Launchpad has imported 15 comments from the remote bug at
https://bz.apache.org/bugzilla/show_bug.cgi?id=58999.

------------------------------------------------------------------------
On 2016-02-11T21:05:03+00:00 Svella wrote:

This appears to be caused by the recent change listed in the changelog
as:

"Fix class loader decision on the delegation for class loading and
resource lookup and make it faster too. (rjung)"

org.apache.catalina.loader.WebappClassLoaderBase.filter() is testing if
name starts with "javax" or "org", and then tries to get the next
character using name.charAt(). But if name is just "javax" or "org",
then name.charAt() for the next character will throw
StringIndexOutOfBoundsException.

The following JSP demonstrates the issue:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>$Title$</title>
</head>
<body>
<%
    Class.forName("org");
%>
</body>
</html>

Which, rather than resulting in the expected ClassNotFoundException,
instead causes:

java.lang.StringIndexOutOfBoundsException: String index out of range: 3
        java.lang.String.charAt(String.java:658)
        org.apache.catalina.loader.WebappClassLoaderBase.filter(WebappClassLoaderBase.java:2780)
        org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1253)
        org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1142)
        org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:125)
        org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:62)
        java.lang.Class.forName0(Native Method)
        java.lang.Class.forName(Class.java:264)
        org.apache.jsp.index_jsp._jspService(index_jsp.java:116)
        org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

While this example is contrived, it causes real-world problems for
Mozilla Rhino, which is testing "java", "javax", "org", "com", "edu",
"net" to make sure that they are indeed top-level packages and do not
resolve to a class. It can deal with the expected ClassNotFoundException
but can't deal with the unexpected StringIndexOutOfBoundsException.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/0

------------------------------------------------------------------------
On 2016-02-12T08:25:17+00:00 Violetagg wrote:

Created attachment 33549
patch

Hi,

I'm attaching here a patch proposal so that others can comment.

I found one more problem:

Packages 
org.apache.tomcat.jdbc 
javax.servlet.jsp.jstl 

should be permitted, but the current implementation allows only sub
packages for these packages.

Regards,
Violeta

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/1

------------------------------------------------------------------------
On 2016-02-12T15:34:09+00:00 Svella wrote:

Looked over the patch and I think the changes for org.apache.tomcat.jdbc 
and javax.servlet.jsp.jstl will now incorrectly detect things like 
org.apache.tomcat.jdbcx and javax.servlet.jsp.jstly - Not very likely to happen 
in the wild I know, but I wouldn't have thought org and javax would have been 
very likely either.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/2

------------------------------------------------------------------------
On 2016-02-12T16:49:45+00:00 Violetagg wrote:

(In reply to Shon Vella from comment #2)
> Looked over the patch and I think the changes for org.apache.tomcat.jdbc 
> and javax.servlet.jsp.jstl will now incorrectly detect things like
> org.apache.tomcat.jdbcx and javax.servlet.jsp.jstly - Not very likely to
> happen in the wild I know, but I wouldn't have thought org and javax would
> have been very likely either.

If you read the code again, you will see that the check for these packages 
(org.apache.tomcat.jdbc, javax.servlet.jsp.jstl) is introduced in order to 
permit them, not to deny them.
So if there are packages in the client code that are like those that you 
described above, then they will be permitted.

Regards,
Violeta

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/3

------------------------------------------------------------------------
On 2016-02-12T20:48:20+00:00 Rainer Jung wrote:

Thanks to the OP for analysing the problem and to Violeta for the patch.

Please have a look at r1730101, which fixes the
StringIndexOutOfBoundsException.

The only problem I saw was the charAt(), because indeed the index could
have been too big. For the startsWith(), this cannot happen, because the
given index is always equal to the known minimal length of the string
(one more than the last index of the string). Javadoc tells us this is
allowed, even an index bigger than the string length is allowed here:
"The result is false if toffset is negative or greater than the length
of this String object".

Concerning the filtering, when the name parameter is exactly equal to
one of the denied package names (package names to filter), IMHO it is OK
to permit them unless they are followed by a sub package, class or
resource name. I see no harm in permitting the package names without
anything after them.

If you agree, I'll backport.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/4
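
The failure mode and the length guard discussed in the comment above, as an added example that is not part of the original thread and is not Tomcat's source. It is a simplified model of a prefix filter; the class name, the method names and the filtered prefix "org.apache.catalina." are assumptions chosen for illustration.

```java
public class FilterBoundsDemo {

    // Pattern from the report: prefix test followed by an unguarded charAt().
    static boolean filterUnguarded(String name) {
        if (name.startsWith("org")) {
            char ch = name.charAt(3); // index 3 does not exist when name is exactly "org"
            return ch == '.' && name.startsWith("apache.catalina.", 4);
        }
        return false;
    }

    // Length guard first: a bare package name is permitted (not filtered),
    // so the class loader goes on to raise the usual ClassNotFoundException.
    static boolean filterGuarded(String name) {
        if (name.startsWith("org")) {
            if (name.length() == 3) {
                return false;
            }
            char ch = name.charAt(3);
            return ch == '.' && name.startsWith("apache.catalina.", 4);
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed inputs, not taken from the bug's attachments.
        String[] names = {"org", "org.", "organic.Thing", "org.apache.catalina.Foo"};
        for (String n : names) {
            String unguarded;
            try {
                unguarded = String.valueOf(filterUnguarded(n));
            } catch (StringIndexOutOfBoundsException e) {
                unguarded = e.getClass().getSimpleName();
            }
            System.out.println(n + " -> unguarded=" + unguarded
                    + ", guarded=" + filterGuarded(n));
        }
        // startsWith(prefix, toffset) does not throw for an offset at or past
        // the end of the string, which is why only charAt() needed the guard.
        System.out.println("offset == length: " + "org".startsWith("apache.", 3));
        System.out.println("offset >  length: " + "org".startsWith("apache.", 4));
    }
}
```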

------------------------------------------------------------------------
On 2016-02-13T07:51:12+00:00 Violetagg wrote:

(In reply to Rainer Jung from comment #4)
> Thanks to the OP for analysing the problem and to Violeta for the patch.
> 
> Please have a look at r1730101, which fixes the
> StringIndexOutOfBoundsException.
> 
> The only problem I saw was the charAt(), because indeed the index could have
> been too big. For the startsWith(), this cannot happen, because the given
> index is always equal to the known minimal length of the string (one more
> than the last index of the string). Javadoc tells us this is allowed, even
> an index bigger than the string length is allowed here: "The result is false
> if toffset is negative or greater than the length of this String object".
> 
> Concerning the filtering, when the name parameter is exactly equal to one
> of the denied package names (package names to filter), IMHO it is OK to
> permit them unless they are followed by a sub package, class or resource
> name. I see no harm in permitting the package names without anything after
> them.
> 
> If you agree, I'll backport.

Thanks,
Violeta

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/5

------------------------------------------------------------------------
On 2016-02-13T11:00:51+00:00 Rainer Jung wrote:

Backported to TC 8 in r1730178.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/6

------------------------------------------------------------------------
On 2016-02-13T11:02:02+00:00 Rainer Jung wrote:

The fix will be part of the next releases 9.0.0.M4 and 8.0.33.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/7

------------------------------------------------------------------------
On 2016-02-15T15:59:56+00:00 Sebastian-staack wrote:

I got the same exception if I use a script engine in a servlet. I
created a test case and attached it to the ticket. If you would like to
check if this corner case is also fixed, run "mvn clean verify" in the
folder contained in the attached zip.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/8

------------------------------------------------------------------------
On 2016-02-15T16:01:51+00:00 Sebastian-staack wrote:

Created attachment 33559
Test case to reproduce the bug when using a script engine in a servlet

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/9

------------------------------------------------------------------------
On 2016-02-15T19:25:08+00:00 Rainer Jung wrote:

Your test case shows the same problem, trying to load a class named
"org". I added logging to the filter method to track what calls it gets.

I replaced the catalina.jar from 8.0.32 with one from the current
tc8.0.x HEAD, and the test case then succeeds. So the fix we have
already applied for the next release also fixes your test.

You can apply the following patch/fix on top of TC 8.0.32 if you like.

Regards,

Rainer

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/10

------------------------------------------------------------------------
On 2016-02-15T19:25:23+00:00 Rainer Jung wrote:

Oops, the following:

http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/loader/WebappClassLoaderBase.java?r1=1726672&r2=1730178&diff_format=h

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/11

------------------------------------------------------------------------
On 2016-02-16T16:13:47+00:00 Violetagg wrote:

*** Bug 59013 has been marked as a duplicate of this bug. ***

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/12

------------------------------------------------------------------------
On 2016-03-03T15:08:14+00:00 Violetagg wrote:

*** Bug 59110 has been marked as a duplicate of this bug. ***

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/13

------------------------------------------------------------------------
On 2016-04-06T18:40:03+00:00 Violetagg wrote:

*** Bug 59282 has been marked as a duplicate of this bug. ***

Reply at:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1606331/comments/14


** Changed in: tomcat7
       Status: Unknown => Fix Released

** Changed in: tomcat7
   Importance: Unknown => High

https://bugs.launchpad.net/bugs/1606331

Title:
  StringIndexOutOfBoundsException - Tomcat8.0.32
