Bug 18477

Summary: JspC: unable to precompile linked jsp files
Product: Tomcat 4
Reporter: Chialin Wang <clw226>
Component: Jasper 2
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P3    
Version: 4.1.18   
Target Milestone: ---   
Hardware: Other   
OS: other   
Attachments: Patch to allow not following symbolic links when reading JSPs and JARs.

Description Chialin Wang 2003-03-28 18:16:31 UTC
Here's the command I used to precompile my web application:

  java -classpath \
    ~/tomcat/common/lib/servlet.jar:~/tomcat/common/lib/jasper-compiler.jar:~/tomcat/common/lib/jasper-runtime.jar:~/tomcat/common/lib/ant.jar \
    org.apache.jasper.JspC -v6 -l -s -d /tmp/ -uriroot $PROJECT_HOME/$CLIENT/pages \
    $PROJECT_HOME/$CLIENT/pages/core/application_attributes.jsp

The file is actually under $PROJECT_HOME/base/core.

Jspc generates an empty application_attributes_jsp.java under
/tmp/$PROJECT_HOME/$CLIENT/pages/core.

It seems Jspc is using the canonical path of the jsp file and, based on that, it
changes the outputDir.

Is there a way to get around it?

cw

Comment 1 Daniel Collins 2003-12-05 16:21:03 UTC
We have the same problem in our development environment. I wanted to precompile 
our JSPs (for performance), but our version control system creates all files in 
the workarea as symbolic links to another area of the disk hence our JSPs 
couldn't be compiled. (As an aside it also got thrown by the JARs in
WEB-INF/lib being symbolic links as well).

I remember there was an earlier bug (#12049) related to symbolic links and 
security seemed to be the problem (which I can understand, in a real webapp you 
wouldn't want symbolic links to other parts of the disk where files could be 
tampered with), but for standalone precompilation it shouldn't be a problem.
I would have thought that Tomcat (or whatever server you are using) should 
really handle the issue of symbolic links being allowed or not but I'm not that 
well up on it really.

I found 3 places in JspC.java that were using getCanonicalPath() that caused me 
problems -
initClassLoader() for the JARs,
locateUriRoot() only used if you don't specify -uriRoot,
execute() where the pathnames for the JSPs are converted to URIs relative to 
uriRoot.

I've patched our system locally to allow us to compile these links (security 
isn't a problem since it's only for precompiling in our development area), I'll 
tidy that up a bit and submit it.

Comment 2 Daniel Collins 2003-12-05 16:22:01 UTC
Created attachment 9419
Patch to allow not following symbolic links when reading JSPs and JARs.

Comment 3 Mark Thomas 2005-03-29 23:49:09 UTC
The fix for bug 28147 changed one of the 3 instances identified in the patch
above to use getAbsoluteXXX() instead of getCanonicalXXX(). I see no reason why
this should be OK for one instance and not the other two so I have ported the
28147 patch from TC5 and replaced the other two instances as well.
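
An added example, not part of this bug thread or the attached patch: it rebuilds the reported layout in a temporary directory and shows why a symlinked JSP falls outside the uriroot when both paths are canonicalised, why absolute paths keep it inside, and why the same canonical comparison remains the right containment check on the serving side. The class name, the helper methods and the prefix comparison are assumptions for illustration (JspC's own code is not shown on this page), and the demo assumes a filesystem that permits symbolic links.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SymlinkPathDemo {
    // Path of 'file' relative to 'root', or null when 'file' is not under 'root'.
    // Hypothetical helper: a plain prefix comparison on path strings.
    static String relativeTo(String root, String file) {
        String prefix = root.endsWith(File.separator) ? root : root + File.separator;
        return file.startsWith(prefix) ? file.substring(prefix.length()) : null;
    }

    // Server-style containment check: resolve symlinks on both sides first.
    static boolean staysInside(File root, File file) throws IOException {
        return relativeTo(root.getCanonicalPath(), file.getCanonicalPath()) != null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout mirroring the report: the JSP lives under base/core,
        // and the uriroot (client/pages) only holds a symbolic link to it.
        Path tmp = Files.createTempDirectory("jspc-demo").toRealPath();
        Path real = Files.createDirectories(tmp.resolve("base/core"))
                         .resolve("application_attributes.jsp");
        Files.write(real, "<%-- demo --%>".getBytes());
        Path uriRoot = Files.createDirectories(tmp.resolve("client/pages"));
        Path link = Files.createDirectories(uriRoot.resolve("core"))
                         .resolve("application_attributes.jsp");
        Files.createSymbolicLink(link, real);

        File root = uriRoot.toFile();
        File jsp = link.toFile();

        // Canonical form follows the link, so the JSP no longer sits under uriroot
        // and no relative URI can be derived from it.
        System.out.println("canonical: "
                + relativeTo(root.getCanonicalPath(), jsp.getCanonicalPath()));
        // Absolute form keeps the path as given, so the URI can be derived.
        System.out.println("absolute:  "
                + relativeTo(root.getAbsolutePath(), jsp.getAbsolutePath()));
        // The same link fails a canonical containment check of the kind a
        // server applies before serving a file from a webapp directory.
        System.out.println("contained: " + staysInside(root, jsp));
    }
}
```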