Author: remm
Date: Fri May 20 15:51:07 2016
New Revision: 1744760
URL: http://svn.apache.org/viewvc?rev=1744760&view=rev
Log:
59608: A lot of URL based errors can occur while processing a JAR manifest
classpath, so consistently ignore and log as debug all of them.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java?rev=1744760&r1=1744759&r2=1744760&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java Fri
May 20 15:51:07 2016
@@ -20,7 +20,6 @@ import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
-import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Arrays;
@@ -383,27 +382,27 @@ public class StandardJarScanner implemen
continue;
}
URL jarURL = jar.getJarFileURL();
- URI jarURI;
+ URL classPathEntryURL;
try {
- jarURI = jarURL.toURI();
- } catch (URISyntaxException e) {
+ URI jarURI = jarURL.toURI();
+ /*
+ * Note: Resolving the relative URLs from the manifest has
the
+ * potential to introduce security concerns.
However, since
+ * only JARs provided by the container and NOT those
provided
+ * by web applications are processed, there should
be no
+ * issues.
+ * If this feature is ever extended to include JARs
provided
+ * by web applications, checks should be added to
ensure that
+ * any relative URL does not step outside the web
application.
+ */
+ URI classPathEntryURI = jarURI.resolve(classPathEntry);
+ classPathEntryURL = classPathEntryURI.toURL();
+ } catch (Exception e) {
if (log.isDebugEnabled()) {
- log.debug(sm.getString("jarScan.invalidUri", jarURL));
+ log.debug(sm.getString("jarScan.invalidUri", jarURL),
e);
}
continue;
}
- /*
- * Note: Resolving the relative URLs from the manifest has the
- * potential to introduce security concerns. However,
since
- * only JARs provided by the container and NOT those
provided
- * by web applications are processed, there should be no
- * issues.
- * If this feature is ever extended to include JARs
provided
- * by web applications, checks should be added to ensure
that
- * any relative URL does not step outside the web
application.
- */
- URI classPathEntryURI = jarURI.resolve(classPathEntry);
- URL classPathEntryURL = classPathEntryURI.toURL();
classPathUrlsToProcess.add(classPathEntryURL);
}
}
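Review bot: The new `catch (Exception e)` around `jarURL.toURI()`, `jarURI.resolve(classPathEntry)` and `classPathEntryURI.toURL()` also swallows unrelated runtime exceptions at debug level, so a genuine bug in this loop body would be skipped silently. These three calls are documented to throw `URISyntaxException`, `IllegalArgumentException` and `MalformedURLException`, so `} catch (URISyntaxException | MalformedURLException | IllegalArgumentException e) {` keeps the skip-and-continue behaviour without hiding anything else; it needs the `URISyntaxException` import that the first hunk removes. The debug message is still built from `jarURL` alone, although the value that fails is now usually the manifest's `classPathEntry`. Logging that entry as well would make the offending JAR manifest identifiable, provided the `jarScan.invalidUri` message accepts a second argument. The enclosing method starts and ends outside the hunk.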
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1744760&r1=1744759&r2=1744760&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri May 20 15:51:07 2016
@@ -66,6 +66,11 @@
rather than known memory leaks. It had been disabled by default with no
increase in the reports of memory leaks for some time. (markt)
</scode>
+ <fix>
+ <bug>59608</bug>: Skip over any invalid <code>Class-Path</code>
attribute
+ from JAR manifests. Log errors at debug level due to many bad
libraries.
+ (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">