Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Critical
-
Resolution: Fixed
-
Affects Version/s: 2.0, 2.0.1, 2.0.2, 2.0.3, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.2
-
Component/s: dependencies
-
Security Level: public (Regular issues)
-
Labels:None
Description
Need to upgrade to Tomcat 6.0.18 to pickup the latest security fixes, as listed on the following Tomcat webpage - http://tomcat.apache.org/security-6.html
Activity
- All
- Comments
- Work Log
- History
- Activity
- Transitions
Trunk (2.2-SNAPSHOT) upgraded to Tomcat 6.0.18 with r686143 and r686146.
Trunk (2.2), branches/2.1 (2.1.3-SNAPSHOT) and branches/2.0 (2.0.3-SNAPSHOT) have all been upgraded.
I've run into several JSP files in our build (mainly the monitor webapp) that require code changes to work with Tomcat 6.0.18, due to tightened code around the JSP 2.0 spec in Jasper during the Tomcat 6.0.17 release.
The build errors look something like -
org.apache.jasper.JasperException: file:/Users/drwoods/geronimo/server-trunk/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp(168,168) Attribute value rs.getString("server_id") is quoted with " which must be escaped when used within the value
at org.apache.jasper.compiler.DefaultErrorHandler.jspError(DefaultErrorHandler.java:40)
There are several places in the portlet code where we have -
value="<%=rs.getString("server_id")%>"
which had to be changed to
value='<%=rs.getString("server_id")%>'
The full text of the Tomcat Jasper change can be found at -
https://issues.apache.org/bugzilla/show_bug.cgi?id=45015
with the basic explanation being -
According to JSP 2.0 specification (chapter 1.7 page 72,73)
This code is illegal:
<mytags:tag value="<%= "hi!" %>" />
Instead the correct sentence would be:
<mytags:tag value='<%= "hi!" %>' />
<mytags:tag value="<%= \"hi!\" %>" />
<mytags:tag value='<%= \"name\" %>' />
...