tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: High CPU usage with Utf8Decoder in 8.5.23
Date Mon, 09 Apr 2018 13:20:06 GMT

On 4/8/18 6:39 PM, Mark Thomas wrote:
> On 08/04/2018 21:29, Christopher Schultz wrote:
> <snip/>
>> Does Tomcat do its own UTF-8 decoding because the JVM doesn't have a
>> facility to convert from ByteBuffer to CharBuffer? That seems like
>> something the JVM really should be providing...
> No. It does it because the JRE UTF-8 decoder is buggy. Some bugs were
> fixed in Java 8 and the rest in Java 9 so we need this decoder until
> Java 9 is the minimum.

Gotcha. Are there any known remaining bugs in the Java 9 implementation?
If not, should we go ahead and use the JVM-provided UTF-8 decoder when
we detect a suitable version of Java? Or is it simply not worth it?

Sadly, the OpenJDK license is GPL, so we can't simply use their code in
Tomcat. :(

> The issue is that incorrect decoding can lead to 'unexpected' behaviour
> when parsing URLs (read some form of security vulnerability).



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message