Bug 34034 - Jasper didn't respect external entities
Summary: Jasper didn't respect external entities
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Jasper (show other bugs)
Version: Nightly Build
Hardware: Other other
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
: 36284 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-03-16 14:57 UTC by Henri Gomez
Modified: 2005-08-20 13:31 UTC (History)
1 user (show)



Attachments
a patch to allow Jasper to resolve external entities located in WEBAPP (5.61 KB, patch)
2005-03-18 14:47 UTC, Henri Gomez
Details | Diff
Allow jasper to resolve external entities (4.16 KB, patch)
2005-03-23 15:36 UTC, Henri Gomez
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Henri Gomez 2005-03-16 14:57:01 UTC
While converting my apps from Tomcat 3.3.x to Tomcat 5.5.x, I discovered a
serious bug in Jasper.

My web.xml is :

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd" [ 
    
<!ENTITY base      SYSTEM "base.xml">

]>

<web-app>

...
&base.xml;

</web-app>


Tomcat 5.0.30 and 5.5.8 have no problem in loading web.xml at startup, they
resolve since the base.xml external entity file is local to the WAR.

But jasper when it tried to compile it's first JSP fail with message :


Etat HTTP 500 -

type Rapport d'exception

message

description Le serveur a rencontré une erreur interne () qui l'a
empêché de satisfaire la requête.

exception

org.apache.jasper.JasperException: Erreur d'évaluation XML sur le
fichier /WEB-INF/web.xml
      
org.apache.jasper.xmlparser.ParserUtils.parseXMLDocument(ParserUtils.java:113)
       org.apache.jasper.compiler.JspConfig.processWebDotXml(JspConfig.java:70)
       org.apache.jasper.compiler.JspConfig.init(JspConfig.java:188)
       org.apache.jasper.compiler.JspConfig.findJspProperty(JspConfig.java:240)
       org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:103)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:286)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:267)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:255)
      
org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:556)
      
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:296)
       org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:291)
       org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241)
       javax.servlet.http.HttpServlet.service(HttpServlet.java:802)

cause mère

java.io.FileNotFoundException: C:\eclipse3\base.xml (Le fichier
spécifié est introuvable)
       java.io.FileInputStream.open(Native Method)
       java.io.FileInputStream.<init>(FileInputStream.java:106)
       java.io.FileInputStream.<init>(FileInputStream.java:66)
      
sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:69)
      
sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:156)
       org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
       org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
       org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
      
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEntityReference(Unknown
Source)
      
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
Source)
       org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown
Source)
       org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
       org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
       org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
       org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
       org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
       javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
       org.apache.jasper.xmlparser.ParserUtils.parseXMLDocument(ParserUtils.java:98)
       org.apache.jasper.compiler.JspConfig.processWebDotXml(JspConfig.java:70)
       org.apache.jasper.compiler.JspConfig.init(JspConfig.java:188)
       org.apache.jasper.compiler.JspConfig.findJspProperty(JspConfig.java:240)
       org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:103)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:286)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:267)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:255)
      
org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:556)
      
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:296)
       org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:291)
       org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241)
       javax.servlet.http.HttpServlet.service(HttpServlet.java:802)

note La trace complète de la cause mère de cette erreur est disponible
dans les fichiers journaux de Apache Tomcat/5.5.8.

It seems that Jasper didn't use the WEBAPP path but start from my environnement
path, in my case eclipse3, c:\eclipse3, which is bad.
Comment 1 Remy Maucherat 2005-03-16 15:00:15 UTC
As promised ;)
Comment 2 Henri Gomez 2005-03-16 15:02:33 UTC
Reread xml spec, nothing prevent us to use external entities like this.
Also external entities are invalid when outside webapp, it's not the case here.

You should read :

My web.xml is :

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd" [ 
    
<!ENTITY base      SYSTEM "base.xml">

]>

<web-app>

...
&base;

</web-app>

Comment 3 Remy Maucherat 2005-03-16 15:04:26 UTC
Webapps are not necessarily filesystem based. As a result, that kind of little
tricks are not portable, and cannot be supported. As you know, I am very
efficient at marking reports invalid ;)
Comment 4 Remy Maucherat 2005-03-16 15:16:32 UTC
Actually, I just saw it maybe can work even when not filesystem based:
                if (altDDName != null) {
                    url = new File(altDDName).toURL();
                } else {
                    url = servletContext.getResource(
                                                Constants.ApplicationWebXml);
                }
                if( url!=null ) {
                    InputSource is = new InputSource(url.toExternalForm());
                    is.setByteStream(stream);

I still really don't care about the issue, but my big issue with this might go away.

This might teach people that it's not a good idea to bug me about something I
don't care about all morning long (some people you might not know about may have
gotten the same idea at the same time) ;)
Comment 5 Henri Gomez 2005-03-18 14:47:36 UTC
Created attachment 14517 [details]
a patch to allow Jasper to resolve external entities located in WEBAPP
Comment 6 Remy Maucherat 2005-03-18 16:05:36 UTC
if (systemId.startsWith("file:///WEB-INF/"))
  return new InputSource(ctxt.getResourceAsStream(systemId.substring(7)));

-> -1
No surprise here ...
Comment 7 Henri Gomez 2005-03-18 16:15:27 UTC
It's a trick :

if (systemId.startsWith("file:///WEB-INF/"))
  return new InputSource(ctxt.getResourceAsStream(systemId.substring(7)));

XML parser have a pseudo root origine set to /WEB-INF/ and as such you get the
systemId filed with 'file:///WEB-INF/whatever.xml' when you have defined a
<ENTITY what SYSTEM "whatever.xml">

With the substring 7 we remove the "file:////" and as such get
"/WEB-INF/whatever.xml" from ServletContext via getResourceAsStream.

So it should works EVEN if the webapp is not file based.

I do that to respect WHAT YOU REQUIRED, ie no InputSource from a File, just from
a resource.

Comment 8 william.barker 2005-03-18 20:17:32 UTC
It should be enough to do (in JspConfig):
  URL uri = ctcx.getResource(WEB_XML);
  InputSource ip = new InputSource(uri.openStream());
  ip.setSystemId(uri.toExternalForm());

and leave the EntityResolver alone.  Between Xerces and o.a.naming they can 
work out the relative Entity references.



Comment 9 Henri Gomez 2005-03-19 10:36:22 UTC
Well if it works, I'm happy with this patch.

Will try it Monday.

Thanks William
Comment 10 Henri Gomez 2005-03-19 11:09:49 UTC
Couldn't wait monday.

Ok it seems to works.

Resolver get a systemId : jndi:/localhost/webappname/WEB-INF/app.xml

And it works.

Only got in System.out :

19 mars 2005 11:06:49 org.apache.jasper.xmlparser.MyEntityResolver resolveEntity
GRAVE: PUBLIC ID invalide: null
19 mars 2005 11:06:57 org.apache.jasper.xmlparser.MyEntityResolver resolveEntity
GRAVE: PUBLIC ID invalide: null
19 mars 2005 11:06:59 org.apache.jasper.xmlparser.MyEntityResolver resolveEntity
GRAVE: PUBLIC ID invalide: null
19 mars 2005 11:07:00 org.apache.jasper.xmlparser.MyEntityResolver resolveEntity
GRAVE: PUBLIC ID invalide: null
19 mars 2005 11:07:02 org.apache.jasper.xmlparser.MyEntityResolver resolveEntity
GRAVE: PUBLIC ID invalide: null


So a simpler patch could be commited :)
Comment 11 Henri Gomez 2005-03-23 15:36:00 UTC
Created attachment 14546 [details]
Allow jasper to resolve external entities
Comment 12 Henri Gomez 2005-03-23 15:36:55 UTC
After Bill and Jan review, a new patch to close this BZ
Comment 13 william.barker 2005-08-20 21:31:37 UTC
*** Bug 36284 has been marked as a duplicate of this bug. ***