Comment 2 for bug 1606331

In , Svella (svella) wrote :

This appears to be caused by the recent change listed in the changelog as:

"Fix class loader decision on the delegation for class loading and resource lookup and make it faster too. (rjung)"

org.apache.catalina.loader.WebappClassLoaderBase.filter() is testing if name starts with "javax" or "org", and then tries to get the next character using name.charAt(). But if name is just "javax" or "org", then name.charAt() for the next character will throw StringIndexOutOfBoundsException.

The following JSP demonstrates the issue:

<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
    <title>$Title$</title>
</head>
<body>
<%
    Class.forName("org");
%>
</body>
</html>

Rather than the expected ClassNotFoundException, this results in:

java.lang.StringIndexOutOfBoundsException: String index out of range: 3
 java.lang.String.charAt(String.java:658)
 org.apache.catalina.loader.WebappClassLoaderBase.filter(WebappClassLoaderBase.java:2780)
 org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1253)
 org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1142)
 org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:125)
 org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:62)
 java.lang.Class.forName0(Native Method)
 java.lang.Class.forName(Class.java:264)
 org.apache.jsp.index_jsp._jspService(index_jsp.java:116)
 org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
 javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
 org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
 org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:396)
 org.apache.jasper.servlet.JspServlet.service(JspServlet.java:340)
 javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
 org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

While this example is contrived, it causes real-world problems for Mozilla Rhino, which is testing "java", "javax", "org", "com", "edu", "net" to make sure that they are indeed top-level packages and do not resolve to a class. It can deal with the expected ClassNotFoundException but can't deal with the unexpected StringIndexOutOfBoundsException.
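
The failure mode described in the comment above, as an added example that is not part of the original comment and is not Tomcat's source: a prefix test followed by an unchecked charAt(), beside a bounds-safe form. The names PrefixFilterDemo, filterUnchecked, filterChecked, loadClass and outcome are hypothetical, and the filter is reduced to the prefix test only.

```java
import java.util.function.Predicate;

public class PrefixFilterDemo {

    // Unchecked variant: the prefix matches, then the next character is read
    // without confirming that the name is long enough to have one.
    static boolean filterUnchecked(String name) {
        if (name.startsWith("javax")) {
            return name.charAt(5) == '.';   // throws for the bare name "javax"
        } else if (name.startsWith("org")) {
            return name.charAt(3) == '.';   // throws for the bare name "org"
        }
        return false;
    }

    // Bounds-safe variant: match the prefix together with its separator, so a
    // bare "javax" or "org" fails the test instead of indexing past the end.
    static boolean filterChecked(String name) {
        return name.startsWith("javax.") || name.startsWith("org.");
    }

    // Hypothetical stand-in for a loadClass() that consults the filter and then
    // fails the lookup with the exception callers are written to handle.
    static void loadClass(String name, Predicate<String> filter) throws ClassNotFoundException {
        filter.test(name);                  // delegation decision; result unused here
        throw new ClassNotFoundException(name);
    }

    static String outcome(String name, Predicate<String> filter) {
        try {
            loadClass(name, filter);
            return "loaded";
        } catch (ClassNotFoundException e) {
            return "ClassNotFoundException";
        } catch (RuntimeException e) {
            return e.getClass().getSimpleName() + " (unexpected)";
        }
    }

    public static void main(String[] args) {
        // The top-level names the comment says Mozilla Rhino probes.
        String[] probes = {"java", "javax", "org", "com", "edu", "net"};
        for (String name : probes) {
            System.out.printf("%-6s unchecked=%s | checked=%s%n", name,
                    outcome(name, PrefixFilterDemo::filterUnchecked),
                    outcome(name, PrefixFilterDemo::filterChecked));
        }
    }
}
```

Only the bare names "javax" and "org" take the unexpected path in the unchecked variant; every other probe, and every probe in the checked variant, ends in ClassNotFoundException.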