StringIndexOutOfBoundsException - Tomcat8.0.32
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Tomcat7 | Fix Released | High | |
tomcat8 (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | High | Karl Stenerud |
Yakkety | Fix Released | Undecided | Unassigned |

Bug Description
[Impact]
* There was a software bug in the 8.0.32 release of tomcat8, subsequently fixed in 8.0.33, with accessing past the end of a string.
[Test Case]
# lxc launch ubuntu:xenial tester && lxc exec tester bash
# apt update && apt dist-upgrade -y && apt install -y tomcat8 && mkdir -p /var/lib/
<html>
<head>
<title>
</head>
<body>
<%
Class.
%>
</body>
</html>
' >/var/lib/
# service tomcat8 restart
# curl localhost:
...
An exception occurred processing JSP page /test.jsp at line 8
5: </head>
6: <body>
7: <%
8: Class.forName(
9: %>
10: </body>
11: </html>
...
</pre><p><b>root cause</
...
[Regression Potential]
If the lengths are wrong in the patch, then this will filter out more than just the top level identifiers. Although tbh the chances of someone actually putting a partial identifier not the top level id is pretty low.
[Original Description]
---
Tomcat 8.0.32 has a known and corrected bug
https:/
which in some cases prevents a webapp from executing. I have encountered this error. The fix will be to place a later version of Tomcat8 into the Ubuntu 16.04 repository.
I encountered this error using:
-------
OpenVPMS 1.8.1 (veterinary practice management webapp)
MySQL 5.7.13
Open-jdk 1.8.0_91
Tomcat 8.0.32
mysql-connector
-------
The webapp in this case (OpenVPMS) runs under tomcat7 but not under this specific version of Tomcat (8.0.32). Instead, tomcat throws a 404-/openvpms error. The relevant portion of the tomcat log is:
Caused by: java.lang.
at java.lang.
at org.apache.
at org.apache.
at java.lang.
at java.lang.
at java.lang.
at java.lang.
Thank you.
Related branches
- Andreas Hasenack: Approve
- Canonical Server: Pending requested
Diff: 171 lines (+149/-0), 3 files modified:
- debian/changelog (+7/-0)
- debian/patches/fix-class-resource-name-filtering.patch (+141/-0)
- debian/patches/series (+1/-0)
affects: | ubuntu → tomcat8 (Ubuntu) |
tags: |
added: xenial removed: tomcat8 |
Changed in tomcat8 (Ubuntu): | |
importance: | Undecided → Critical |
Changed in tomcat7: | |
importance: | Unknown → High |
status: | Unknown → Fix Released |
Changed in tomcat8 (Ubuntu Yakkety): | |
status: | New → Fix Released |
description: | updated |
description: | updated |
tags: | added: bitesize |
description: | updated |
description: | updated |
tags: |
added: verification-done verification-done-xenial removed: verification-needed verification-needed-xenial |
This appears to be caused by the recent change listed in the changelog as:
"Fix class loader decision on the delegation for class loading and resource lookup and make it faster too. (rjung)"
org.apache.catalina.loader.WebappClassLoaderBase.filter() is testing if name starts with "javax" or "org", and then tries to get the next character using name.charAt(). But if name is just "javax" or "org", then name.charAt() for the next character will throw StringIndexOutOfBoundsException.
The following JSP demonstrates the issue:
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>$Title$</title>
</head>
<body>
<%
Class.forName("org");
%>
</body>
</html>
Which, rather than resulting in the expected ClassNotFoundException, causes instead:
java.lang.StringIndexOutOfBoundsException: String index out of range: 3
java.lang.String.charAt(String.java:658)
org.apache.catalina.loader.WebappClassLoaderBase.filter(WebappClassLoaderBase.java:2780)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1253)
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1142)
org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:125)
org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:62)
java.lang.Class.forName0(Native Method)
java.lang.Class.forName(Class.java:264)
org.apache.jsp.index_jsp._jspService(index_jsp.java:116)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
While this example is contrived, it causes real-world problems for Mozilla Rhino, which is testing "java", "javax", "org", "com", "edu", "net" to make sure that they are indeed top-level packages and do not resolve to a class. It can deal with the expected ClassNotFoundException but can't deal with the unexpected StringIndexOutOfBoundsException.
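
The bounds problem described in the comment above, as an added Java sketch that is not Tomcat's source or part of the original report. `filterUnchecked` and `filterChecked` are hypothetical names, and the rule that the character after the prefix must be `.` or `/` is an assumption made for the illustration.

```java
// Added illustration: a simplified model of the pattern described in the
// comment above. It is not the code of Tomcat's WebappClassLoaderBase.
public class FilterBoundsDemo {

    // Prefixes named in the comment ("javax" and "org").
    private static final String[] PREFIXES = {"javax", "org"};

    // Unchecked shape: reads the character after the prefix without first
    // confirming that the name is longer than the prefix.
    static boolean filterUnchecked(String name) {
        for (String p : PREFIXES) {
            if (name.startsWith(p)) {
                // For name "org" this is charAt(3) on a 3-character string.
                char next = name.charAt(p.length());
                return next == '.' || next == '/'; // assumed separator rule
            }
        }
        return false;
    }

    // Checked shape: a bare top-level identifier is reported as "not
    // filtered", so the caller proceeds to the ordinary lookup and the
    // expected ClassNotFoundException.
    static boolean filterChecked(String name) {
        if (name == null) return false;
        for (String p : PREFIXES) {
            if (name.startsWith(p)) {
                if (name.length() == p.length()) return false; // exactly the prefix
                char next = name.charAt(p.length());
                return next == '.' || next == '/';
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed inputs: bare identifiers like those Rhino probes, plus longer names.
        String[] names = {"org", "javax", "org.example.Foo", "javax/servlet/x", "organic"};
        for (String n : names) {
            String unchecked;
            try {
                unchecked = String.valueOf(filterUnchecked(n));
            } catch (StringIndexOutOfBoundsException e) {
                unchecked = "StringIndexOutOfBoundsException";
            }
            System.out.println(n + " -> unchecked=" + unchecked + ", checked=" + filterChecked(n));
        }
    }
}
```

The length comparison is also where the [Regression Potential] note applies: if the compared length does not match the prefix, names longer than the bare identifier would be rejected as well.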