Bug 63359

Summary: jsp:setProperty not spec compliant
Product: Tomcat 9 Reporter: Mark Thomas <markt>
Component: JasperAssignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P2    
Version: 9.0.x   
Target Milestone: -----   
Hardware: PC   
OS: Linux   

Description Mark Thomas 2019-04-17 10:36:45 UTC
I came across this while reviewing the coverity scan results.

JSP.5.2 sets out <jsp:setProperty> should behave. That references JSP. for conversion from String values. Reviewing the code there appear to be multiple related issues:
- PropertyEditor with null value may result in an exception when it should always be null
- Empty strings are not correctly coerced 
- Coercion to Object is to String[] rather than String
- Coercion to File is defined which is not present in the spec

Since this report originates from code inspection, test cases need to be constructed to validate the bugs above before fixing. It would also be prudent to run the full Tomcat test suite and the JSP TCK against any fix.
Comment 1 Mark Thomas 2019-05-01 21:04:03 UTC
Both the TCK and the Tomcat test suite pass with all the fixes in place.
Comment 2 Mark Thomas 2019-05-01 21:17:01 UTC
Fixed in:
- master for 9.0.20 onwards

I don't propose back-porting this unless and until someone complains that 8.5.x or 7.0.x isn't spec compliant. Given that this code has been wrong for well over a decade, I'm not expecting any such reports.