Posted to dev@tomcat.apache.org by re...@apache.org on 2016/05/20 15:51:07 UTC
svn commit: r1744760 - in /tomcat/trunk:
java/org/apache/tomcat/util/scan/StandardJarScanner.java
webapps/docs/changelog.xml
Author: remm
Date: Fri May 20 15:51:07 2016
New Revision: 1744760
URL: http://svn.apache.org/viewvc?rev=1744760&view=rev
Log:
59608: A lot of URL based errors can occur while processing a JAR manifest classpath, so consistently ignore and log as debug all of them.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java?rev=1744760&r1=1744759&r2=1744760&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java Fri May 20 15:51:07 2016
@@ -20,7 +20,6 @@ import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
-import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Arrays;
@@ -383,27 +382,27 @@ public class StandardJarScanner implemen
continue;
}
URL jarURL = jar.getJarFileURL();
- URI jarURI;
+ URL classPathEntryURL;
try {
- jarURI = jarURL.toURI();
- } catch (URISyntaxException e) {
+ URI jarURI = jarURL.toURI();
+ /*
+ * Note: Resolving the relative URLs from the manifest has the
+ * potential to introduce security concerns. However, since
+ * only JARs provided by the container and NOT those provided
+ * by web applications are processed, there should be no
+ * issues.
+ * If this feature is ever extended to include JARs provided
+ * by web applications, checks should be added to ensure that
+ * any relative URL does not step outside the web application.
+ */
+ URI classPathEntryURI = jarURI.resolve(classPathEntry);
+ classPathEntryURL = classPathEntryURI.toURL();
+ } catch (Exception e) {
if (log.isDebugEnabled()) {
- log.debug(sm.getString("jarScan.invalidUri", jarURL));
+ log.debug(sm.getString("jarScan.invalidUri", jarURL), e);
}
continue;
}
- /*
- * Note: Resolving the relative URLs from the manifest has the
- * potential to introduce security concerns. However, since
- * only JARs provided by the container and NOT those provided
- * by web applications are processed, there should be no
- * issues.
- * If this feature is ever extended to include JARs provided
- * by web applications, checks should be added to ensure that
- * any relative URL does not step outside the web application.
- */
- URI classPathEntryURI = jarURI.resolve(classPathEntry);
- URL classPathEntryURL = classPathEntryURI.toURL();
classPathUrlsToProcess.add(classPathEntryURL);
}
}
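Review bot: The debug message in the new `catch (Exception e)` block still passes only `jarURL`, so when the failure comes from `jarURI.resolve(classPathEntry)` or `classPathEntryURI.toURL()` the log does not name the manifest entry that was skipped. Passing the entry as well, `log.debug(sm.getString("jarScan.invalidUri", jarURL, classPathEntry), e);`, would identify it, assuming the `jarScan.invalidUri` message (not visible here) is given a second placeholder. Separately, `catch (Exception e)` also swallows unrelated runtime errors at debug level. The three calls in the try block throw `URISyntaxException`, `IllegalArgumentException` and `MalformedURLException`, so `catch (URISyntaxException | MalformedURLException | IllegalArgumentException e)` would keep the skip-and-log behaviour for bad entries while letting anything else surface; that would mean keeping the `java.net.URISyntaxException` import removed in the first hunk. The enclosing loop starts outside this hunk, so whether `classPathEntry` can be null or empty at this point is not visible.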
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1744760&r1=1744759&r2=1744760&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri May 20 15:51:07 2016
@@ -66,6 +66,11 @@
rather than known memory leaks. It had been disabled by default with no
increase in the reports of memory leaks for some time. (markt)
</scode>
+ <fix>
+ <bug>59608</bug>: Skip over any invalid <code>Class-Path</code> attribute
+ from JAR manifests. Log errors at debug level due to many bad libraries.
+ (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">