I came across this while reviewing the coverity scan results. JSP.5.2 sets out <jsp:setProperty> should behave. That references JSP.1.14.2.1 for conversion from String values. Reviewing the code there appear to be multiple related issues: - PropertyEditor with null value may result in an exception when it should always be null - Empty strings are not correctly coerced - Coercion to Object is to String[] rather than String - Coercion to File is defined which is not present in the spec Since this report originates from code inspection, test cases need to be constructed to validate the bugs above before fixing. It would also be prudent to run the full Tomcat test suite and the JSP TCK against any fix.
Both the TCK and the Tomcat test suite pass with all the fixes in place.
Fixed in: - master for 9.0.20 onwards I don't propose back-porting this unless and until someone complains that 8.5.x or 7.0.x isn't spec compliant. Given that this code has been wrong for well over a decade, I'm not expecting any such reports.