Bug 62049 - use of unimplemented RequestUtil method in Manager page
Summary: use of unimplemented RequestUtil method in Manager page
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Util
Version: 9.0.4
Hardware: PC Linux
Importance: P2 regression
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks: 63597
Reported: 2018-01-26 13:20 UTC by syl20
Modified: 2019-07-23 09:35 UTC
Description syl20 2018-01-26 13:20:00 UTC
Hi,

Jasper's compilation of the JSP 404 error page, in the manager app, fails.

The way:
1/ Tomcat9 deployed on Linux / OpenJDK8 (I think the problem is similar on Windows / Oracle JVM);
2/ Change conf/tomcat-users.xml to allow a user to access the manager (manager-status permission);
3/ Disable the RemoteAddrValve of the manager if you access it remotely (webapps/manager/META-INF/context.xml);
4/ Run the Tomcat server;
5/ wget the URL http://[ip_tomcat:port]/manager/toto

As toto does not exist, Jasper tries to compile webapps/manager/WEB-INF/jsp/404.jsp and fails with error "The method filter(String) is undefined for the type RequestUtil".

Here is the code that throws the exception (404.jsp file):
...
RequestUtil.filter((String) request.getAttribute(
            "javax.servlet.error.request_uri"))
...
The class javax.servlet.http.HttpServletRequest.RequestUtil in the catalina.jar archive only mentions the getRequestURL method. In previous versions (7.*), the filter method is well implemented. Other methods in these previous versions of the RequestUtil class are marked as 'deprecated', but not the filter method.

So, I suggest 3 solutions:
1/ Just remove the filter call in the 404.jsp file; but we have to be careful with JavaScript injection by HTTP parameters;
2/ Re-implement the filter method in RequestUtil;
3/ Write the 404.jsp in a more static way, like the 403.jsp file.

Thanks
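
Added example, not part of the original report and not Tomcat's own code: a minimal Java sketch of why the error page escapes the request URI before writing it into the response, comparing solution 1 (no filtering) with an escaped rendering. The class name, method names, page wording and sample URIs are all constructed for illustration.

```java
// Added example, not Tomcat source; class and method names are hypothetical.
public class ErrorPageEscapeDemo {

    // Escape the characters that are significant in HTML element content
    // and in quoted attribute values.
    static String htmlEscape(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Solution 1 from the report: the URI is written into the page as received.
    static String render404Unfiltered(String requestUri) {
        return "<p>The page " + requestUri + " does not exist.</p>";
    }

    // Dynamic page with the URI escaped before it reaches the response body.
    static String render404Escaped(String requestUri) {
        return "<p>The page " + htmlEscape(requestUri) + " does not exist.</p>";
    }

    public static void main(String[] args) {
        // Constructed values standing in for the
        // javax.servlet.error.request_uri request attribute.
        String[] uris = { "/manager/toto", "/manager/<b>x</b>", "/manager/a&b=\"c\"" };
        for (String uri : uris) {
            System.out.println("unfiltered: " + render404Unfiltered(uri));
            System.out.println("escaped:    " + render404Escaped(uri));
        }
    }
}
```

In the unfiltered output the markup from the second URI becomes part of the page structure, while the escaped output renders it as literal text.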
Comment 1 Remy Maucherat 2018-01-29 15:55:29 UTC
The fix will be in Tomcat 9.0.5 and 8.5.28.