You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by kitagawa <ki...@gmail.com> on 2012/01/16 03:11:00 UTC
POST data (single character) cleared when using tomcat 6.0.33 and
Character Encoding Filter
Hi, I'm new to this but please direct me if I'm posting to the wrong list.
While developing using ubuntu 11.04, tomcat 6.0.33 and java 1.5 I ran
into a problem after setting the character encoding filter for
requests.
When posting a request, the value of any field with only a single
character submitted is cleared.
I also tested this issue with:
tomcat 6.0.32 and java 1.5 (no problem)
tomcat 6.0.35 and java 1.5 (same error occured)
tomcat 6.0.33 and java 1.6 (no problem)
tomcat 6.0.35 and java 1.6 (no problem)
This can be repeated using the RequestParamExample that comes with tomcat.
1. uncomment the "Set Character Encoding" line in
apache-tomcat-6.0.33\webapps\examples\WEB-INF\web.xml (lines 88 and
93)
2. start tomcat
3. go to http://localhost:8080/examples/servlets/servlet/RequestParamExample
and enter a single character into the first or last name fields then
post.
The entered value does not show up. Instead, the value shows up blank.
If I enter two characters they appear correctly.
I searched online for a solution but only came up with the following
from tomcat bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=51773
Does anyone know a solution to this problem?
thank you
--
Naoki Kitagawa
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: POST data (single character) cleared when using tomcat 6.0.33 and
Character Encoding Filter
Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/2/2 Mark Thomas <ma...@apache.org>:
> On 02/02/2012 11:25, Konstantin Kolinko wrote:
>> cc: dev
>>
>> 2012/1/23 kitagawa <ki...@gmail.com>:
>>>>
>>>> While developing using ubuntu 11.04, tomcat 6.0.33 and java 1.5 I ran
>>>> into a problem after setting the character encoding filter for
>>>> requests.
>>>> When posting a request, the value of any field with only a single
>>>> character submitted is cleared.
>>>>
>>>> I also tested this issue with:
>>>> tomcat 6.0.32 and java 1.5 (no problem)
>>>> tomcat 6.0.35 and java 1.5 (same error occured)
>>>> tomcat 6.0.33 and java 1.6 (no problem)
>>>> tomcat 6.0.35 and java 1.6 (no problem)
>>>>
>>>>
>>>> This can be repeated using the RequestParamExample that comes with tomcat.
>>>>
>>>> 1. uncomment the "Set Character Encoding" line in
>>>> apache-tomcat-6.0.33\webapps\examples\WEB-INF\web.xml (lines 88 and
>>>> 93)
>>>> 2. start tomcat
>>>> 3. go to http://localhost:8080/examples/servlets/servlet/RequestParamExample
>>>> and enter a single character into the first or last name fields then
>>>> post.
>>>>
>>>> The entered value does not show up. Instead, the value shows up blank.
>>>> If I enter two characters they appear correctly.
>>>>
>>
>>>
>>> I researched it some more and found a bug in Java 1.5 in
>>> java.nio.charset.Charset.decode() that might be the cause.
>>> A ticket was submitted regarding a similar problem to sun in 2004
>>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6196991
>>> (patched in Java 1.6)
>>>
>>> Tomcat 6.0.33 r1140904 the
>>> /tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/buf/ByteChunk.java
>>> class was changed to use java.nio.charset.Charset.decode().
>>> This is probably why there was no problem before in version 6.0.32.
>>>
>>
>> FYI: The same issue reported against 5.5.35:
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=52579
>>
>> Thank you for your research. I think you are right. Though I am not
>> sure how much this can be fixed in Tomcat now.
>>
>> 1. r1140904 [1] in 6.0.33 is a fix for issue 51400.
>> Reverting it will reintroduce the issue.
>>
>> 2. The recent code that uses Charset in 5.5.35 and 6.0.35 is part of
>> fix for CVE-2012-0022 [2]
>> So a different implementation might be needed.
>>
>> [1] http://svn.apache.org/viewvc?view=revision&revision=1140904
>> [2] http://tomcat.apache.org/security.html
>>
>> The good news are that it does not affect UTF-8, so using that
>> encoding may be a workaround.
>
> This only affects those using Java 5. It is resolved in the latest Java
> 6. Anyone using Java 5 will be in one of two positions:
and Java 1.4 as my test in BZ 52579 shows
> a) unsupported therefore they should upgrade to the latest Java 6 where
> this is fixed
>
> b) supported by Oracle in which case they can raise a bug with Oracle.
>
> Either way, I am leaning towards WONTFIX.
>
I also lean to WONTFIX.
Maybe this also should be mentioned on security pages,
because blindly applying the CVE-2012-0022 patches listed there to
older versions of 5.5 and 6.0 will introduce the issue.
Trivial note: Tomcat 7 is unaffected, because it requires minimum of Java 6.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: POST data (single character) cleared when using tomcat 6.0.33
and Character Encoding Filter
Posted by Mark Thomas <ma...@apache.org>.
On 02/02/2012 11:25, Konstantin Kolinko wrote:
> cc: dev
>
> 2012/1/23 kitagawa <ki...@gmail.com>:
>>>
>>> While developing using ubuntu 11.04, tomcat 6.0.33 and java 1.5 I ran
>>> into a problem after setting the character encoding filter for
>>> requests.
>>> When posting a request, the value of any field with only a single
>>> character submitted is cleared.
>>>
>>> I also tested this issue with:
>>> tomcat 6.0.32 and java 1.5 (no problem)
>>> tomcat 6.0.35 and java 1.5 (same error occured)
>>> tomcat 6.0.33 and java 1.6 (no problem)
>>> tomcat 6.0.35 and java 1.6 (no problem)
>>>
>>>
>>> This can be repeated using the RequestParamExample that comes with tomcat.
>>>
>>> 1. uncomment the "Set Character Encoding" line in
>>> apache-tomcat-6.0.33\webapps\examples\WEB-INF\web.xml (lines 88 and
>>> 93)
>>> 2. start tomcat
>>> 3. go to http://localhost:8080/examples/servlets/servlet/RequestParamExample
>>> and enter a single character into the first or last name fields then
>>> post.
>>>
>>> The entered value does not show up. Instead, the value shows up blank.
>>> If I enter two characters they appear correctly.
>>>
>
>>
>> I researched it some more and found a bug in Java 1.5 in
>> java.nio.charset.Charset.decode() that might be the cause.
>> A ticket was submitted regarding a similar problem to sun in 2004
>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6196991
>> (patched in Java 1.6)
>>
>> Tomcat 6.0.33 r1140904 the
>> /tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/buf/ByteChunk.java
>> class was changed to use java.nio.charset.Charset.decode().
>> This is probably why there was no problem before in version 6.0.32.
>>
>
> FYI: The same issue reported against 5.5.35:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=52579
>
> Thank you for your research. I think you are right. Though I am not
> sure how much this can be fixed in Tomcat now.
>
> 1. r1140904 [1] in 6.0.33 is a fix for issue 51400.
> Reverting it will reintroduce the issue.
>
> 2. The recent code that uses Charset in 5.5.35 and 6.0.35 is part of
> fix for CVE-2012-0022 [2]
> So a different implementation might be needed.
>
> [1] http://svn.apache.org/viewvc?view=revision&revision=1140904
> [2] http://tomcat.apache.org/security.html
>
> The good news are that it does not affect UTF-8, so using that
> encoding may be a workaround.
This only affects those using Java 5. It is resolved in the latest Java
6. Anyone using Java 5 will be in one of two positions:
a) unsupported therefore they should upgrade to the latest Java 6 where
this is fixed
b) supported by Oracle in which case they can raise a bug with Oracle.
Either way, I am leaning towards WONTFIX.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: POST data (single character) cleared when using tomcat 6.0.33 and
Character Encoding Filter
Posted by kitagawa <ki...@gmail.com>.
> FYI: The same issue reported against 5.5.35:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=52579
>
> Thank you for your research. I think you are right. Though I am not
> sure how much this can be fixed in Tomcat now.
Thank you for your responses.
We were able to find the reason for the problem.
It would be great if the bug can be patched from the Tomcat side, but
until that time I will try something to solve the problem.
Thank you for your help,
--
Naoki Kitagawa
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: POST data (single character) cleared when using tomcat 6.0.33 and
Character Encoding Filter
Posted by Konstantin Kolinko <kn...@gmail.com>.
cc: dev
2012/1/23 kitagawa <ki...@gmail.com>:
>>
>> While developing using ubuntu 11.04, tomcat 6.0.33 and java 1.5 I ran
>> into a problem after setting the character encoding filter for
>> requests.
>> When posting a request, the value of any field with only a single
>> character submitted is cleared.
>>
>> I also tested this issue with:
>> tomcat 6.0.32 and java 1.5 (no problem)
>> tomcat 6.0.35 and java 1.5 (same error occured)
>> tomcat 6.0.33 and java 1.6 (no problem)
>> tomcat 6.0.35 and java 1.6 (no problem)
>>
>>
>> This can be repeated using the RequestParamExample that comes with tomcat.
>>
>> 1. uncomment the "Set Character Encoding" line in
>> apache-tomcat-6.0.33\webapps\examples\WEB-INF\web.xml (lines 88 and
>> 93)
>> 2. start tomcat
>> 3. go to http://localhost:8080/examples/servlets/servlet/RequestParamExample
>> and enter a single character into the first or last name fields then
>> post.
>>
>> The entered value does not show up. Instead, the value shows up blank.
>> If I enter two characters they appear correctly.
>>
>
> I researched it some more and found a bug in Java 1.5 in
> java.nio.charset.Charset.decode() that might be the cause.
> A ticket was submitted regarding a similar problem to sun in 2004
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6196991
> (patched in Java 1.6)
>
> Tomcat 6.0.33 r1140904 the
> /tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/buf/ByteChunk.java
> class was changed to use java.nio.charset.Charset.decode().
> This is probably why there was no problem before in version 6.0.32.
>
FYI: The same issue reported against 5.5.35:
https://issues.apache.org/bugzilla/show_bug.cgi?id=52579
Thank you for your research. I think you are right. Though I am not
sure how much this can be fixed in Tomcat now.
1. r1140904 [1] in 6.0.33 is a fix for issue 51400.
Reverting it will reintroduce the issue.
2. The recent code that uses Charset in 5.5.35 and 6.0.35 is part of
fix for CVE-2012-0022 [2]
So a different implementation might be needed.
[1] http://svn.apache.org/viewvc?view=revision&revision=1140904
[2] http://tomcat.apache.org/security.html
The good news are that it does not affect UTF-8, so using that
encoding may be a workaround.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: POST data (single character) cleared when using tomcat 6.0.33 and
Character Encoding Filter
Posted by Konstantin Kolinko <kn...@gmail.com>.
cc: dev
2012/1/23 kitagawa <ki...@gmail.com>:
>>
>> While developing using ubuntu 11.04, tomcat 6.0.33 and java 1.5 I ran
>> into a problem after setting the character encoding filter for
>> requests.
>> When posting a request, the value of any field with only a single
>> character submitted is cleared.
>>
>> I also tested this issue with:
>> tomcat 6.0.32 and java 1.5 (no problem)
>> tomcat 6.0.35 and java 1.5 (same error occured)
>> tomcat 6.0.33 and java 1.6 (no problem)
>> tomcat 6.0.35 and java 1.6 (no problem)
>>
>>
>> This can be repeated using the RequestParamExample that comes with tomcat.
>>
>> 1. uncomment the "Set Character Encoding" line in
>> apache-tomcat-6.0.33\webapps\examples\WEB-INF\web.xml (lines 88 and
>> 93)
>> 2. start tomcat
>> 3. go to http://localhost:8080/examples/servlets/servlet/RequestParamExample
>> and enter a single character into the first or last name fields then
>> post.
>>
>> The entered value does not show up. Instead, the value shows up blank.
>> If I enter two characters they appear correctly.
>>
>
> I researched it some more and found a bug in Java 1.5 in
> java.nio.charset.Charset.decode() that might be the cause.
> A ticket was submitted regarding a similar problem to sun in 2004
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6196991
> (patched in Java 1.6)
>
> Tomcat 6.0.33 r1140904 the
> /tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/buf/ByteChunk.java
> class was changed to use java.nio.charset.Charset.decode().
> This is probably why there was no problem before in version 6.0.32.
>
FYI: The same issue reported against 5.5.35:
https://issues.apache.org/bugzilla/show_bug.cgi?id=52579
Thank you for your research. I think you are right. Though I am not
sure how much this can be fixed in Tomcat now.
1. r1140904 [1] in 6.0.33 is a fix for issue 51400.
Reverting it will reintroduce the issue.
2. The recent code that uses Charset in 5.5.35 and 6.0.35 is part of
fix for CVE-2012-0022 [2]
So a different implementation might be needed.
[1] http://svn.apache.org/viewvc?view=revision&revision=1140904
[2] http://tomcat.apache.org/security.html
The good news are that it does not affect UTF-8, so using that
encoding may be a workaround.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: POST data (single character) cleared when using tomcat 6.0.33 and
Character Encoding Filter
Posted by kitagawa <ki...@gmail.com>.
Thank you for your response
I read the FAQ and wasn't able to find a solution to the problem.
I researched it some more and found a bug in Java 1.5 in
java.nio.charset.Charset.decode() that might be the cause.
A ticket was submitted regarding a similar problem to sun in 2004
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6196991
(patched in Java 1.6)
Tomcat 6.0.33 r1140904 the
/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/buf/ByteChunk.java
class was changed to use java.nio.charset.Charset.decode().
This is probably why there was no problem before in version 6.0.32.
Best regards,
--
Naoki Kitagawa
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: POST data (single character) cleared when using tomcat 6.0.33 and
Character Encoding Filter
Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/1/16 kitagawa <ki...@gmail.com>:
> Hi, I'm new to this but please direct me if I'm posting to the wrong list.
>
> While developing using ubuntu 11.04, tomcat 6.0.33 and java 1.5 I ran
> into a problem after setting the character encoding filter for
> requests.
> When posting a request, the value of any field with only a single
> character submitted is cleared.
>
> I also tested this issue with:
> tomcat 6.0.32 and java 1.5 (no problem)
> tomcat 6.0.35 and java 1.5 (same error occured)
> tomcat 6.0.33 and java 1.6 (no problem)
> tomcat 6.0.35 and java 1.6 (no problem)
>
>
> This can be repeated using the RequestParamExample that comes with tomcat.
>
> 1. uncomment the "Set Character Encoding" line in
> apache-tomcat-6.0.33\webapps\examples\WEB-INF\web.xml (lines 88 and
> 93)
> 2. start tomcat
> 3. go to http://localhost:8080/examples/servlets/servlet/RequestParamExample
> and enter a single character into the first or last name fields then
> post.
>
> The entered value does not show up. Instead, the value shows up blank.
> If I enter two characters they appear correctly.
>
> I searched online for a solution but only came up with the following
> from tomcat bugzilla
> https://issues.apache.org/bugzilla/show_bug.cgi?id=51773
>
> Does anyone know a solution to this problem?
It is in the FAQ:
http://wiki.apache.org/tomcat/FAQ/CharacterEncoding
In short: enabling the filter makes Tomcat expect that the data (sent
by web browser) use certain character encoding.
But the web browser does not know that you configured the filter. See
FAQ for how to do it properly.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org