https://bz.apache.org/bugzilla/show_bug.cgi?id=58999

            Bug ID: 58999
           Summary: StringIndexOutOfBoundsException
                    WebAppClassLoaderBase.filter()
           Product: Tomcat 8
           Version: 8.0.32
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: sve...@technologist.com

This appears to be caused by the recent change listed in the changelog as:

"Fix class loader decision on the delegation for class loading and resource
lookup and make it faster too. (rjung)"

org.apache.catalina.loader.WebappClassLoaderBase.filter() is testing if name
starts with "javax" or "org", and then tries to get the next character using
name.charAt(). But if name is just "javax" or "org", then name.charAt() for the
next character will throw StringIndexOutOfBoundsException.

The following JSP demonstrates the issue:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>$Title$</title>
</head>
<body>
<%
    Class.forName("org");
%>
</body>
</html>

Rather than the expected ClassNotFoundException, this results in:

java.lang.StringIndexOutOfBoundsException: String index out of range: 3
    java.lang.String.charAt(String.java:658)
    org.apache.catalina.loader.WebappClassLoaderBase.filter(WebappClassLoaderBase.java:2780)
    org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1253)
    org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1142)
    org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:125)
    org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:62)
    java.lang.Class.forName0(Native Method)
    java.lang.Class.forName(Class.java:264)
    org.apache.jsp.index_jsp._jspService(index_jsp.java:116)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

While this example is contrived, it causes real-world problems for Mozilla
Rhino, which is testing "java", "javax", "org", "com", "edu", "net" to make
sure that they are indeed top-level packages and do not resolve to a class. It
can deal with the expected ClassNotFoundException but can't deal with the
unexpected StringIndexOutOfBoundsException.

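
The failure mode described in the report, as an added example that is not part of the original report and is not Tomcat's source: a simplified model of a prefix check that calls charAt() right after startsWith(), next to a length-checked variant. The class and method names, the matching rule ('.' or '/' after the prefix) and the sample name org.example.Foo are assumptions.

```java
// Added example: simplified model of the pattern in the report, not Tomcat's code.
public class PrefixFilterDemo {

    // Reported pattern: startsWith() followed by an unchecked charAt().
    static boolean filterUnchecked(String name) {
        char ch;
        if (name.startsWith("javax")) {
            ch = name.charAt(5);   // throws when name is exactly "javax"
            return ch == '.' || ch == '/';
        } else if (name.startsWith("org")) {
            ch = name.charAt(3);   // throws when name is exactly "org"
            return ch == '.' || ch == '/';
        }
        return false;
    }

    // Length-checked variant: a bare prefix is treated as "no match", so the
    // caller continues to the normal lookup and ClassNotFoundException path.
    static boolean filterChecked(String name) {
        if (name == null) {
            return false;
        }
        for (String prefix : new String[] {"javax", "org"}) {
            if (name.startsWith(prefix)) {
                if (name.length() <= prefix.length()) {
                    return false;
                }
                char ch = name.charAt(prefix.length());
                return ch == '.' || ch == '/';
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Names probed by Rhino per the report, plus one constructed class name.
        String[] names = {"java", "javax", "org", "com", "edu", "net", "org.example.Foo"};
        for (String name : names) {
            String unchecked;
            try {
                unchecked = String.valueOf(filterUnchecked(name));
            } catch (StringIndexOutOfBoundsException e) {
                unchecked = e.getClass().getSimpleName();
            }
            System.out.printf("%-16s unchecked=%-32s checked=%b%n",
                    name, unchecked, filterChecked(name));
        }
    }
}
```

Only the two bare prefixes, "javax" and "org", reach the unchecked charAt(); every other probed name returns normally in both variants.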