geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "xiezhi (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (GERONIMO-6534) A potential coding flaw makes scan jar fail without any error or exception
Date Wed, 24 Dec 2014 08:05:13 GMT

     [ https://issues.apache.org/jira/browse/GERONIMO-6534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

xiezhi updated GERONIMO-6534:
-----------------------------
    Description: 
The method ScanJar and ScanJars are from GeronimoTldLocationsCache.java. I think it has not
been well thought over. The error or exception which raised in scanning entry files should
not be past. I actually met a problem when failed to get uri from a tld file because of some
validation reason. There is no exception or any other error message. It took a lot of time
to find the root cause in debug model.
I think it is not a good practice to ignore the exceptions here.

    /**
     * Scans the given JarURLConnection for TLD files located in META-INF
     * (or a subdirectory of it), adding an implicit map entry to the taglib
     * map for any TLD that has a <uri> element.
     *
     * @param conn The JarURLConnection to the JAR file to scan
     * @param ignore true if any exceptions raised when processing the given
     * JAR should be ignored, false otherwise
     */
    private void scanJar(JarURLConnection conn, boolean ignore)
                throws JasperException {

        JarFile jarFile = null;
        String resourcePath = conn.getJarFileURL().toString();
        try {
            if (redeployMode) {
                conn.setUseCaches(false);
            }
            jarFile = conn.getJarFile();
            Enumeration entries = jarFile.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = (JarEntry) entries.nextElement();
                String name = entry.getName();
                if (!name.startsWith("META-INF/")) continue;
                if (!name.endsWith(".tld")) continue;
                InputStream stream = jarFile.getInputStream(entry);
                try {
                    String uri = getUriFromTld(resourcePath, stream);
                    // Add implicit map entry only if its uri is not already
                    // present in the map
                    if (uri != null && mappings.get(uri) == null) {
                        mappings.put(uri, new String[]{ resourcePath, name });
                    }
                } finally {
                    if (stream != null) {
                        try {
                            stream.close();
                        } catch (Throwable t) {
                            // do nothing
                        }
                    }
                }
            }
        } catch (Exception ex) {
            if (!redeployMode) {
                // if not in redeploy mode, close the jar in case of an error
                if (jarFile != null) {
                    try {
                        jarFile.close();
                    } catch (Throwable t) {
                        // ignore
                    }
                }
            }
            if (!ignore) {
                throw new JasperException(ex);
            }
        } finally {
            if (redeployMode) {
                // if in redeploy mode, always close the jar
                if (jarFile != null) {
                    try {
                        jarFile.close();
                    } catch (Throwable t) {
                        // ignore
                    }
                }
            }
        }
    }
	
------------------------------------------------------------------------------------------

	    /*
     * Scans all JARs accessible to the webapp's classloader and its
     * parent classloaders for TLDs.
     * 
     * The list of JARs always includes the JARs under WEB-INF/lib, as well as
     * all shared JARs in the classloader delegation chain of the webapp's
     * classloader.
     *
     * Considering JARs in the classloader delegation chain constitutes a
     * Tomcat-specific extension to the TLD search
     * order defined in the JSP spec. It allows tag libraries packaged as JAR
     * files to be shared by web applications by simply dropping them in a 
     * location that all web applications have access to (e.g.,
     * <CATALINA_HOME>/common/lib).
     *
     * The set of shared JARs to be scanned for TLDs is narrowed down by
     * the <tt>noTldJars</tt> class variable, which contains the names of JARs
     * that are known not to contain any TLDs.
     */
    private void scanJars() throws Exception {

        ClassLoader webappLoader
            = Thread.currentThread().getContextClassLoader();
        ClassLoader loader = webappLoader;

        while (loader != null) {
            if (loader instanceof URLClassLoader) {
                URL[] urls = ((URLClassLoader) loader).getURLs();
                for (int i=0; i<urls.length; i++) {
                    URLConnection conn = urls[i].openConnection();
                    if (conn instanceof JarURLConnection) {
                        if (needScanJar(loader, webappLoader,
                                        ((JarURLConnection) conn).getJarFile().getName()))
{
                            scanJar((JarURLConnection) conn, true);
                        }
                    } else {
                        String urlStr = urls[i].toString();
                        if (urlStr.startsWith(FILE_PROTOCOL)
                                && urlStr.endsWith(JAR_FILE_SUFFIX)
                                && needScanJar(loader, webappLoader, urlStr)) {
                            URL jarURL = new URL("jar:" + urlStr + "!/");
                            scanJar((JarURLConnection) jarURL.openConnection(),
                                    true);
                        }
                    }
                }
            }

            loader = loader.getParent();
        }
    }

  was:
The method ScanJar and ScanJars are from GeronimoTldLocationsCache.java. I think it has not
been well thought out. The error or exception which raised in scanning entry files should
not be past. I actually met a problem when failed to get uri from a tld file because of some
validation reason. There is no exception or any other error message. It took a lot of time
to find the root cause in debug model.
I think it is not a good practice to ignore the exceptions here.

    /**
     * Scans the given JarURLConnection for TLD files located in META-INF
     * (or a subdirectory of it), adding an implicit map entry to the taglib
     * map for any TLD that has a <uri> element.
     *
     * @param conn The JarURLConnection to the JAR file to scan
     * @param ignore true if any exceptions raised when processing the given
     * JAR should be ignored, false otherwise
     */
    private void scanJar(JarURLConnection conn, boolean ignore)
                throws JasperException {

        JarFile jarFile = null;
        String resourcePath = conn.getJarFileURL().toString();
        try {
            if (redeployMode) {
                conn.setUseCaches(false);
            }
            jarFile = conn.getJarFile();
            Enumeration entries = jarFile.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = (JarEntry) entries.nextElement();
                String name = entry.getName();
                if (!name.startsWith("META-INF/")) continue;
                if (!name.endsWith(".tld")) continue;
                InputStream stream = jarFile.getInputStream(entry);
                try {
                    String uri = getUriFromTld(resourcePath, stream);
                    // Add implicit map entry only if its uri is not already
                    // present in the map
                    if (uri != null && mappings.get(uri) == null) {
                        mappings.put(uri, new String[]{ resourcePath, name });
                    }
                } finally {
                    if (stream != null) {
                        try {
                            stream.close();
                        } catch (Throwable t) {
                            // do nothing
                        }
                    }
                }
            }
        } catch (Exception ex) {
            if (!redeployMode) {
                // if not in redeploy mode, close the jar in case of an error
                if (jarFile != null) {
                    try {
                        jarFile.close();
                    } catch (Throwable t) {
                        // ignore
                    }
                }
            }
            if (!ignore) {
                throw new JasperException(ex);
            }
        } finally {
            if (redeployMode) {
                // if in redeploy mode, always close the jar
                if (jarFile != null) {
                    try {
                        jarFile.close();
                    } catch (Throwable t) {
                        // ignore
                    }
                }
            }
        }
    }
	
------------------------------------------------------------------------------------------

	    /*
     * Scans all JARs accessible to the webapp's classloader and its
     * parent classloaders for TLDs.
     * 
     * The list of JARs always includes the JARs under WEB-INF/lib, as well as
     * all shared JARs in the classloader delegation chain of the webapp's
     * classloader.
     *
     * Considering JARs in the classloader delegation chain constitutes a
     * Tomcat-specific extension to the TLD search
     * order defined in the JSP spec. It allows tag libraries packaged as JAR
     * files to be shared by web applications by simply dropping them in a 
     * location that all web applications have access to (e.g.,
     * <CATALINA_HOME>/common/lib).
     *
     * The set of shared JARs to be scanned for TLDs is narrowed down by
     * the <tt>noTldJars</tt> class variable, which contains the names of JARs
     * that are known not to contain any TLDs.
     */
    private void scanJars() throws Exception {

        ClassLoader webappLoader
            = Thread.currentThread().getContextClassLoader();
        ClassLoader loader = webappLoader;

        while (loader != null) {
            if (loader instanceof URLClassLoader) {
                URL[] urls = ((URLClassLoader) loader).getURLs();
                for (int i=0; i<urls.length; i++) {
                    URLConnection conn = urls[i].openConnection();
                    if (conn instanceof JarURLConnection) {
                        if (needScanJar(loader, webappLoader,
                                        ((JarURLConnection) conn).getJarFile().getName()))
{
                            scanJar((JarURLConnection) conn, true);
                        }
                    } else {
                        String urlStr = urls[i].toString();
                        if (urlStr.startsWith(FILE_PROTOCOL)
                                && urlStr.endsWith(JAR_FILE_SUFFIX)
                                && needScanJar(loader, webappLoader, urlStr)) {
                            URL jarURL = new URL("jar:" + urlStr + "!/");
                            scanJar((JarURLConnection) jarURL.openConnection(),
                                    true);
                        }
                    }
                }
            }

            loader = loader.getParent();
        }
    }


> A potential coding flaw makes scan jar fail without any error or exception
> --------------------------------------------------------------------------
>
>                 Key: GERONIMO-6534
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-6534
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues) 
>          Components: Tomcat
>    Affects Versions: 2.1.8, 2.2.1
>            Reporter: xiezhi
>            Priority: Minor
>         Attachments: GERONIMO-6534.patch
>
>
> The method ScanJar and ScanJars are from GeronimoTldLocationsCache.java. I think it has
not been well thought over. The error or exception which raised in scanning entry files should
not be past. I actually met a problem when failed to get uri from a tld file because of some
validation reason. There is no exception or any other error message. It took a lot of time
to find the root cause in debug model.
> I think it is not a good practice to ignore the exceptions here.
>     /**
>      * Scans the given JarURLConnection for TLD files located in META-INF
>      * (or a subdirectory of it), adding an implicit map entry to the taglib
>      * map for any TLD that has a <uri> element.
>      *
>      * @param conn The JarURLConnection to the JAR file to scan
>      * @param ignore true if any exceptions raised when processing the given
>      * JAR should be ignored, false otherwise
>      */
>     private void scanJar(JarURLConnection conn, boolean ignore)
>                 throws JasperException {
>         JarFile jarFile = null;
>         String resourcePath = conn.getJarFileURL().toString();
>         try {
>             if (redeployMode) {
>                 conn.setUseCaches(false);
>             }
>             jarFile = conn.getJarFile();
>             Enumeration entries = jarFile.entries();
>             while (entries.hasMoreElements()) {
>                 JarEntry entry = (JarEntry) entries.nextElement();
>                 String name = entry.getName();
>                 if (!name.startsWith("META-INF/")) continue;
>                 if (!name.endsWith(".tld")) continue;
>                 InputStream stream = jarFile.getInputStream(entry);
>                 try {
>                     String uri = getUriFromTld(resourcePath, stream);
>                     // Add implicit map entry only if its uri is not already
>                     // present in the map
>                     if (uri != null && mappings.get(uri) == null) {
>                         mappings.put(uri, new String[]{ resourcePath, name });
>                     }
>                 } finally {
>                     if (stream != null) {
>                         try {
>                             stream.close();
>                         } catch (Throwable t) {
>                             // do nothing
>                         }
>                     }
>                 }
>             }
>         } catch (Exception ex) {
>             if (!redeployMode) {
>                 // if not in redeploy mode, close the jar in case of an error
>                 if (jarFile != null) {
>                     try {
>                         jarFile.close();
>                     } catch (Throwable t) {
>                         // ignore
>                     }
>                 }
>             }
>             if (!ignore) {
>                 throw new JasperException(ex);
>             }
>         } finally {
>             if (redeployMode) {
>                 // if in redeploy mode, always close the jar
>                 if (jarFile != null) {
>                     try {
>                         jarFile.close();
>                     } catch (Throwable t) {
>                         // ignore
>                     }
>                 }
>             }
>         }
>     }
> 	
> ------------------------------------------------------------------------------------------

> 	    /*
>      * Scans all JARs accessible to the webapp's classloader and its
>      * parent classloaders for TLDs.
>      * 
>      * The list of JARs always includes the JARs under WEB-INF/lib, as well as
>      * all shared JARs in the classloader delegation chain of the webapp's
>      * classloader.
>      *
>      * Considering JARs in the classloader delegation chain constitutes a
>      * Tomcat-specific extension to the TLD search
>      * order defined in the JSP spec. It allows tag libraries packaged as JAR
>      * files to be shared by web applications by simply dropping them in a 
>      * location that all web applications have access to (e.g.,
>      * <CATALINA_HOME>/common/lib).
>      *
>      * The set of shared JARs to be scanned for TLDs is narrowed down by
>      * the <tt>noTldJars</tt> class variable, which contains the names of
JARs
>      * that are known not to contain any TLDs.
>      */
>     private void scanJars() throws Exception {
>         ClassLoader webappLoader
>             = Thread.currentThread().getContextClassLoader();
>         ClassLoader loader = webappLoader;
>         while (loader != null) {
>             if (loader instanceof URLClassLoader) {
>                 URL[] urls = ((URLClassLoader) loader).getURLs();
>                 for (int i=0; i<urls.length; i++) {
>                     URLConnection conn = urls[i].openConnection();
>                     if (conn instanceof JarURLConnection) {
>                         if (needScanJar(loader, webappLoader,
>                                         ((JarURLConnection) conn).getJarFile().getName()))
{
>                             scanJar((JarURLConnection) conn, true);
>                         }
>                     } else {
>                         String urlStr = urls[i].toString();
>                         if (urlStr.startsWith(FILE_PROTOCOL)
>                                 && urlStr.endsWith(JAR_FILE_SUFFIX)
>                                 && needScanJar(loader, webappLoader, urlStr))
{
>                             URL jarURL = new URL("jar:" + urlStr + "!/");
>                             scanJar((JarURLConnection) jarURL.openConnection(),
>                                     true);
>                         }
>                     }
>                 }
>             }
>             loader = loader.getParent();
>         }
>     }



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message