I have installed Tomcat 3.2.1 with the default configuration files -- still did not
care to make changes. Then connected to the examples page -- everything fine, examples
work.
However, showing the source of a jsp page using sourse.jsp does not work and throws
JspTagException.
In
$TOMCAT_HOME/webapps/examples/WEB-INF/classes/examples/ShowSource.java
the following code does that:
...
public int doEndTag() throws JspException {
if ((jspFile.indexOf( ".." ) >= 0) ||
(jspFile.toUpperCase().indexOf("/WEB-INF/") != 0) ||
(jspFile.toUpperCase().indexOf("/META-INF/") != 0))
throw new JspTagException("Invalid JSP file " + jspFile);
...
As far as I can recall the 2nd and the 3rd conditions were added for security reasons.
However, as I read them, they mean that the jsp file path SHOULD begin with
"/WEB-INF/" or "/META-INF/". Is it really what they meant? Shouldn't the access to
WEB-INF and META-INF be denied (i.e. in the above confitions '>= 0' or ' != -1', or at
least "= 0") -- at least this is what the apache conf chunk does. Well -- we have for
the numguess example an URL of
http://localhost:8080/examples/jsp/source.jsp?/jsp/num/numguess.jsp -- i.e. it does
not meet the condition and throws exception.
It is not clear to me what does an absolute path mean when calling a method from a jsp.
(Bellow is what I get if somebody cares to read it)
Thanx in advance for any assistance.
Best regards,
Emil S. Petkov
Error: 500
Location: /examples/jsp/source.jsp
Internal Servlet Error:
javax.servlet.ServletException: Invalid JSP file /jsp/num/numguess.jsp
at
org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:459)
at
jsp._0002fjsp_0002fsource_0002ejspsource_jsp_1._jspService(_0002fjsp_0002fsource_0002ejspsource_jsp_1.java:89)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:119)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:177)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:318)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:391)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:404)
at org.apache.tomcat.core.Handler.service(Handler.java:286)
at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
at
org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498)
at java.lang.Thread.run(Thread.java:484)
Root cause:
javax.servlet.jsp.JspTagException: Invalid JSP file /jsp/num/numguess.jsp
at examples.ShowSource.doEndTag(ShowSource.java:26)
at
jsp._0002fjsp_0002fsource_0002ejspsource_jsp_1._jspService(_0002fjsp_0002fsource_0002ejspsource_jsp_1.java:76)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:119)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:177)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:318)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:391)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:404)
at org.apache.tomcat.core.Handler.service(Handler.java:286)
at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
at
org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498)
at java.lang.Thread.run(Thread.java:484)
