This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 40957c80ba Fix BZ 70049. Align webapp with parent class loader for
invalid paths
40957c80ba is described below
commit 40957c80ba92cb2487f1d4c60adcb1f8d3b41a54
Author: Mark Thomas <[email protected]>
AuthorDate: Tue May 26 20:40:08 2026 +0100
Fix BZ 70049. Align webapp with parent class loader for invalid paths
---
.../catalina/loader/WebappClassLoaderBase.java | 30 ++++++++--
.../catalina/loader/TestWebappClassLoader.java | 69 ++++++++++++++++++++++
webapps/docs/changelog.xml | 6 ++
3 files changed, 100 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
index b08512d9a6..257177f872 100644
--- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
@@ -823,7 +823,13 @@ public abstract class WebappClassLoaderBase extends
URLClassLoader
String path = nameToPath(name);
if (!notFoundClassResources.contains(path)) {
- WebResource resource = resources.getClassLoaderResource(path);
+ WebResource resource;
+ try {
+ resource = resources.getClassLoaderResource(path);
+ } catch (IllegalArgumentException iae) {
+ notFoundClassResources.add(path);
+ return null;
+ }
if (resource.exists()) {
url = resource.getURL();
trackLastModified(path, resource);
@@ -871,11 +877,18 @@ public abstract class WebappClassLoaderBase extends
URLClassLoader
checkStateForResourceLoading(name);
- LinkedHashSet<URL> result = new LinkedHashSet<>();
-
String path = nameToPath(name);
- WebResource[] webResources = resources.getClassLoaderResources(path);
+ WebResource[] webResources;
+ try {
+ webResources = resources.getClassLoaderResources(path);
+ } catch (IllegalArgumentException iae) {
+ // For consistency with super.findResources(String)
+ return Collections.emptyEnumeration();
+ }
+
+ LinkedHashSet<URL> result = new LinkedHashSet<>();
+
for (WebResource webResource : webResources) {
if (webResource.exists()) {
result.add(webResource.getURL());
@@ -1024,7 +1037,14 @@ public abstract class WebappClassLoaderBase extends
URLClassLoader
}
String path = nameToPath(name);
if (!notFoundClassResources.contains(path)) {
- WebResource resource = resources.getClassLoaderResource(path);
+ WebResource resource;
+ try {
+ resource = resources.getClassLoaderResource(path);
+ } catch (IllegalArgumentException iae) {
+ notFoundClassResources.add(path);
+ return null;
+ }
+
if (resource.exists()) {
stream = resource.getInputStream();
// Filter out .class resources through the ClassFileTranformer
diff --git a/test/org/apache/catalina/loader/TestWebappClassLoader.java
b/test/org/apache/catalina/loader/TestWebappClassLoader.java
index cfb638375c..2850f27b20 100644
--- a/test/org/apache/catalina/loader/TestWebappClassLoader.java
+++ b/test/org/apache/catalina/loader/TestWebappClassLoader.java
@@ -20,6 +20,7 @@ import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
+import java.util.Enumeration;
import org.junit.Assert;
import org.junit.Test;
@@ -175,4 +176,72 @@ public class TestWebappClassLoader extends TomcatBaseTest {
URL u1 = cl.getResource("");
Assert.assertNotNull(u1);
}
+
+
+ @Test
+ public void testFindResourceEmptyString() throws Exception {
+ Tomcat tomcat = getTomcatInstanceTestWebapp(false, true);
+
+ Context c = (Context) tomcat.getHost().findChildren()[0];
+ WebappClassLoaderBase cl = (WebappClassLoaderBase)
c.getLoader().getClassLoader();
+
+ URL u1 = cl.findResource("");
+ Assert.assertNotNull(u1);
+ }
+
+
+ @Test
+ public void testFindResourcesValid() throws Exception {
+ Tomcat tomcat = getTomcatInstanceTestWebapp(false, true);
+
+ Context c = (Context) tomcat.getHost().findChildren()[0];
+ WebappClassLoaderBase cl = (WebappClassLoaderBase)
c.getLoader().getClassLoader();
+
+ Enumeration<URL> urls = cl.findResources("org/apache/tomcat");
+ Assert.assertNotNull(urls);
+
+ Assert.assertTrue(urls.hasMoreElements());
+ }
+
+
+ @Test
+ public void testFindResourcesDoesNotExist() throws Exception {
+ Tomcat tomcat = getTomcatInstanceTestWebapp(false, true);
+
+ Context c = (Context) tomcat.getHost().findChildren()[0];
+ WebappClassLoaderBase cl = (WebappClassLoaderBase)
c.getLoader().getClassLoader();
+
+ Enumeration<URL> urls = cl.findResources("does/not/exist");
+ Assert.assertNotNull(urls);
+
+ Assert.assertFalse(urls.hasMoreElements());
+ }
+
+
+ @Test
+ public void testFindResourcesInvalid01() throws Exception {
+ Tomcat tomcat = getTomcatInstanceTestWebapp(false, true);
+
+ Context c = (Context) tomcat.getHost().findChildren()[0];
+ WebappClassLoaderBase cl = (WebappClassLoaderBase)
c.getLoader().getClassLoader();
+
+ Enumeration<URL> urls = cl.findResources("does/../../not/exist");
+ Assert.assertNotNull(urls);
+
+ Assert.assertFalse(urls.hasMoreElements());
+ }
+
+
+ @Test
+ public void testFindResourcesInvalid02() throws Exception {
+ Tomcat tomcat = getTomcatInstanceTestWebapp(false, true);
+
+ Context c = (Context) tomcat.getHost().findChildren()[0];
+ WebappClassLoaderBase cl = (WebappClassLoaderBase)
c.getLoader().getClassLoader();
+
+ Enumeration<URL> urls = cl.findResources("does/not/exist/\u0000");
+ Assert.assertNotNull(urls);
+
+ Assert.assertFalse(urls.hasMoreElements());
+ }
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 99cda3b9f7..b917d2bfa7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -203,6 +203,12 @@
group creation that it does not immediately override existing elements.
Removal (or update) needs to be used instead. (remm)
</update>
+ <fix>
+ <bug>70049</bug>: Align the web application class loader with parent
+ class loaders and swallow any errors caused by invalid paths when
+ looking up resources and behave as if the resources were not found in
+ that case. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
