Summary: | Jsp spec violation in tld identifying? | | |
---|---|---|---|
Product: | Tomcat 7 | Reporter: | Huxing Zhang <huxing.zhang> |
Component: | Jasper | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | evan.greensmith |
Priority: | P2 | | |
Version: | trunk | | |
Target Milestone: | --- | | |
Hardware: | All | | |
OS: | All | | |
Attachments: | patch against tomcat 7 trunk | | |
Description
Huxing Zhang
2016-06-02 02:26:01 UTC
Created attachment 33908
patch against tomcat 7 trunk

The improved message part of the fix has been applied to:
- 9.0.x for 9.0.0.M7 onwards
- 8.5.x for 8.5.3 onwards
- 8.0.x for 8.0.36 onwards

Patch applied to 7.0.x for 7.0.70 onwards and 6.0p.x for 6.0.46 onwards.

I think this should just be a warning in older releases of Tomcat. Our application does place taglibs here. The application was built against servlet spec 2.5 (as declared in the web.xml) and the accompanying JSP spec 2.1, where there was no such requirement. We can update this for future versions of the product, but clients with older versions won't be able to pick up any Tomcat security fixes past 7.0.69.

(In reply to Mark Thomas from comment #3)
> Patch applied to 7.0.x for 7.0.70 onwards and 6.0p.x for 6.0.46 onwards.

I think applying this to 6.0.x is a bug. The "which version?" page http://tomcat.apache.org/whichversion.html states 6.0.x uses JSP spec 2.1, where this is not a requirement.

The requirement does apply to Tomcat 7.0.x and 6.0.x. It is present in JSP 2.1 and JSP 2.2. It is in the same section (JSP.7.3.1) as quoted in the original report.

(In reply to Mark Thomas from comment #6)
> The requirement does apply to Tomcat 7.0.x and 6.0.x. It is present in JSP
> 2.1 and JSP 2.2. It is in the same section (JSP.7.3.1) as quoted in the
> original report.

You're right. I was mistaken. It is a frustrating change to back-port so far. Admittedly we're complicit in being non-compliant to the spec; though the same can be said for Tomcat, WebSphere and WebLogic, which all did allow this. It is not a change that will fix any application. C'est la vie, I guess.