Bug 58946

Summary: ApplicationHttpRequest should enforce immutability of ParameterMap
Product: Tomcat 8 Reporter: Konstantin Kolinko <knst.kolinko>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P2    
Version: 8.0.30   
Target Milestone: ----   
Hardware: PC   
OS: All   

Description Konstantin Kolinko 2016-01-30 12:05:04 UTC
JavaDoc for ServletRequest.getParameterMap(), both ours and the one at Oracle site [1] says:

"Returns: an immutable java.util.Map containing [...]"

The problem is that this immutability is not enforced by org.apache.catalina.core.ApplicationHttpRequest class that is used to implement included or forwarded requests.

Note that org.apache.catalina.util.ParameterMap class used for usual (not forwarded) requests does enforce immutability. An example of message from that class is shown below.

Reproducible with current Tomcat 8.0-dev.

Steps to reproduce
1. Put the following two JSPs into ROOT web application:

<%@page contentType="text/plain;charset=UTF-8" import="java.util.*"%>
RequestDispatcher rd = request.getRequestDispatcher("test2.jsp");
rd.forward(request, response);

<%@page contentType="text/plain;charset=UTF-8" import="java.util.*"%>
Map map = request.getParameterMap();
map.put("foo", "bar");
<%= map %>

2. Call

The following response is observed:
{foo=bar, z=[Ljava.lang.String;@3877a5}

If I call the test2.jsp application directly, the behaviour is as expected:


HTTP Status 500 - An exception occurred processing JSP page /test2.jsp at line 4

root cause

java.lang.IllegalStateException: No modifications are allowed to a locked ParameterMap


I noticed this issue while performing code review,
inspired by a thread started 2016-01-19 on users mailing list [2].

[1] http://docs.oracle.com/javaee/7/api/javax/servlet/ServletRequest.html#getParameterMap--

[2] http://tomcat.markmail.org/thread/3hq4fghtoxcj44i5
Comment 1 Mark Thomas 2016-02-01 09:43:15 UTC
Fixed in 9.0.x for 9.0.0.M3, 8.0.x for 8.0.32, 7.0.x for 7.0.68 and 6.0.x for 6.0.44.