JSTL TransformSupport XSL import not finding relative path after applying EAP 6.4 CP6: MalformedURLException: unknown protocol: jstl

Solution Unverified - Updated

Environment

Red Hat JBoss Enterprise Application Platform (EAP) 6.4 CP6

Issue

After applying Cumulative Patch 6 to EAP 6.4, our JSTL transform is not finding relative paths in our XSL import.

test.jsp:

<c:import var="xslStylesheet" url="/xsl/ident/style.xsl" charEncoding="UTF-8" />
<c:import url="http://localhost:8080/test/test.xml" var="doc"/>
<x:transform xml="${doc}" xslt="${xslStylesheet}" xsltSystemId="/xsl/">
</x:transform> 

style3.xsl:

<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                version="1.0">

    <xsl:import href="parent.xsl"/>
...

We are seeing this error:

ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/test2].[jsp]] (http-127.0.0.1:8080-1) JBWEB000236: Servlet.service() for servlet jsp threw exception: java.net.MalformedURLException: unknown protocol: jstl
	at java.net.URL.<init>(URL.java:592) [rt.jar:1.7.0_51]
	at java.net.URL.<init>(URL.java:482) [rt.jar:1.7.0_51]
	at java.net.URL.<init>(URL.java:431) [rt.jar:1.7.0_51]
	at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:959)
	at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(XMLVersionDetector.java:143)
	at org.apache.xerces.parsers.XML11Configuration.parse(XML11Configuration.java:802)
	at org.apache.xerces.parsers.XML11Configuration.parse(XML11Configuration.java:768)
	at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:108)
	at org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1196)
	at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:555)
	at org.apache.xalan.processor.ProcessorInclude.parse(ProcessorInclude.java:312)
	at org.apache.xalan.processor.ProcessorInclude.startElement(ProcessorInclude.java:158)
	at org.apache.xalan.processor.StylesheetHandler.startElement(StylesheetHandler.java:626)
	at org.apache.xerces.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:496)
	at org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:180)
	at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:275)
	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(XMLDocumentFragmentScannerImpl.java:1653)
	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:324)
	at org.apache.xerces.parsers.XML11Configuration.parse(XML11Configuration.java:845)
	at org.apache.xerces.parsers.XML11Configuration.parse(XML11Configuration.java:768)
	at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:108)
	at org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1196)
	at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:555)
	at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:926)
	at org.apache.xalan.processor.TransformerFactoryImpl.newTransformer(TransformerFactoryImpl.java:780)
	at __redirected.__TransformerFactory.newTransformer(__TransformerFactory.java:132) [jboss-modules.jar:1.3.7.Final-redhat-1]
	at org.apache.taglibs.standard.util.XmlUtil.newTransformer(XmlUtil.java:195) [jboss-jstl-api_1.2_spec-1.0.9.Final-redhat-1.jar:1.0.9.Final]
	at org.apache.taglibs.standard.tag.common.xml.TransformSupport.doStartTag(TransformSupport.java:124) [jboss-jstl-api_1.2_spec-1.0.9.Final-redhat-1.jar:1.0.9.Final]
	at org.apache.jsp.test3_jsp._jspx_meth_x_005ftransform_005f0(test3_jsp.java:230)
	at org.apache.jsp.test3_jsp._jspService(test3_jsp.java:91)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:365) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:309) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:242) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.7.Final-redhat-2.jar:7.5.7.Final-redhat-2]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.15.Final-redhat-1.jar:7.5.15.Final-redhat-1]
	at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]

Resolution

Apply JBoss EAP 6.4 Cumulative Patch (CP) 8.

Root Cause

The CVE-2015-0254 security fix caused BZ-1320747.

BZ-1320747: JSTL TransformSupport XSL import not finding relative path
CVE-2015-0254 - Java Standard Tag Library (JSTL) allows processing of untrusted XML documents
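The stack trace above shows an xsl:import being resolved against a base that carries the `jstl:` pseudo-scheme, which `java.net.URL` cannot open. The following standalone JAXP program is an added example, not code from Red Hat or the JSTL project, and it does not reproduce the defect tracked in BZ-1320747: it compiles the same kind of stylesheet with and without a URIResolver on the TransformerFactory, and the resolver serves only an allow-list of application-local stylesheets. The class name, the `LOCAL_ONLY` resolver and the in-memory stylesheets are constructed for illustration.

```java
import java.io.*;
import java.util.*;
import javax.xml.transform.*;
import javax.xml.transform.stream.*;

public class JstlImportDemo {
    static final String NS = "xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'";
    // Constructed system id using the jstl: pseudo-scheme seen in the stack trace.
    static final String BASE = "jstl:/xsl/style.xsl";
    // Constructed in-memory stylesheets, keyed by the only system ids the resolver serves.
    static final Map<String, String> SHEETS = new HashMap<>();
    static {
        SHEETS.put(BASE, "<xsl:stylesheet " + NS + "><xsl:import href='parent.xsl'/></xsl:stylesheet>");
        SHEETS.put("jstl:/xsl/parent.xsl", "<xsl:stylesheet " + NS + ">"
            + "<xsl:output omit-xml-declaration='yes'/>"
            + "<xsl:template match='/'><out><xsl:value-of select='doc'/></out></xsl:template>"
            + "</xsl:stylesheet>");
    }

    // Hypothetical resolver: resolves href against the jstl: base and refuses
    // anything that is not on the allow-list (no file:, http: or path traversal).
    static final URIResolver LOCAL_ONLY = (href, base) -> {
        if (base == null || !base.startsWith("jstl:/"))
            throw new TransformerException("unexpected base: " + base);
        String abs = base.substring(0, base.lastIndexOf('/') + 1) + href;
        String xsl = SHEETS.get(abs);
        if (xsl == null) throw new TransformerException("import not permitted: " + abs);
        return new StreamSource(new StringReader(xsl), abs);
    };

    // Compiles style.xsl (this is where xsl:import is resolved), then transforms a constructed document.
    static String run(URIResolver resolver) {
        try {
            TransformerFactory tf = TransformerFactory.newInstance();
            // The resolver must be on the factory: imports are loaded at compile time.
            if (resolver != null) tf.setURIResolver(resolver);
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(SHEETS.get(BASE)), BASE));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<doc>hello</doc>")), new StreamResult(out));
            return "ok: " + out;
        } catch (TransformerException e) {
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("no resolver   -> " + run(null));
        System.out.println("with resolver -> " + run(LOCAL_ONLY));
    }
}
```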
