This commit, https://github.com/apache/tomcat/commit/10a1a6d46d952bab4dfde44c3c0de12b0330da79, that appeared in 9.0.71 made changes to MessageBytes.toString() that cause a serious regression under some circumstances. This is preventing us from upgrading to later Tomcat releases to pick up security fixes. If the MessageByte object is of type T_BYTES or T_CHARS, it gets converted to type T_STR. Although there is nothing in the general contract of toString() that prohibits modifying the object, it's an unexpected side-effect. The JavaDoc for MessageBytes.getType() explicitly says it returns "the type of the original content", so the change breaks that contract. But it's more serious than a mere disagreement with documentation. Some colleagues of mine were a few days ahead of me in investigating this problem (they were working with tomcat-embed-core and I was working woth Tomcat standalone). Most of this explanation is due to their research. If something calls MessageBytes.toString(), fragile assumptions elsewhere can fall apart. For example, if you use a Java agent like OpenTelemetry, it intercepts every request in order to obtain the URL path for logging. CoyoteAdapter.postParseRequest() then makes a mistake because the MessageBytes object changed from type T_BYTES to type T_STR, and this assumption is no longer true: /* * The URI is chars or String, and has been sent using an in-memory protocol handler. The following * assumptions are made: - req.requestURI() has been set to the 'original' non-decoded, non-normalized * URI - req.decodedURI() has been set to the decoded, normalized form of req.requestURI() */ The downstream result of that is a 404 response for every URL path. Experimentally, I found that simply removing the type reassignment, as seen here, was enough to resolve the immediate issue. State tracking in the MessageBytes class is a bit complicated, and I have not looked carefully to see if this proposed fix has any undesired consequences. /** * Compute the string value. * @return the string */ @Override public String toString() { switch (type) { case T_NULL: case T_STR: // No conversion required break; case T_BYTES: //type = T_STR; strValue = byteC.toString(); break; case T_CHARS: //type = T_STR; strValue = charC.toString(); break; } return strValue; }
The assumption in CoyoteAdater is still valid - assuming no-one is calling Tomcat internals. As soon as components start accessing Tomcat internals then all sorts of things can go wrong unless those components do so very carefully. Open Telemetry fixed this 9 months ago: https://github.com/open-telemetry/opentelemetry-java-instrumentation/commit/e526338fc3e0a172b74f0ced5b76cc47947bea88 It is a fair point about the change in behaviour of getType(). Not changing the type on a conversion shouldn't have any functional impact but that needs checking and it might have performance impacts.
I agree in general with the point about calling internals, but it is, after all, a documented API. Thanks for the pointer about OpenTelemetry's fix. We'll pursue that.
The API is also documented not to be stable. See the section on API stability in the RELEASE-NOTES.txt file that should be at the root of every Tomcat 9 distribution. That said, I do plan to look at the feasibility of restoring the behaviour described in the getType() Javadoc.
Fixed in: - 11.0.x for 11.0.0-M8 onwards - 10.1.x for 10.1.11 onwards - 9.0.x for 9.0.77 onwards - 8.5.x for 8.5.91 onwards
Thanks for the quick turnaround, Mark!