https://bz.apache.org/bugzilla/show_bug.cgi?id=66488

            Bug ID: 66488
           Summary: MessageBytes#toBytesSimple overwrites request byte
                    buffer
           Product: Tomcat 9
           Version: 9.0.71
          Hardware: Macintosh
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: n4zr...@gmail.com
  Target Milestone: -----

In 9.0.71 the code for MessageBytes#toBytes was changed to call the newly
introduced MessageBytes#toBytesSimple method which incorrectly assumes that
byteC.getBuffer's returned array is a copy of the original request string unique
to that specific MessageByte/ByteChunk, which is not the case. Every instance
of MessageByte created early in the request processing gets passed a reference
to the same byte array (which is documented in java.nio.ByteBuffer#array).
An easy fix for this is changing

byte[] bytes = byteC.getBuffer(); 

in toBytesSimple to

byte[] bytes = new byte[len];

as well as changing

byteC.setEnd(len);

in toBytesSimple to

byteC.setBytes(bytes, 0, len).


I'm not sure though if it is intended that every MessageByte's ByteChunk share
the same buffer.

The result of the bug is that a Servlet's request.getQueryString() gets
overwritten by part of the Authorization header due to the call of
authorization.toBytes() in BasicAuthenticator#doAuthenticate.
I can provide a simple example if necessary although due to some concurrency
issues or whatever it only happens if I add a breakpoint before
authorization.toBytes in BasicAuthenticator.
We stumbled upon the problem because it always occurs in our production
application which I can't share for obvious reasons.

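A simplified model of the aliasing described in the report above, added here as an illustration; it is not code from the report or from Tomcat. The View class and method names are hypothetical, the request bytes are constructed, and writing the converted bytes from index 0 is an assumption based on the report's description.

```java
import java.nio.charset.StandardCharsets;

// Simplified model of the aliasing in this report. View is a hypothetical
// stand-in for a ByteChunk-style (buffer, start, end) window; not Tomcat code.
public class SharedBufferDemo {

    static final class View {
        byte[] buf;
        int start, end;

        View(byte[] buf, int start, int end) { setBytes(buf, start, end - start); }

        void setBytes(byte[] b, int off, int len) { buf = b; start = off; end = off + len; }

        @Override public String toString() {
            return new String(buf, start, end - start, StandardCharsets.ISO_8859_1);
        }
    }

    // Reported pattern: convert into the array the view already points at.
    // Assumption: converted bytes are written from index 0 of that array.
    static void toBytesShared(View v, String value) {
        byte[] bytes = v.buf; // alias of the request buffer, not a copy
        for (int i = 0; i < value.length(); i++) bytes[i] = (byte) value.charAt(i);
        v.start = 0;
        v.end = value.length();
    }

    // Pattern proposed in the report: private array, then rebind the view.
    static void toBytesPrivate(View v, String value) {
        byte[] bytes = new byte[value.length()];
        for (int i = 0; i < bytes.length; i++) bytes[i] = (byte) value.charAt(i);
        v.setBytes(bytes, 0, bytes.length);
    }

    static String queryAfter(boolean shared) {
        // Constructed request, not captured traffic.
        String raw = "GET /app?id=42&mode=view HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n";
        byte[] request = raw.getBytes(StandardCharsets.ISO_8859_1);
        int q = raw.indexOf('?') + 1, a = raw.indexOf("Basic");
        View query = new View(request, q, raw.indexOf(" HTTP"));
        View auth = new View(request, a, raw.indexOf("\r\n", a));
        String value = auth.toString(); // header value after conversion to a String
        if (shared) toBytesShared(auth, value); else toBytesPrivate(auth, value);
        return query.toString();
    }

    public static void main(String[] args) {
        System.out.println("shared buffer : " + queryAfter(true));
        System.out.println("private buffer: " + queryAfter(false));
    }
}
```

With the shared array the query view ends up containing bytes of the Authorization value, so anything that logs or echoes the query string would expose part of the credential; with a private array the query view is unchanged.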