Make the xmlBlockExternal option in Catalina and Jasper to be true by default.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1562597 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java
index b166513..a5df783 100644
--- a/java/org/apache/catalina/core/StandardContext.java
+++ b/java/org/apache/catalina/core/StandardContext.java
@@ -675,7 +675,7 @@
/**
* Attribute used to turn on/off the use of external entities.
*/
- private boolean xmlBlockExternal = Globals.IS_SECURITY_ENABLED;
+ private boolean xmlBlockExternal = true;
/**
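Review bot: The Javadoc above `xmlBlockExternal` still reads "turn on/off the use of external entities", which leaves the polarity unclear now that the field defaults to `true`. A reader can take `true` to mean that external entities are in use, when it means they are blocked. I would reword it to say what `true` does and state the default, for example `Attribute that controls whether XML parsing for this context blocks the loading of external entities. Defaults to true.` This matches the wording the commit puts in webapps/docs/config/context.xml.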
diff --git a/java/org/apache/jasper/JspC.java b/java/org/apache/jasper/JspC.java
index 9b7b53d..44e078c 100644
--- a/java/org/apache/jasper/JspC.java
+++ b/java/org/apache/jasper/JspC.java
@@ -135,6 +135,7 @@
protected static final String SWITCH_DUMP_SMAP = "-dumpsmap";
protected static final String SWITCH_VALIDATE_TLD = "-validateTld";
protected static final String SWITCH_BLOCK_EXTERNAL = "-blockExternal";
+ protected static final String SWITCH_NO_BLOCK_EXTERNAL = "-no-blockExternal";
protected static final String SHOW_SUCCESS ="-s";
protected static final String LIST_ERRORS = "-l";
protected static final int INC_WEBXML = 10;
@@ -166,7 +167,7 @@
protected boolean trimSpaces = false;
protected boolean genStringAsCharArray = false;
protected boolean validateTld;
- protected boolean blockExternal;
+ protected boolean blockExternal = true;
protected boolean xpoweredBy;
protected boolean mappedFile = false;
protected boolean poolingEnabled = true;
@@ -377,6 +378,8 @@
setValidateTld(true);
} else if (tok.equals(SWITCH_BLOCK_EXTERNAL)) {
setBlockExternal(true);
+ } else if (tok.equals(SWITCH_NO_BLOCK_EXTERNAL)) {
+ setBlockExternal(false);
} else {
if (tok.startsWith("-")) {
throw new JasperException("Unrecognized option: " + tok +
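Review bot: The `SWITCH_BLOCK_EXTERNAL` branch is now redundant with the new default unless it follows `-no-blockExternal`, and nothing in the code says it is kept on purpose. A comment on that branch such as `// Kept for backwards compatibility; blocking is the default` would stop a later cleanup from dropping it. The else-if chain appears to apply switches in the order given, so the last of the two on the command line wins, which is worth stating where the opt-out is handled. No change to JspC's usage text is visible in this commit; if that text lists `-blockExternal`, it should presumably list `-no-blockExternal` as well. The option-parsing method starts and ends outside the hunk.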
@@ -1452,9 +1455,8 @@
if (isValidateTld()) {
context.setInitParameter(Constants.XML_VALIDATION_TLD_INIT_PARAM, "true");
}
- if (isBlockExternal()) {
- context.setInitParameter(Constants.XML_BLOCK_EXTERNAL_INIT_PARAM, "true");
- }
+ context.setInitParameter(Constants.XML_BLOCK_EXTERNAL_INIT_PARAM,
+ String.valueOf(isBlockExternal()));
TldScanner scanner = new TldScanner(
context, true, isValidateTld(), isBlockExternal());
diff --git a/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java b/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java
index 28e2894..edbb9a9 100644
--- a/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java
+++ b/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java
@@ -128,7 +128,7 @@
Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
boolean blockExternal;
if (blockExternalString == null) {
- blockExternal = Constants.IS_SECURITY_ENABLED;
+ blockExternal = true;
} else {
blockExternal = Boolean.parseBoolean(blockExternalString);
}
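Review bot: With the default now `true`, the `else` branch still fails open. `Boolean.parseBoolean(blockExternalString)` returns `false` for anything other than "true" (ignoring case), so an empty or misspelled init parameter silently turns external-entity blocking off. Consider treating only an explicit "false" as the opt-out, `blockExternal = !"false".equalsIgnoreCase(blockExternalString);`, which also covers the null case and so replaces the whole if/else. The same block is repeated in the JspDocumentParser, TagPluginManager, TldCache, JasperInitializer and JspCServletContext hunks, so a single shared helper would keep the six copies from drifting apart. The enclosing methods start and end outside these hunks.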
diff --git a/java/org/apache/jasper/compiler/JspDocumentParser.java b/java/org/apache/jasper/compiler/JspDocumentParser.java
index fca5905..4b1134c 100644
--- a/java/org/apache/jasper/compiler/JspDocumentParser.java
+++ b/java/org/apache/jasper/compiler/JspDocumentParser.java
@@ -129,7 +129,7 @@
Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
boolean blockExternal;
if (blockExternalString == null) {
- blockExternal = Constants.IS_SECURITY_ENABLED;
+ blockExternal = true;
} else {
blockExternal = Boolean.parseBoolean(blockExternalString);
}
diff --git a/java/org/apache/jasper/compiler/TagPluginManager.java b/java/org/apache/jasper/compiler/TagPluginManager.java
index 05e9b90..e6d6caf 100644
--- a/java/org/apache/jasper/compiler/TagPluginManager.java
+++ b/java/org/apache/jasper/compiler/TagPluginManager.java
@@ -66,7 +66,7 @@
Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
boolean blockExternal;
if (blockExternalString == null) {
- blockExternal = Constants.IS_SECURITY_ENABLED;
+ blockExternal = true;
} else {
blockExternal = Boolean.parseBoolean(blockExternalString);
}
diff --git a/java/org/apache/jasper/compiler/TldCache.java b/java/org/apache/jasper/compiler/TldCache.java
index cfa0465..eb7cbcd 100644
--- a/java/org/apache/jasper/compiler/TldCache.java
+++ b/java/org/apache/jasper/compiler/TldCache.java
@@ -78,7 +78,7 @@
Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
boolean blockExternal;
if (blockExternalString == null) {
- blockExternal = Constants.IS_SECURITY_ENABLED;
+ blockExternal = true;
} else {
blockExternal = Boolean.parseBoolean(blockExternalString);
}
diff --git a/java/org/apache/jasper/servlet/JasperInitializer.java b/java/org/apache/jasper/servlet/JasperInitializer.java
index 0a399cf..b87cbc5 100644
--- a/java/org/apache/jasper/servlet/JasperInitializer.java
+++ b/java/org/apache/jasper/servlet/JasperInitializer.java
@@ -84,7 +84,7 @@
Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
boolean blockExternal;
if (blockExternalString == null) {
- blockExternal = Constants.IS_SECURITY_ENABLED;
+ blockExternal = true;
} else {
blockExternal = Boolean.parseBoolean(blockExternalString);
}
diff --git a/java/org/apache/jasper/servlet/JspCServletContext.java b/java/org/apache/jasper/servlet/JspCServletContext.java
index f99430a..fb30d65 100644
--- a/java/org/apache/jasper/servlet/JspCServletContext.java
+++ b/java/org/apache/jasper/servlet/JspCServletContext.java
@@ -136,7 +136,7 @@
Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
boolean blockExternal;
if (blockExternalString == null) {
- blockExternal = Constants.IS_SECURITY_ENABLED;
+ blockExternal = true;
} else {
blockExternal = Boolean.parseBoolean(blockExternalString);
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 24bbe88..a287e80 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -45,6 +45,14 @@
issues to not "pop up" wrt. others).
-->
<section name="Tomcat 8.0.1 (markt)">
+ <subsection name="Catalina">
+ <changelog>
+ <fix>
+ Change default value of <code>xmlBlockExternal</code> attribute of
+ Context. It is <code>true</code> now. (kkolinko)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Coyote">
<changelog>
<fix>
@@ -53,6 +61,16 @@
</fix>
</changelog>
</subsection>
+ <subsection name="Jasper">
+ <changelog>
+ <fix>
+ Change default value of the <code>blockExternal</code> attribute of
+ JspC task. The default value is <code>true</code>. Add support for
+ <code>-no-blockExternal</code> switch when JspC is run as a
+ standalone application. (kkolinko)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="WebSocket">
<changelog>
<fix>
diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml
index 795a465..e8067a5 100644
--- a/webapps/docs/config/context.xml
+++ b/webapps/docs/config/context.xml
@@ -538,9 +538,8 @@
<code>web.xml</code>, <code>web-fragment.xml</code>, <code>*.tld</code>,
<code>*.jspx</code>, <code>*.tagx</code> and <code>tagPlugins.xml</code>
files for this web application will not permit external entities to be
- loaded. If a <code>SecurityManager</code> is configured then the default
- value of this attribute will be <code>true</code>, else the default
- value will be <code>false</code>.</p>
+ loaded. If not specified, the default value of <code>true</code> will
+ be used.</p>
</attribute>
<attribute name="xmlNamespaceAware" required="false">
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index e7180ab..2e43307 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -179,9 +179,6 @@
<ul>
<li>The default value for the <strong>deployXML</strong> attribute of the
<strong>Host</strong> element is changed to <code>false</code>.</li>
- <li>The default value for the <strong>xmlBlockExternal</strong> attribute
- of the <strong>Context</strong> element is changed to <code>true</code>.
- </li>
</ul>
</section>