tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: High CPU usage with Utf8Decoder in 8.5.23
Date Mon, 09 Apr 2018 13:20:06 GMT
Mark,

On 4/8/18 6:39 PM, Mark Thomas wrote:
> On 08/04/2018 21:29, Christopher Schultz wrote:
> 
> <snip/>
> 
>> Does Tomcat do its own UTF-8 decoding because the JVM doesn't have a
>> facility to convert from ByteBuffer to CharBuffer? That seems like
>> something the JVM really should be providing...
> 
> No. It does it because the JRE UTF-8 decoder is buggy. Some bugs were
> fixed in Java 8 and the rest in Java 9 so we need this decoder until
> Java 9 is the minimum.

Gotcha. Are there any known remaining bugs in the Java 9 implementation?
If not, should we go ahead and use the JVM-provided UTF-8 decoder when
we detect a suitable version of Java? Or is it simply not worth it?

Sadly, the OpenJDK license is GPL, so we can't simply use their code in
Tomcat. :(

> The issue is that incorrect decoding can lead to 'unexpected' behaviour
> when parsing URLs (read some form of security vulnerability).

Ack.

Thanks,
-chris
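
A strict-decoding check related to the point above about incorrect decoding, as an added example that is not part of the original message and is not Tomcat's code: it feeds constructed ill-formed UTF-8 byte sequences to the JDK's `CharsetDecoder` with `CodingErrorAction.REPORT` and reports whether the running JVM rejects each one. The class name, helper names and sample bytes are assumptions chosen for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

public class StrictUtf8Check {   // hypothetical class name
    // Decode strictly: malformed or unmappable input raises an exception
    // instead of being silently replaced with U+FFFD.
    static String decodeStrict(byte[] in) throws CharacterCodingException {
        CharsetDecoder d = StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
        return d.decode(ByteBuffer.wrap(in)).toString();
    }
    // True when the JVM's decoder refuses the byte sequence.
    static boolean rejected(byte[] in) {
        try {
            decodeStrict(in);
            return false;
        } catch (CharacterCodingException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples (not taken from the thread).
        byte[] valid = {'/', 'a', (byte) 0xC3, (byte) 0xA9};          // "/a" + U+00E9
        byte[][] illFormed = {
            {(byte) 0xC0, (byte) 0xAF},                           // overlong 2-byte form of '/'
            {(byte) 0xE0, (byte) 0x80, (byte) 0xAF},              // overlong 3-byte form of '/'
            {(byte) 0xED, (byte) 0xA0, (byte) 0x80},              // encoded surrogate U+D800
            {(byte) 0xE2, (byte) 0x82},                           // truncated 3-byte sequence
            {(byte) 0xF4, (byte) 0x90, (byte) 0x80, (byte) 0x80}, // beyond U+10FFFF
        };
        System.out.println("valid input decodes to: " + decodeStrict(valid));
        boolean allRejected = true;
        for (byte[] sample : illFormed) {
            boolean r = rejected(sample);
            allRejected &= r;
            System.out.printf("%-12s %s%n", hex(sample), r ? "rejected" : "ACCEPTED");
        }
        System.exit(allRejected ? 0 : 1);   // non-zero if any ill-formed input decoded
    }
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02X ", x));
        return sb.toString().trim();
    }
}
```

An `ACCEPTED` line means the decoder turned ill-formed bytes into characters, which is the kind of decoding difference that matters when a URL is validated before or after decoding.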
