StringIndexOutOfBoundsException - Tomcat8.0.32

Bug #1606331 reported by Samuel Longiaru
This bug affects 8 people

Affects             Status         Importance   Assigned to
Tomcat7             Fix Released   High
tomcat8 (Ubuntu)    Fix Released   Undecided    Unassigned
Xenial              Fix Released   High         Karl Stenerud
Yakkety             Fix Released   Undecided    Unassigned

Bug Description

[Impact]

 * There was a software bug in the 8.0.32 release of tomcat8, subsequently fixed in 8.0.33, that accessed past the end of a string.

[Test Case]

# lxc launch ubuntu:xenial tester && lxc exec tester bash
# apt update && apt dist-upgrade -y && apt install -y tomcat8 && mkdir -p /var/lib/tomcat8/webapps/test && echo '<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>$Title$</title>
</head>
<body>
<%
    Class.forName("org");
%>
</body>
</html>
' >/var/lib/tomcat8/webapps/test/test.jsp
# service tomcat8 restart
# curl localhost:8080/test/test.jsp
...
 An exception occurred processing JSP page /test.jsp at line 8
5: &lt;/head&gt;
6: &lt;body&gt;
7: &lt;%
8: Class.forName(&quot;org&quot;);
9: %&gt;
10: &lt;/body&gt;
11: &lt;/html&gt;
...
</pre><p><b>root cause</b></p><pre>java.lang.StringIndexOutOfBoundsException: String index out of range: 3
...

[Regression Potential]

If the lengths are wrong in the patch, then this will filter out more than just the top-level identifiers. Although, to be honest, the chance of someone actually using a partial identifier that is not the top-level id is pretty low.

[Original Description]

---

Tomcat 8.0.32 has a known and corrected bug

https://bz.apache.org/bugzilla/show_bug.cgi?id=58999

which in some cases prevents a webapp from executing. I have encountered this error. The fix will be to place a later version of Tomcat8 into the Ubuntu 16.04 repository.

I encountered this error using:

----------------------------

OpenVPMS 1.8.1 (veterinary practice management webapp)
MySQL 5.7.13
Open-jdk 1.8.0_91
Tomcat 8.0.32
mysql-connector-java-5.1.39

----------------------------

The webapp in this case (OpenVPMS) runs under tomcat7 but not under this specific version of Tomcat (8.0.32). Instead, tomcat throws a 404-/openvpms error. The relevant portion of the tomcat log is:

Caused by: java.lang.StringIndexOutOfBoundsException: String index out of range: 3
 at java.lang.String.charAt(String.java:658)
 at org.apache.catalina.loader.WebappClassLoaderBase.filter(WebappClassLoaderBase.java:2780)
 at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1253)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
 at java.lang.Class.forName0(Native Method)
 at java.lang.Class.forName(Class.java:348)

Thank you.

Revision history for this message
In , Svella (svella) wrote :

This appears to be caused by the recent change listed in the changelog as:

"Fix class loader decision on the delegation for class loading and resource lookup and make it faster too. (rjung)"

org.apache.catalina.loader.WebAppClassLoaderBase.filter() is testing if name starts with "javax" or "org", and then tries to get the next character using name.charAt(). But if name is just "javax" or "org", then name.charAt() for the next character will throw StringIndexOutOfBoundsException.

the following jsp demonstrates the issue:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>$Title$</title>
</head>
<body>
<%
    Class.forName("org");
%>
</body>
</html>

Which, rather than the expected ClassNotFoundException, causes instead:

java.lang.StringIndexOutOfBoundsException: String index out of range: 3
 java.lang.String.charAt(String.java:658)
 org.apache.catalina.loader.WebappClassLoaderBase.filter(WebappClassLoaderBase.java:2780)
 org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1253)
 org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1142)
 org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:125)
 org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:62)
 java.lang.Class.forName0(Native Method)
 java.lang.Class.forName(Class.java:264)
 org.apache.jsp.index_jsp._jspService(index_jsp.java:116)
 org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
 javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
 org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
 org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
 org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
 javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
 org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

While this example is contrived, it causes real-world problems for Mozilla Rhino, which tests "java", "javax", "org", "com", "edu", "net" to make sure that they are indeed top-level packages and do not resolve to a class; it can deal with the expected ClassNotFoundException but can't deal with the unexpected StringIndexOutOfBoundsException.

Revision history for this message
In , Violetagg (violetagg) wrote :

Created attachment 33549
patch

Hi,

I'm attaching here a patch proposal so that others can comment.

I found one more problem:

Packages
org.apache.tomcat.jdbc
javax.servlet.jsp.jstl

should be permitted, but the current implementation allows only sub packages for these packages.

Regards,
Violeta

Revision history for this message
In , Svella (svella) wrote :

Looked over the patch and I think the changes for org.apache.tomcat.jdbc and javax.servlet.jsp.jstl will now incorrectly detect things like org.apache.tomcat.jdbcx and javax.servlet.jsp.jstly - not very likely to happen in the wild I know, but I wouldn't have thought org and javax would have been very likely either.

Revision history for this message
In , Violetagg (violetagg) wrote :

(In reply to Shon Vella from comment #2)
> Looked over the patch and I think the changes for org.apache.tomcat.jdbc
> javax.servlet.jsp.jstl will now incorrectly detect things like
> org.apache.tomcat.jdbcx and javax.servlet.jsp.jstly - Not very likely to
> happen in the wild I know, but I wouldn't have thought org and javax would
> have been very likely either.

If you read again the code you will see that the check for these packages (org.apache.tomcat.jdbc, javax.servlet.jsp.jstl) is introduced in order to permit them not to deny them.
So if there are packages in the client code that are like those that you described above then they will be permitted.

Regards,
Violeta

Revision history for this message
In , Rainer Jung (rainer-jung-kippdata) wrote :

Thanks to the OP for analysing the problem and to Violeta for the patch.

Please have a look at r1730101, which fixes the StringIndexOutOfBoundsException.

The only problem I saw was the charAt(), because indeed the index could have been too big. For the startsWith(), this can not happen, because the given index is always equal to the known minimal length of the string (one more than the last index of the string). Javadoc tells us this is allowed, even an index bigger than the string length is allowed here: "The result is false if toffset is negative or greater than the length of this String object".

Concerning the filtering, when the name parameter is exactly equals to one of the denied package names (package names to filter), IMHO it is OK to permit them unless they are followed by a sub package, class or resource name. I see no harm in permitting the package names without anything after them.

If you agree, I'll backport.
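
The following is an added illustration (not Tomcat's source and not part of this bug report) of the check that Svella's first comment and Rainer's comment above describe: a class loader filter that calls startsWith("javax") or startsWith("org") and then reads the next character with charAt(). The class name ClassNameFilterDemo and the short RESERVED and PERMITTED prefix lists are assumptions chosen for the example; the real WebappClassLoaderBase.filter() has longer lists and a separate branch for resource names using '/'. The buggy variant reproduces the "String index out of range: 3" failure for the bare name "org", and the fixed variant applies the length guard so that an exact top-level name is simply permitted, while "org.apache.tomcat.jdbc" sub-packages stay permitted and the trailing dot keeps "org.apache.tomcat.jdbcx" from matching the permitted entry.

```java
/**
 * Simplified model of a web application class loader's "filter" decision:
 * true means the name is reserved for the container and is delegated to the
 * parent loader, false means the web application may load it itself.
 * Added example; the prefix lists are an assumed, representative subset.
 */
public class ClassNameFilterDemo {

    /** Package prefixes (with trailing dot) reserved for the container. */
    private static final String[] RESERVED = {
        "javax.el.", "javax.servlet.", "javax.websocket.",
        "org.apache.catalina.", "org.apache.jasper.", "org.apache.tomcat."
    };

    /** Sub-packages that must remain loadable by the web application. */
    private static final String[] PERMITTED = {
        "javax.servlet.jsp.jstl.", "org.apache.tomcat.jdbc."
    };

    /** The 8.0.32 shape: charAt() right after startsWith(), no length guard. */
    static boolean filterBuggy(String name) {
        char ch;
        if (name.startsWith("javax")) {
            ch = name.charAt(5);          // throws StringIndexOutOfBounds for "javax"
            if (ch != '.') return false;
        } else if (name.startsWith("org")) {
            ch = name.charAt(3);          // throws StringIndexOutOfBounds for "org"
            if (ch != '.') return false;
        } else {
            return false;
        }
        return matchesReserved(name);
    }

    /** Fixed shape: guard the length, so an exact top-level name is permitted. */
    static boolean filterFixed(String name) {
        int prefixLen;
        if (name.startsWith("javax")) prefixLen = 5;
        else if (name.startsWith("org")) prefixLen = 3;
        else return false;
        // "javax" or "org" on its own (or not followed by a separator) can
        // never be a reserved package, so it is permitted without reading
        // past the end of the string.
        if (name.length() <= prefixLen || name.charAt(prefixLen) != '.') return false;
        return matchesReserved(name);
    }

    /** Permitted sub-packages win over reserved prefixes. */
    private static boolean matchesReserved(String name) {
        for (String ok : PERMITTED) {
            if (name.startsWith(ok)) return false;
        }
        for (String reserved : RESERVED) {
            if (name.startsWith(reserved)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String[] samples = {
            "org", "javax", "org.apache.catalina.Foo",
            "org.apache.tomcat.jdbc.pool.DataSource", "org.apache.tomcat.jdbcx.Foo",
            "javax.servlet.jsp.jstl.core.Config", "com.example.App"
        };
        for (String s : samples) {
            String buggy;
            try {
                buggy = String.valueOf(filterBuggy(s));
            } catch (StringIndexOutOfBoundsException e) {
                buggy = "StringIndexOutOfBoundsException";
            }
            System.out.printf("%-42s buggy=%-32s fixed=%s%n", s, buggy, filterFixed(s));
        }
        // Rainer's point about startsWith(prefix, offset): an offset past the end
        // of the string yields false rather than an exception, so only charAt()
        // needed the guard.
        System.out.println("\"org.\".startsWith(\"apache.\", 4) = "
                + "org.".startsWith("apache.", 4));
    }
}
```

Running main prints one line per sample; "org" and "javax" show StringIndexOutOfBoundsException under filterBuggy and false (permitted) under filterFixed, the catalina and jdbcx names are reserved in both, and the jdbc and jstl names are permitted in both.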

Revision history for this message
In , Violetagg (violetagg) wrote :

(In reply to Rainer Jung from comment #4)
> Thanks to the OP for analysing the problem and to Violeta for the patch.
>
> Please have a look at r1730101, which fixes the
> StringIndexOutOfBoundsException.
>
> The onyl problem I saw was the charAt(), because indeed the index could have
> been to big. For the startsWith(), this can not happen, because the given
> index is always equals to the known minimal length of the string (one more
> than the last index of the string). Javadoc tells us this is allowed, even
> an index bigger than the string length is allowed here: "The result is false
> if toffset is negative or greater than the length of this String object".
>
> Concerning the filtering, when the name parameter is exactly equals to one
> of the denied package names (package names to filter), IMHO it is OK to
> permit them unless they are followed by a sub package, class or resource
> name. I see no harm in permitting the package names without anything after
> them.
>
> If you agree, I'll backport.

Thanks,
Violeta

Revision history for this message
In , Rainer Jung (rainer-jung-kippdata) wrote :

Backported to TC 8 in r1730178.

Revision history for this message
In , Rainer Jung (rainer-jung-kippdata) wrote :

The fix will be part of the next releases 9.0.0.M4 and 8.0.33.

Revision history for this message
In , Sebastian-staack (sebastian-staack) wrote :

I got the same exception if I use a script engine in a servlet. I created a test case and attached it to the ticket. If you would like to check if this corner case is also fixed run "mvn clean verify" in the folder contained in the attached zip.

Revision history for this message
In , Sebastian-staack (sebastian-staack) wrote :

Created attachment 33559
Test case to reproduce the bug when using a script engine in a servlet

Revision history for this message
In , Rainer Jung (rainer-jung-kippdata) wrote :

Your test case shows the same problem, trying to load a class named "org". I added logging to the filter method to track what calls it gets.

I replaced the catalina.jar from 8.0.32 with one from the current tc8.0.x HEAD, and the test case then succeeds. So the fix we have already applied for the next release also fixes your test.

You can apply the following patch/fix on top of TC 8.0.32 if you like.

Regards,

Rainer

Revision history for this message
In , Rainer Jung (rainer-jung-kippdata) wrote :
Revision history for this message
In , Violetagg (violetagg) wrote :

*** Bug 59013 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Violetagg (violetagg) wrote :

*** Bug 59110 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Violetagg (violetagg) wrote :

*** Bug 59282 has been marked as a duplicate of this bug. ***

affects: ubuntu → tomcat8 (Ubuntu)
tags: added: xenial
removed: tomcat8
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in tomcat8 (Ubuntu):
status: New → Confirmed
Changed in tomcat8 (Ubuntu):
importance: Undecided → Critical
Changed in tomcat7:
importance: Unknown → High
status: Unknown → Fix Released
Revision history for this message
Hendrik Brummermann (nhnb) wrote :

Is there any hope to get this fix of Tomcat 8.0.32 into Ubuntu 16.04?

This issue affects all Tomcat based web-applications that make use of server side JavaScript, such as the German university management system HISinOne.

Revision history for this message
Robie Basak (racb) wrote :

I don't think this qualifies as Critical under the definition at https://wiki.ubuntu.com/Bugs/Importance.

Changed in tomcat8 (Ubuntu):
importance: Critical → High
Revision history for this message
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

If someone can prepare a backport, please follow the steps at https://wiki.ubuntu.com/StableReleaseUpdates#Procedure to have 16.04 updated.

All the steps documented there need to be followed. In particular, I'm concerned that we:

1) Explain the bug well enough so the SRU team (who are probably not familiar with this package) can understand the real user impact in terms of use case so they can make a decision as to whether backporting the fix to stable releases justifies the regression risk to existing, unaffected users.

2) Make sure that the fixing this in a stable Ubuntu release does not regress existing users of the module not affected by this bug.

3) Have a test case that can be followed by someone not familiar with the package for SRU verification purposes.

Revision history for this message
Nish Aravamudan (nacc) wrote :

Zesty and Yakkety both have > 8.0.33 where the bug is fixed. Only Xenial needs the backport now.

Changed in tomcat8 (Ubuntu):
status: Confirmed → Fix Released
Changed in tomcat8 (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → High
Changed in tomcat8 (Ubuntu):
importance: High → Undecided
Changed in tomcat8 (Ubuntu Xenial):
assignee: nobody → Nish Aravamudan (nacc)
status: Triaged → In Progress
Nish Aravamudan (nacc)
Changed in tomcat8 (Ubuntu Yakkety):
status: New → Fix Released
Revision history for this message
Nish Aravamudan (nacc) wrote :

Please test tomcat8 https://launchpad.net/~nacc/+archive/ubuntu/tomcat8v2 8.0.32-1ubuntu1.3~ppa1.

Nish Aravamudan (nacc)
description: updated
description: updated
Revision history for this message
Samuel Longiaru (longiaru) wrote :

After adding ppa and updating, OpenVPMS webapp now runs as expected. Thanks!

Revision history for this message
Conrad Kostecki (conikost) wrote :

I also confirm. Using tomcat8 from ppa works and solves our problem.

Revision history for this message
Nish Aravamudan (nacc) wrote :

Thank you to Samuel and Conrad! Can you, as a favor to me, test the (now-building) tomcat8 - 8.0.32-1ubuntu1.3~ppa2 from the same PPA to verify no regression in your use-cases? It includes an additional bugfix from 8.0.33 for LP: #1593854.

Revision history for this message
Samuel Longiaru (longiaru) wrote :

Nish,

I have just tried the ~ppa2 version with good success. I had trouble forcing the upgrade to ~ppa2 so wound up purging tomcat8 and reinstalling. I have confirmed the use of ~ppa2 with apt-show-versions | grep 'tomcat8'. All are showing ~ppa2.

Thank you for your help!

Revision history for this message
Jeremy (nzlamb) wrote :

This patch also fixed a minor rendering issue with Xwiki (refer http://jira.xwiki.org/browse/XWIKI-13970).

Can we please have it released to the main repositories soon?

Revision history for this message
Conrad Kostecki (conikost) wrote :

Any news on getting this into the main repositories?

Revision history for this message
Samuel Longiaru (longiaru) wrote :

Too bad that the tested patch for this high importance bug did not make it into the Jan 23, 2017 Tomcat8 update for 14.04 LTS. Any idea when the next one is coming out that may include this bug fix?

Revision history for this message
sw (sw-ubuntu) wrote :

Any update on a fix for Xenial? This issue prevents some functionality (e.g. the code macro) on my xwiki installation. Unfortunately xwiki isn't running properly after an upgrade to Bionic Beaver so I'm stuck with this problem currently.

Alternatively - Is there any way to upgrade tomcat8 via ppa to a current tomcat8 version with the fix? Currently I run the latest Version 8.0.32-1ubuntu1.7 and I don't find a way to resolve it. (Manual install is no option -> security fixes etc.)

Robie Basak (racb)
tags: added: bitesize
Revision history for this message
Karl Stenerud (kstenerud) wrote :

This appears to be already fixed on xenial.

Here is the old repro case, which no longer triggers a bug:

# lxc launch ubuntu:xenial tester && lxc exec tester bash
# apt update && apt dist-upgrade -y && apt install -y tomcat8
# mkdir -p /var/lib/tomcat8/webapps/test && echo '<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>$Title$</title>
</head>
<body>
<%
    Class.forName("org");
%>
</body>
</html>
' >/var/lib/tomcat8/webapps/test/test.jsp
# curl localhost:8080/test/test.jsp
...
 An exception occurred processing JSP page /test.jsp at line 8
5: &lt;/head&gt;
6: &lt;body&gt;
7: &lt;%
8: Class.forName(&quot;org&quot;);
9: %&gt;
10: &lt;/body&gt;
11: &lt;/html&gt;
...
</pre><p><b>root cause</b></p><pre>java.lang.StringIndexOutOfBoundsException: String index out of range: 3
...

Please test to make sure this fixes it for you as well on xenial.

Revision history for this message
sw (sw-ubuntu) wrote : Re: [Bug 1606331] Re: StringIndexOutOfBoundsException - Tomcat8.0.32

Hello,

Unfortunately still the same problem.

I just upgraded xwiki (to latest 10.6) and installed all xenial updates.

Still the same error mentioned here (“String index out of range: 3”):

https://forum.xwiki.org/t/code-macro-requirements/909/23

The workaround mentioned there (ppa) is also not working anymore.

Am 20.11.2018 um 15:17 schrieb Karl Stenerud:
> Please test to make sure this fixes it for you as well on xenial.

description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Uploaded to xenial-proposed, waiting for SRU team approval.

Changed in tomcat8 (Ubuntu Xenial):
assignee: Nish Aravamudan (nacc) → Karl Stenerud (kstenerud)
Revision history for this message
Robie Basak (racb) wrote :

Thank you for the upload! A couple of points:

Why doesn't the cherry-pick here include the upstream test for this bug, that was in the upstream commit?

Regression Potential should discuss "how regressions are most likely to manifest, or may manifest even if it is unlikely, as a result of this change". This is to inform how the SRU will be verified to ensure that the areas of most likely regression are tested. See https://wiki.ubuntu.com/StableReleaseUpdates#Procedure for details, and please update the Regression Potential section.

description: updated
Revision history for this message
Robie Basak (racb) wrote : Please test proposed package

Hello Samuel, or anyone else affected,

Accepted tomcat8 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/tomcat8/8.0.32-1ubuntu1.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in tomcat8 (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Revision history for this message
Karl Stenerud (kstenerud) wrote :

Correct behavior verified as follows:

    lxc launch ubuntu-daily:xenial tester && lxc exec tester bash
    apt update && apt dist-upgrade -y && apt install -y tomcat8 && mkdir -p /var/lib/tomcat8/webapps/test && echo '<%@ page contentType="text/html;charset=UTF-8" language="java" %>
    <html>
    <head>
        <title>$Title$</title>
    </head>
    <body>
    <%
        Class.forName("org");
    %>
    </body>
    </html>
    ' >/var/lib/tomcat8/webapps/test/test.jsp &&
    service tomcat8 restart &&
    curl localhost:8080/test/test.jsp

This results in the following erroneous jsp exception:

java.lang.StringIndexOutOfBoundsException: String index out of range: 3
    java.lang.String.charAt(String.java:658)
    org.apache.catalina.loader.WebappClassLoaderBase.filter(WebappClassLoaderBase.java:2802)
    org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1254)
    org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1143)
    org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:125)
    org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:62)
    java.lang.Class.forName0(Native Method)
    java.lang.Class.forName(Class.java:264)
    org.apache.jsp.test_jsp._jspService(test_jsp.java:116)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:401)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:345)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

Upgrade to the version in proposed and re-run the test:

    echo "deb http://archive.ubuntu.com/ubuntu xenial-proposed main restricted" >>/etc/apt/sources.list &&
    apt update &&
    apt dist-upgrade -y &&
    curl localhost:8080/test/test.jsp

This results in a jsp exception with a proper root cause:

java.lang.ClassNotFoundException: org
    org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1309)
    org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1143)
    org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:125)
    org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:62)
    java.lang.Class.forName0(Native Method)
    java.lang.Class.forName(Class.java:264)
    org.apache.jsp.test_jsp._jspService(test_jsp.java:116)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:401)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:345)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat8 - 8.0.32-1ubuntu1.9

---------------
tomcat8 (8.0.32-1ubuntu1.9) xenial; urgency=medium

  * d/p/fix-class-resource-name-filtering.patch: Fix class and resource name
    filtering in WebappClassLoader (LP: #1606331).

 -- Karl Stenerud <email address hidden> Mon, 10 Dec 2018 15:08:07 +0100

Changed in tomcat8 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for tomcat8 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
