This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 3617ad99d7 Fix BZ 70049. Align webapp with parent class loader for 
invalid paths
3617ad99d7 is described below

commit 3617ad99d745f45ea4b0cd3195fcbac5c87a495f
Author: Mark Thomas <[email protected]>
AuthorDate: Tue May 26 20:40:08 2026 +0100

    Fix BZ 70049. Align webapp with parent class loader for invalid paths
---
 .../catalina/loader/WebappClassLoaderBase.java     | 30 ++++++++--
 .../catalina/loader/TestWebappClassLoader.java     | 69 ++++++++++++++++++++++
 webapps/docs/changelog.xml                         |  6 ++
 3 files changed, 100 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/catalina/loader/WebappClassLoaderBase.java 
b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
index 24cab422fa..68b3b1ff2c 100644
--- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
@@ -963,7 +963,13 @@ public abstract class WebappClassLoaderBase extends 
URLClassLoader
         String path = nameToPath(name);
 
         if (!notFoundClassResources.contains(path)) {
-            WebResource resource = resources.getClassLoaderResource(path);
+            WebResource resource;
+            try {
+                resource = resources.getClassLoaderResource(path);
+            } catch (IllegalArgumentException iae) {
+                notFoundClassResources.add(path);
+                return null;
+            }
             if (resource.exists()) {
                 url = resource.getURL();
                 trackLastModified(path, resource);
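Review bot: The `return null` in the new catch makes the first lookup of an invalid name behave differently from every later one: the first call leaves the method at once, but the path is now in `notFoundClassResources`, so a repeat call skips this whole `if` block and runs whatever follows it. The method body continues outside the hunk, so that tail is not visible here; since the success path assigns to `url` rather than returning, there is presumably one (a fallback lookup or logging). To treat an invalid path exactly like a not-found one on every call, consider declaring `WebResource resource = null;`, dropping the `return null;`, and guarding with `if (resource != null && resource.exists()) {`. The same pattern appears in the third hunk of this file, the one that assigns `stream = resource.getInputStream()`.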
@@ -1011,11 +1017,18 @@ public abstract class WebappClassLoaderBase extends 
URLClassLoader
 
         checkStateForResourceLoading(name);
 
-        LinkedHashSet<URL> result = new LinkedHashSet<>();
-
         String path = nameToPath(name);
 
-        WebResource[] webResources = resources.getClassLoaderResources(path);
+        WebResource[] webResources;
+        try {
+            webResources = resources.getClassLoaderResources(path);
+        } catch (IllegalArgumentException iae) {
+            // For consistency with super.findResources(String)
+            return Collections.emptyEnumeration();
+        }
+
+        LinkedHashSet<URL> result = new LinkedHashSet<>();
+
         for (WebResource webResource : webResources) {
             if (webResource.exists()) {
                 result.add(webResource.getURL());
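Review bot: The catch in this hunk discards `iae` without any diagnostic, so a name rejected as invalid is indistinguishable from an ordinary miss; the catches in the first and third hunks do the same. Names of the kind the new tests use (`does/../../not/exist`, a trailing NUL) are what path-probing input looks like, and a debug-level message recording the rejected name would give operators something to correlate. Keep it at debug so hostile input cannot flood the log, and escape control characters before writing the name out. The early return also skips anything that follows the loop outside this hunk, which may be intended but is worth stating in the comment, e.g. `// Invalid path: report no resources, as super.findResources(String) would`.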
@@ -1164,7 +1177,14 @@ public abstract class WebappClassLoaderBase extends 
URLClassLoader
         }
         String path = nameToPath(name);
         if (!notFoundClassResources.contains(path)) {
-            WebResource resource = resources.getClassLoaderResource(path);
+            WebResource resource;
+            try {
+                resource = resources.getClassLoaderResource(path);
+            } catch (IllegalArgumentException iae) {
+                notFoundClassResources.add(path);
+                return null;
+            }
+
             if (resource.exists()) {
                 stream = resource.getInputStream();
                 trackLastModified(path, resource);
diff --git a/test/org/apache/catalina/loader/TestWebappClassLoader.java 
b/test/org/apache/catalina/loader/TestWebappClassLoader.java
index 2b3c9ca8d5..b2d7ee9d9e 100644
--- a/test/org/apache/catalina/loader/TestWebappClassLoader.java
+++ b/test/org/apache/catalina/loader/TestWebappClassLoader.java
@@ -20,6 +20,7 @@ import java.io.File;
 import java.io.IOException;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.util.Enumeration;
 
 import org.junit.Assert;
 import org.junit.Test;
@@ -175,4 +176,72 @@ public class TestWebappClassLoader extends TomcatBaseTest {
         URL u1 = cl.getResource("");
         Assert.assertNotNull(u1);
     }
+
+
+    @Test
+    public void testFindResourceEmptyString() throws Exception {
+        Tomcat tomcat = getTomcatInstanceTestWebapp(false, true);
+
+        Context c = (Context) tomcat.getHost().findChildren()[0];
+        WebappClassLoaderBase cl = (WebappClassLoaderBase) 
c.getLoader().getClassLoader();
+
+        URL u1 = cl.findResource("");
+        Assert.assertNotNull(u1);
+    }
+
+
+    @Test
+    public void testFindResourcesValid() throws Exception {
+        Tomcat tomcat = getTomcatInstanceTestWebapp(false, true);
+
+        Context c = (Context) tomcat.getHost().findChildren()[0];
+        WebappClassLoaderBase cl = (WebappClassLoaderBase) 
c.getLoader().getClassLoader();
+
+        Enumeration<URL> urls = cl.findResources("org/apache/tomcat");
+        Assert.assertNotNull(urls);
+
+        Assert.assertTrue(urls.hasMoreElements());
+    }
+
+
+    @Test
+    public void testFindResourcesDoesNotExist() throws Exception {
+        Tomcat tomcat = getTomcatInstanceTestWebapp(false, true);
+
+        Context c = (Context) tomcat.getHost().findChildren()[0];
+        WebappClassLoaderBase cl = (WebappClassLoaderBase) 
c.getLoader().getClassLoader();
+
+        Enumeration<URL> urls = cl.findResources("does/not/exist");
+        Assert.assertNotNull(urls);
+
+        Assert.assertFalse(urls.hasMoreElements());
+    }
+
+
+    @Test
+    public void testFindResourcesInvalid01() throws Exception {
+        Tomcat tomcat = getTomcatInstanceTestWebapp(false, true);
+
+        Context c = (Context) tomcat.getHost().findChildren()[0];
+        WebappClassLoaderBase cl = (WebappClassLoaderBase) 
c.getLoader().getClassLoader();
+
+        Enumeration<URL> urls = cl.findResources("does/../../not/exist");
+        Assert.assertNotNull(urls);
+
+        Assert.assertFalse(urls.hasMoreElements());
+    }
+
+
+    @Test
+    public void testFindResourcesInvalid02() throws Exception {
+        Tomcat tomcat = getTomcatInstanceTestWebapp(false, true);
+
+        Context c = (Context) tomcat.getHost().findChildren()[0];
+        WebappClassLoaderBase cl = (WebappClassLoaderBase) 
c.getLoader().getClassLoader();
+
+        Enumeration<URL> urls = cl.findResources("does/not/exist/\u0000");
+        Assert.assertNotNull(urls);
+
+        Assert.assertFalse(urls.hasMoreElements());
+    }
 }
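Review bot: The added tests exercise invalid names only through `findResources`; the two other catch blocks this commit adds (presumably in `findResource` and in the stream-returning lookup) are never driven with an invalid name, since `testFindResourceEmptyString` passes `""` and expects a non-null URL. Assertions such as `Assert.assertNull(cl.findResource("does/../../not/exist"));` and `Assert.assertNull(cl.getResourceAsStream("does/not/exist/\u0000"));` would cover them, assuming null is the intended result for both. Making each call twice in the same test would also pin the behaviour once the path has been cached in `notFoundClassResources`.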
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index d8b6bd3b19..89aa7f26cc 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -195,6 +195,12 @@
         group creation that it does not immediately override existing elements.
         Removal (or update) needs to be used instead. (remm)
       </update>
+      <fix>
+        <bug>70049</bug>: Align the web application class loader with parent
+        class loaders and swallow any errors caused by invalid paths when
+        looking up resources and behave as if the resources were not found in
+        that case. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

