1.0.jar matches; jstl-impl-1.2.jar matches The following three are interesting as they are in the tomcat distributed list of NOT-TO_SCAN and have .tlds: catalina-storeconfig.jar; ecj-4.6.1.jar; tomcat-util-scan.jar The latter 3 are more interesting as I am surprised they are there (except for the last one :=]]] )
