This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push: new 194874ff95 Fix bug in class loader resource lookup by name with external resources 194874ff95 is described below commit 194874ff9536e465d45724d9a9d5b3c988fc266e Author: Mark Thomas <ma...@apache.org> AuthorDate: Mon Feb 17 13:53:07 2025 +0000 Fix bug in class loader resource lookup by name with external resources When looking up class loader resources by resource name, the resource name should not start with '/'. If the resource name does start with '/', Tomcat is lenient and looks it up as if the '/' was not present. When the web application class loader was configured with external repositories and names starting with '/' were used for lookups, it was possible that cached 'not found' results could effectively hide lookup results using the correct resource name. --- .../catalina/loader/WebappClassLoaderBase.java | 8 ++++-- .../catalina/loader/TestWebappClassLoader.java | 30 ++++++++++++++++++++++ webapps/docs/changelog.xml | 13 ++++++++++ 3 files changed, 49 insertions(+), 2 deletions(-) diff --git a/java/org/apache/catalina/loader/WebappClassLoaderBase.java b/java/org/apache/catalina/loader/WebappClassLoaderBase.java index ebb005127c..fa8ae72289 100644 --- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java +++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java @@ -899,7 +899,8 @@ public abstract class WebappClassLoaderBase extends URLClassLoader url = super.findResource(name); } - if (url == null) { + // Skip caching results for invalid names (it might mask lookups for valid ones) + if (url == null && name.charAt(0) != '/') { notFoundClassResources.add(path); } } 
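Review bot: The added guard `name.charAt(0) != '/'` throws StringIndexOutOfBoundsException when `name` is the empty string, and nothing visible in this hunk rules that out; the hunk at -1145 uses the same expression. Empty names are a plausible input (`getResource("")` is a common way to locate the classpath root), so unless a check outside the hunk rejects them first, a lookup that used to return a URL or null could now fail with an unchecked exception. `if (url == null && !name.startsWith("/")) {` makes the same decision without the length assumption, as does `if (!name.startsWith("/")) {` in the second hunk. The enclosing method starts and ends outside the hunk, so an earlier guard cannot be excluded from here.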
@@ -1145,7 +1146,10 @@ public abstract class WebappClassLoaderBase extends URLClassLoader return stream; } - notFoundClassResources.add(path); + // Skip caching results for invalid names (it might mask lookups for valid ones) + if (name.charAt(0) != '/') { + notFoundClassResources.add(path); + } } // (3) Delegate to parent unconditionally diff --git a/test/org/apache/catalina/loader/TestWebappClassLoader.java b/test/org/apache/catalina/loader/TestWebappClassLoader.java index 11b53ab7e3..38daf81d63 100644 --- a/test/org/apache/catalina/loader/TestWebappClassLoader.java +++ b/test/org/apache/catalina/loader/TestWebappClassLoader.java @@ -24,6 +24,7 @@ import java.net.URLClassLoader; import org.junit.Assert; import org.junit.Test; +import org.apache.catalina.Context; import org.apache.catalina.core.StandardContext; import org.apache.catalina.startup.Tomcat; import org.apache.catalina.startup.TomcatBaseTest; @@ -172,4 +173,33 @@ public class TestWebappClassLoader extends TomcatBaseTest { } } } + + + /* + * See https://github.com/apache/tomcat/pull/816 for details. + */ + @Test + public void testResourceName() throws Exception { + + Tomcat tomcat = getTomcatInstance(); + getProgrammaticRootContext(); + tomcat.start(); + + // Add an external resource to the web application + WebappClassLoaderBase cl = + (WebappClassLoaderBase) ((Context) tomcat.getHost().findChildren()[0]).getLoader().getClassLoader(); + File f = new File("test/conf"); + cl.addURL(f.toURI().toURL()); + + /* + * External resources are loaded using URLClassLoader code so leading '/' characters are not permitted in + * resource names. + */ + URL u1 = cl.getResource("/jaspic-test-01.xml"); + Assert.assertNull(u1); + + // Should now be visible if the correct name is used. + URL u2 = cl.getResource("jaspic-test-01.xml"); + Assert.assertNotNull(u2); + } } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 405fa4a467..95ef8c1277 100644 --- a/webapps/docs/changelog.xml 
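Review bot: testResourceName only goes through `getResource`, so the second changed path, the hunk at -1145 that returns a `stream`, has no regression test for the masking behaviour. Repeating the two-step check through the stream lookup would cover it: `Assert.assertNull(cl.getResourceAsStream("/jaspic-test-01.xml"));` followed by a non-null check for `"jaspic-test-01.xml"`, with that stream closed in a try-with-resources. The null expectation presumably holds only if the parent loader does not expose the file, since that path delegates to the parent afterwards; confirm this before relying on it. A brief comment that `new File("test/conf")` is resolved against the working directory of the test run would also help.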
+++ b/webapps/docs/changelog.xml @@ -105,6 +105,19 @@ issues do not "pop up" wrt. others). --> <section name="Tomcat 10.1.37 (schultz)" rtext="in development"> + <subsection name="Catalina"> + <changelog> + <fix> + When looking up class loader resources by resource name, the resource + name should not start with '/'. If the resource name does start with + '/', Tomcat is lenient and looks it up as if the '/' was not present. + When the web application class loader was configured with external + repositories and names starting with '/' were used for lookups, it was + possible that cached 'not found' results could effectively hide lookup + results using the correct resource name. (markt) + </fix> + </changelog> + </subsection> <subsection name="Other"> <changelog> <add> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org