https://bz.apache.org/bugzilla/show_bug.cgi?id=69665

            Bug ID: 69665
           Summary: getRequestURI() mutates MessageBytes state
           Product: Tomcat 9
           Version: 9.0.86
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: msiu...@atlassian.com
  Target Milestone: -----

Hello,
In version 9.0.86 a change to the getRequestURI() method was introduced
https://github.com/apache/tomcat/blob/9.0.86/java/org/apache/catalina/connector/Request.java#L2384,
which adds a toStringType() call instead of the previous toString()
https://github.com/apache/tomcat/compare/9.0.85...9.0.86#diff-9c26b293a31c898f3153e5575a98f8f9b767f55d31b4e3f5d9dd8e047004d3b0R2384.
This new version can mutate the state of the MessageBytes object, via the called
setString() method of the same class. The 'getter' method having a hidden side
effect can result in unexpected behavior in a high-concurrency application.
The CoyoteAdapter postParseRequest() method
https://github.com/apache/tomcat/blob/9.0.86/java/org/apache/catalina/connector/CoyoteAdapter.java#L623
checks if the MessageBytes object type is T_BYTES; however, this state can be
modified in the background by the getRequestURI() call (e.g. from a different
JVM thread), which will change the type to T_STR, failing the check and resulting
in an unexpected outcome. In our case, it resulted in seemingly "random" 404s from
the StandardHostValve due to an empty context -
https://github.com/apache/tomcat/blob/9.0.86/java/org/apache/catalina/core/StandardHostValve.java#L99.
 
In general, the issue is nearly exactly the same as a bug in 9.0.71, when
an opentelemetry agent call modified the MessageBytes state, causing the 404 -
https://www.mail-archive.com/users@tomcat.apache.org/msg141165.html, but in
this case the trigger point is a call to getRequestURI() "in the right moment"
to override the T_BYTES to T_STR.

A possible fix would be to make getRequestURI() not have any side effects
again, e.g. by bringing the toString() call back or an alternative method without the
toStringType(). The problem is present in release 9.0.86 onwards. It was
introduced as a minor performance fix for
https://bz.apache.org/bugzilla/show_bug.cgi?id=68558

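The failure mode described in the report, reduced to a single-threaded model; this is an added example, not part of the original report and not Tomcat source. `Holder`, `readOnly()`, `convertingRead()` and `stageAcceptsBytes()` are hypothetical stand-ins for MessageBytes, toString(), toStringType() and the T_BYTES check in postParseRequest().

```java
import java.nio.charset.StandardCharsets;

// Simplified, hypothetical model of a byte/String holder; NOT Tomcat's MessageBytes.
public class GetterSideEffectDemo {
    static final int T_STR = 1, T_BYTES = 2;

    static class Holder {
        private final byte[] bytes;
        private String str;
        private int type = T_BYTES;

        Holder(String s) { bytes = s.getBytes(StandardCharsets.ISO_8859_1); }

        int getType() { return type; }

        // Side-effect-free read: decodes the bytes without touching the type field.
        String readOnly() { return new String(bytes, StandardCharsets.ISO_8859_1); }

        // Converting read: caches the String and flips the type to T_STR,
        // which is the behaviour the report attributes to toStringType().
        String convertingRead() {
            if (type == T_BYTES) { str = readOnly(); type = T_STR; }
            return str;
        }
    }

    // Stand-in for a later pipeline stage that only proceeds on T_BYTES input.
    static boolean stageAcceptsBytes(Holder h) { return h.getType() == T_BYTES; }

    // Returns whether the stage still sees T_BYTES after an observer has read the URI.
    static boolean checkAfterObserver(boolean observerUsesConvertingRead) {
        Holder uri = new Holder("/app/index.html"); // constructed sample value
        // The observer stands for any code that reads the URI before the stage
        // runs, e.g. another thread holding the same request object.
        String seen = observerUsesConvertingRead ? uri.convertingRead() : uri.readOnly();
        return seen.equals("/app/index.html") && stageAcceptsBytes(uri);
    }

    public static void main(String[] args) {
        System.out.println("read-only getter, stage sees T_BYTES:  " + checkAfterObserver(false));
        System.out.println("converting getter, stage sees T_BYTES: " + checkAfterObserver(true));
    }
}
```

Both reads return the same string, so the difference is invisible to the caller of the getter and only surfaces in the code that later inspects the type.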