This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 6a57175ef0 Fix bug in class loader resource lookup by name with
external resources
6a57175ef0 is described below
commit 6a57175ef02d59e48107ede8229008d959affeff
Author: Mark Thomas <[email protected]>
AuthorDate: Mon Feb 17 13:53:07 2025 +0000
Fix bug in class loader resource lookup by name with external resources
When looking up class loader resources by resource name, the resource
name should not start with '/'. If the resource name does start with
'/', Tomcat is lenient and looks it up as if the '/' was not present.
When the web application class loader was configured with external
repositories and names starting with '/' were used for lookups, it was
possible that cached 'not found' results could effectively hide lookup
results using the correct resource name.
---
.../catalina/loader/WebappClassLoaderBase.java | 8 ++++--
.../catalina/loader/TestWebappClassLoader.java | 30 ++++++++++++++++++++++
webapps/docs/changelog.xml | 13 ++++++++++
3 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
index 1218a1c2f8..0905c9572c 100644
--- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
@@ -769,7 +769,8 @@ public abstract class WebappClassLoaderBase extends
URLClassLoader
url = super.findResource(name);
}
- if (url == null) {
+ // Skip caching results for invalid names (it might mask lookups
for valid ones)
+ if (url == null && name.charAt(0) != '/') {
notFoundClassResources.add(path);
}
}
@@ -1015,7 +1016,10 @@ public abstract class WebappClassLoaderBase extends
URLClassLoader
return stream;
}
- notFoundClassResources.add(path);
+ // Skip caching results for invalid names (it might mask lookups
for valid ones)
+ if (name.charAt(0) != '/') {
+ notFoundClassResources.add(path);
+ }
}
// (3) Delegate to parent unconditionally
diff --git a/test/org/apache/catalina/loader/TestWebappClassLoader.java
b/test/org/apache/catalina/loader/TestWebappClassLoader.java
index 11b53ab7e3..38daf81d63 100644
--- a/test/org/apache/catalina/loader/TestWebappClassLoader.java
+++ b/test/org/apache/catalina/loader/TestWebappClassLoader.java
@@ -24,6 +24,7 @@ import java.net.URLClassLoader;
import org.junit.Assert;
import org.junit.Test;
+import org.apache.catalina.Context;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.startup.TomcatBaseTest;
@@ -172,4 +173,33 @@ public class TestWebappClassLoader extends TomcatBaseTest {
}
}
}
+
+
+ /*
+ * See https://github.com/apache/tomcat/pull/816 for details.
+ */
+ @Test
+ public void testResourceName() throws Exception {
+
+ Tomcat tomcat = getTomcatInstance();
+ getProgrammaticRootContext();
+ tomcat.start();
+
+ // Add an external resource to the web application
+ WebappClassLoaderBase cl =
+ (WebappClassLoaderBase) ((Context)
tomcat.getHost().findChildren()[0]).getLoader().getClassLoader();
+ File f = new File("test/conf");
+ cl.addURL(f.toURI().toURL());
+
+ /*
+ * External resources are loaded using URLClassLoader code so leading
'/' characters are not permitted in
+ * resource names.
+ */
+ URL u1 = cl.getResource("/jaspic-test-01.xml");
+ Assert.assertNull(u1);
+
+ // Should now be visible if the correct name is used.
+ URL u2 = cl.getResource("jaspic-test-01.xml");
+ Assert.assertNotNull(u2);
+ }
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c8d9627e8e..c4a39bb95c 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,19 @@
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 11.0.5 (markt)" rtext="in development">
+ <subsection name="Catalina">
+ <changelog>
+ <fix>
+ When looking up class loader resources by resource name, the resource
+ name should not start with '/'. If the resource name does start with
+ '/', Tomcat is lenient and looks it up as if the '/' was not present.
+ When the web application class loader was configured with external
+ repositories and names starting with '/' were used for lookups, it was
+ possible that cached 'not found' results could effectively hide lookup
+ results using the correct resource name. (markt)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Other">
<changelog>
<add>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
