Bug 59913

Summary: Tomcat 8.5.x missing javax.servlet.forward.* attributes in an included jsp
Product: Tomcat 8
Reporter: Andy Wang <dopey>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 8.5.4   
Target Milestone: ----   
Hardware: PC   
OS: Linux   
Attachments: Example webapp

Description Andy Wang 2016-07-30 02:23:28 UTC
Created attachment 34081
Example webapp

I have a really simple example (courtesy of the developer that discovered this issue) at:
https://dl.dropboxusercontent.com/u/24563006/TestApp.war

It contains a test.jsp that does:

<%
   String href= "/WEB-INF/jsp/test/test1.jsp";
   RequestDispatcher rd = request.getRequestDispatcher(href);
   rd.forward(request, response);
%>

test1.jsp simply dumps out all the attributes and then:
<jsp:include page="/WEB-INF/jsp/test/test2.jsp" />

and test2.jsp dumps out attributes again.

In Tomcat 8.0.36 the output of http://server/TestApp/test.jsp is:

You are in test1.jsp 

test1 inRequest org.apache.catalina.core.ApplicationHttpRequest@22f9afc4
test1 inRequest.getServletPath() /WEB-INF/jsp/test/test1.jsp
javax.servlet.forward.request_uri :: /TestApp/test.jsp
javax.servlet.forward.context_path :: /TestApp
javax.servlet.forward.servlet_path :: /test.jsp



You are in test2.jsp 

test2 inRequest org.apache.catalina.core.ApplicationHttpRequest@21695eed
test2 inRequest.getServletPath() /WEB-INF/jsp/test/test1.jsp
javax.servlet.include.request_uri :: /TestApp/WEB-INF/jsp/test/test2.jsp
javax.servlet.include.context_path :: /TestApp
javax.servlet.include.servlet_path :: /WEB-INF/jsp/test/test2.jsp
javax.servlet.forward.request_uri :: /TestApp/test.jsp
javax.servlet.forward.context_path :: /TestApp
javax.servlet.forward.servlet_path :: /test.jsp

Note that the "You are in test2.jsp" block contains javax.servlet.forward.*

In Tomcat 8.5.4 (and 8.5.3 too) it looks like:

You are in test1.jsp 

test1 inRequest org.apache.catalina.core.ApplicationHttpRequest@31d80a34
test1 inRequest.getServletPath() /WEB-INF/jsp/test/test1.jsp
javax.servlet.forward.request_uri :: /TestApp/test.jsp
javax.servlet.forward.context_path :: /TestApp
javax.servlet.forward.servlet_path :: /test.jsp
javax.servlet.forward.mapping :: org.apache.catalina.core.ApplicationMapping$MappingImpl@6a64c5b8



You are in test2.jsp 

test2 inRequest org.apache.catalina.core.ApplicationHttpRequest@1130eccf
test2 inRequest.getServletPath() /WEB-INF/jsp/test/test1.jsp
javax.servlet.include.request_uri :: /TestApp/WEB-INF/jsp/test/test2.jsp
javax.servlet.include.context_path :: /TestApp
javax.servlet.include.servlet_path :: /WEB-INF/jsp/test/test2.jsp
javax.servlet.include.mapping :: org.apache.catalina.core.ApplicationMapping$MappingImpl@7e9a01d5


Servlet spec section 9.4.2 Forwarded Request Parameters states this:

These attributes are accessible from the forwarded servlet via the getAttribute method on the request object. Note that these attributes must always reflect the information in the original request even under the situation that multiple forwards and subsequent includes are called.

Comment 1 Mark Thomas 2016-08-09 21:24:23 UTC
Thanks for the report and the test case. A good example of why magic values cause maintenance problems.

Only 9.0.x and 8.5.x were affected. This has been fixed in:
- 9.0.x for 9.0.0.M10 onwards
- 8.5.x for 8.5.5 onwards
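
A regression check for the behaviour reported above, as an added example that is not part of the bug report or of Tomcat: it parses the reproducer's attribute dump and reports any javax.servlet.forward.* attribute that a later block lost or changed relative to the first block. The function names are hypothetical, and the sample input is the attribute lines of the two dumps quoted in the description.

```python
import re

# The three forward attributes that both dumps in the report print for test1.jsp.
REQUIRED = ("javax.servlet.forward.request_uri",
            "javax.servlet.forward.context_path",
            "javax.servlet.forward.servlet_path")
BLOCK = re.compile(r"You are in (\S+)")
ATTR = re.compile(r"(javax\.servlet\.\S+) :: (.*)")

def parse_dump(text):
    """Return {page: {attribute: value}} in the order the pages printed."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := BLOCK.fullmatch(line)):
            current = blocks.setdefault(m.group(1), {})
        elif current is not None and (m := ATTR.fullmatch(line)):
            current[m.group(1)] = m.group(2)
    return blocks

def check_forward_attributes(text):
    """List every forward.* attribute that a later block lost or changed."""
    blocks = parse_dump(text)
    if not blocks:
        return ["no 'You are in ...' blocks found"]
    (first_page, first), *rest = blocks.items()
    problems = [f"{first_page}: {a} missing" for a in REQUIRED if a not in first]
    for page, attrs in rest:
        for a in REQUIRED:
            if a not in first:
                continue  # already reported against the first block
            if a not in attrs:
                problems.append(f"{page}: {a} missing")
            elif attrs[a] != first[a]:
                problems.append(f"{page}: {a} changed to {attrs[a]}")
    return problems

# Sample input: attribute lines copied from the two dumps in the description.
FORWARD = """javax.servlet.forward.request_uri :: /TestApp/test.jsp
javax.servlet.forward.context_path :: /TestApp
javax.servlet.forward.servlet_path :: /test.jsp
"""
INCLUDE = """javax.servlet.include.request_uri :: /TestApp/WEB-INF/jsp/test/test2.jsp
javax.servlet.include.context_path :: /TestApp
javax.servlet.include.servlet_path :: /WEB-INF/jsp/test/test2.jsp
"""
DUMP_8_0_36 = "You are in test1.jsp\n" + FORWARD + "You are in test2.jsp\n" + INCLUDE + FORWARD
DUMP_8_5_4 = "You are in test1.jsp\n" + FORWARD + "You are in test2.jsp\n" + INCLUDE

if __name__ == "__main__":
    for label, dump in (("8.0.36", DUMP_8_0_36), ("8.5.4", DUMP_8_5_4)):
        print(label, check_forward_attributes(dump) or "OK")
```

Feeding it the body returned by the reproducer's test.jsp after an upgrade shows whether the included page still sees the original request's forward attributes.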