Bug 62049

Summary: use of unimplemented RequestUtil method in Manager page
Product: Tomcat 9
Reporter: syl20 <sylvain.catrix>
Component: Util
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: regression    
Priority: P2    
Version: 9.0.4   
Target Milestone: -----   
Hardware: PC   
OS: Linux   
Bug Depends on:    
Bug Blocks: 63597    

Description syl20 2018-01-26 13:20:00 UTC
Hi,

Jasper's compilation of the JSP 404 error page, in the manager app, fails.

The way:
1/ Tomcat9 deployed on Linux / OpenJDK8 (I think the problem is similar on Windows / Oracle JVM);
2/ Change conf/tomcat-users.xml to allow a user to access the manager (manager-status permission);
3/ Disable the RemoteAddrValve of the manager if you access it remotely (webapps/manager/META-INF/context.xml);
4/ Run the Tomcat server;
5/ wget the url http://[ip_tomcat:port]/manager/toto

As toto does not exist, Jasper tries to compile webapps/manager/WEB-INF/jsp/404.jsp and fails with error "The method filter(String) is undefined for the type RequestUtil".

Here is the code that throws the exception (404.jsp file):
...
RequestUtil.filter((String) request.getAttribute(
            "javax.servlet.error.request_uri"))
...
The class javax.servlet.http.HttpServletRequest.RequestUtil in the catalina.jar archive only mentions the getRequestURL method. In previous versions (7.*), the filter method is well implemented. Other methods in these previous versions of the RequestUtil class are marked as 'deprecated', but not the filter method.

So, I suggest 3 solutions:
1/ Just remove the filter call in the 404.jsp file; but we have to be careful with JavaScript injection by HTTP parameters;
2/ Re-implement the filter method in RequestUtil;
3/ Write the 404.jsp in a more static way, like the 403.jsp file.

Thanks
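
Added example, not part of the original report and not Tomcat's code: a stand-alone sketch of what options 1 and 2 above trade off, showing the request URI written into a 404 body with and without HTML escaping. The class name ErrorPageEscaper, its methods, the message wording and the sample URIs are assumptions made for illustration.

```java
// Added illustration; ErrorPageEscaper and its methods are hypothetical names,
// not Tomcat classes.
public final class ErrorPageEscaper {

    /** Replace the characters that are significant in HTML text and attribute values. */
    public static String filter(String message) {
        if (message == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(message.length() + 16);
        for (int i = 0; i < message.length(); i++) {
            char c = message.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Build a 404 body (constructed wording) with or without escaping the URI. */
    static String render(String requestUri, boolean escape) {
        String shown = escape ? filter(requestUri) : requestUri;
        return "<p>The page you tried to access (" + shown + ") does not exist.</p>";
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for the
        // "javax.servlet.error.request_uri" request attribute.
        String[] uris = { "/manager/toto", "/manager/<b>x</b>&\"q\"", null };
        for (String uri : uris) {
            // Unescaped: markup in the URI becomes part of the page (option 1 as-is).
            System.out.println("raw     : " + render(uri, false));
            // Escaped: the same URI is shown as inert text (option 2).
            System.out.println("filtered: " + render(uri, true));
        }
    }
}
```

For the second sample the raw line contains a live `<b>` element, while the filtered line shows `&lt;b&gt;x&lt;/b&gt;&amp;&quot;q&quot;` as plain text.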
Comment 1 Remy Maucherat 2018-01-29 15:55:29 UTC
The fix will be in Tomcat 9.0.5 and 8.5.28.