Bug 63359 - jsp:setProperty not spec compliant
Summary: jsp:setProperty not spec compliant
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Jasper (show other bugs)
Version: 9.0.x
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-17 10:36 UTC by Mark Thomas
Modified: 2019-05-01 21:17 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Thomas 2019-04-17 10:36:45 UTC
I came across this while reviewing the coverity scan results.

JSP.5.2 sets out <jsp:setProperty> should behave. That references JSP.1.14.2.1 for conversion from String values. Reviewing the code there appear to be multiple related issues:
- PropertyEditor with null value may result in an exception when it should always be null
- Empty strings are not correctly coerced 
- Coercion to Object is to String[] rather than String
- Coercion to File is defined which is not present in the spec

Since this report originates from code inspection, test cases need to be constructed to validate the bugs above before fixing. It would also be prudent to run the full Tomcat test suite and the JSP TCK against any fix.
Comment 1 Mark Thomas 2019-05-01 21:04:03 UTC
Both the TCK and the Tomcat test suite pass with all the fixes in place.
Comment 2 Mark Thomas 2019-05-01 21:17:01 UTC
Fixed in:
- master for 9.0.20 onwards

I don't propose back-porting this unless and until someone complains that 8.5.x or 7.0.x isn't spec compliant. Given that this code has been wrong for well over a decade, I'm not expecting any such reports.