Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/03/29 19:49:56 UTC
DO NOT REPLY [Bug 15795] -
Request with mailformed URL causes NullPointerException
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15795
------- Additional Comments From bolandb@attbi.com 2003-03-29 18:49 -------
I received this on 4.1.24 as well.
The problem comes from the fact that getRelativePath(), called in
serveResource(), returns null (as it should) to indicate that the path is not
valid, since it attempts to go outside the "boundaries of the current context"
as documented in the normalize() method. But the return value is not examined,
and no exceptional course is taken, before it is passed to the constructor of
the ResourceInfo.
Since these "invalid" URL paths are sourced from viruses or hackers, I would
think Tomcat should respond by logging these and not by throwing a
NullPointerException.
Here's my log with some additional debugging turned on:
2003-03-29 08:39:01 StandardHost[localhost]: Mapping request URI '/scripts/../../winnt/system32/cmd.exe'
2003-03-29 08:39:01 StandardHost[localhost]: Trying the longest context path prefix
2003-03-29 08:39:01 StandardHost[localhost]: Mapped to context ''
2003-03-29 08:39:01 default: DefaultServlet.serveResource: Serving resource 'null' headers and data
2003-03-29 08:39:01 StandardWrapperValve[default]: Servlet.service() for servlet default threw exception
java.lang.NullPointerException
    at java.io.File.<init>(File.java:258)
    at org.apache.naming.resources.FileDirContext.file(FileDirContext.java:880)
    at org.apache.naming.resources.FileDirContext.getAttributes(FileDirContext.java:487)
    at org.apache.naming.resources.BaseDirContext.getAttributes(BaseDirContext.java:797)
    at org.apache.naming.resources.ProxyDirContext.cacheLoad(ProxyDirContext.java:1491)
    at org.apache.naming.resources.ProxyDirContext.cacheLookup(ProxyDirContext.java:1412)
    at org.apache.naming.resources.ProxyDirContext.lookup(ProxyDirContext.java:300)
    at org.apache.catalina.servlets.DefaultServlet$ResourceInfo.set(DefaultServlet.java:2267)
    at org.apache.catalina.servlets.DefaultServlet$ResourceInfo.<init>(DefaultServlet.java:2219)
    at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:921)
    at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:506)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:594)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:392)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:565)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
    at java.lang.Thread.run(Thread.java:479)
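The missing null check described in the comment above, as an added example that is not Tomcat's code and not part of the original message. The class TraversalGuard, the simplified normalize(), the serve() and forLog() helpers and the choice of a 400 response are assumptions made for illustration; the request URI is the one from the log.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class TraversalGuard {

    /** Resolves "." and ".." segments; returns null when the path climbs above the context root. */
    static String normalize(String path) {
        if (path == null) return null;
        String p = path.replace('\\', '/');
        if (!p.startsWith("/")) p = "/" + p;
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : p.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (segments.isEmpty()) return null; // would leave the context root
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    /** Strips CR/LF so a hostile request path cannot forge extra log lines. */
    static String forLog(String raw) {
        return raw == null ? "null" : raw.replaceAll("[\\r\\n]", "_");
    }

    /** Returns the HTTP status to send; the null result is examined before any resource lookup. */
    static int serve(String requestPath) {
        String path = normalize(requestPath);
        if (path == null) {
            // Log and reject instead of handing null to the resource layer (the NPE in the trace).
            System.err.println("Rejected path outside context: " + forLog(requestPath));
            return 400; // assumed status; the page does not say which one to use
        }
        // A real servlet would look up 'path' in the context's resources here.
        return 200;
    }

    public static void main(String[] args) {
        // First entry is the URI from the log above; the others are constructed samples.
        String[] samples = { "/scripts/../../winnt/system32/cmd.exe",
                             "/scripts/../index.html", "/docs/./a/../b.html" };
        for (String s : samples) {
            System.out.println(s + " -> " + normalize(s) + " -> " + serve(s));
        }
    }
}
```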