Bug 36362

Summary: missing check for Java reserved keywords in tag file processing
Product: Tomcat 5 Reporter: erickson_d
Component: JasperAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 5.0.28   
Target Milestone: ---   
Hardware: All   
OS: All   
Attachments: webapps/examples/WEB-INF/tags/helloWorld.tag

Description erickson_d 2005-08-25 21:35:27 UTC 
Tag file attribute names are used as identifiers in Java source code generated
from the tag file without any mangling.  If the attribute name is a Java
keyword, this leads to a compilation error.  As an example, try to use the
following tag file, bug.tag

<%@ tag isELIgnored="false" %>
<%@ attribute name="default" %>
${default}

Somewhere during tag file processing, attribute names could be checked against
the list of Java keywords in org.apache.jasper.compiler.JspUtils
Comment 1 Mark Thomas 2011-04-10 06:40:28 UTC 
The check actually needs to be stricter than that - it needs to ensure the attribute name is a valid Java identifier.

The check has been added in 7.0.x and it will be included in 7.0.13 onwards.

The same fix hasbeen proposed for 5.5.x and 6.0.x.
Comment 2 erickson_d 2011-04-11 16:43:20 UTC 
I couldn't find anything in the specification that requires attribute names to be valid Java identifiers, or prohibits them from being reserved Java keywords.

I believe reserved words should be mangled to become valid Java identifiers, rather than resulting in a compilation error.

A test case would be that a tag with an attribute named "default" should compile.
Comment 3 Mark Thomas 2011-04-11 18:32:08 UTC 
Yep, I was reading JSP.8.3 too quickly. I'll revert the 7.0.x fix and withdraw the patch proposals while I take a second look at this.
Comment 4 Mark Thomas 2011-06-23 15:49:53 UTC 
This should really be a bug, not an enhancement. Marking as such.
Comment 5 Mark Thomas 2011-06-23 15:57:48 UTC 
Fixed in 7.0.x and will be included in 7.0.17 onwards.

Proposed for 6.0.x and 5.5.x.
Comment 6 Konstantin Kolinko 2011-06-28 00:16:37 UTC 
Created attachment 27216 [details]
webapps/examples/WEB-INF/tags/helloWorld.tag

This change in TC7 - r1138950 - broke processing for tag files that have attributes containing '_' character. That is because name mangling in JspUtil.makeJavaIdentifier() is too intrusive for this use case.

An example is attached. To reproduce:
1. Save the file as webapps/examples/WEB-INF/tags/helloWorld.tag
2. Start Tomcat and navigate to
http://localhost:8080/examples/jsp/jsp2/tagfiles/hello.jsp

3. Expected: showing the page, Actual: error 500, because the tag fails to compile.
Comment 7 Mark Thomas 2011-07-13 14:05:12 UTC 
The regression with underscores has been fixed and updated patches proposed for 6.0.x and 5.5.x.
Comment 8 Mark Thomas 2011-08-11 08:56:31 UTC 
Fixed in 6.0.x and will be included in 6.0.33 onwards.
Comment 9 Mark Thomas 2011-08-12 08:13:26 UTC 
This has been fixed in 5.5.x and will be included in 5.5.34 onwards.