Jetty
  1. Jetty
  2. JETTY-1311

Jetty is vulnerable to JSP-2.1-Glassfish bug

    Details

    • Type: Bug Bug
    • Status: Resolved Resolved
    • Priority: Major Major
    • Resolution: Won't Fix
    • Affects Version/s: 8.0.0.M1
    • Fix Version/s: None
    • Component/s: JSP
    • Labels:
      None
    • Environment:
      All
    • Number of attachments :
      0

      Description

      Jetty uses jsp-2.1-glassfish jar from org.mortbay.jettyto provide JSP support. There is a bug in the glassfish JSP implementation in org.apache.jasper.servlet.JasperLoader.findClass:

      185            // If the bytecode preprocessor is not enabled, use super.findClass
      186   	       // as usual.
      187            if (!PreprocessorUtil.isPreprocessorEnabled()) {
      188                return super.findClass(className);
      189            }
      

      The thing is, that test for enabled preprocessor returns false in majority of cases and execution never goes to the loading bytecode from the file system. Call to URLClassLoader.findClass simply throws a ClassNotFound exception (resulting in HTTP 500 later on).

      Of course most of the time class for JSP either loaded or its bytecode exists in the memory. But still there are cases (for very rarely used page) to hit this path. For that reason there is no solid repro for this bug. The only condition I am aware about, is that any JSP page should not be hit for several weeks.

      Lines 185-190 can be safely removed. Or Jetty may use other JSP library.

        Activity

        Greg Wilkins made changes -
        Field Original Value New Value
        Assignee Jan Bartel [ janb ]
        Hide
        Jan Bartel added a comment -

        Aleksey,

        The HEAD of jetty-8 currently uses version 2.2.2-b05 of glassfish jsp, which has this code snippet commented out, so is not vulnerable to this problem.

        I would anticipate that M3 of jetty-8 will release with this version of glassfish jsp, however, we have started thinking about a shift to the same jsp version that Tomcat uses .... stay tuned for more info.

        Show
        Jan Bartel added a comment - Aleksey, The HEAD of jetty-8 currently uses version 2.2.2-b05 of glassfish jsp, which has this code snippet commented out, so is not vulnerable to this problem. I would anticipate that M3 of jetty-8 will release with this version of glassfish jsp, however, we have started thinking about a shift to the same jsp version that Tomcat uses .... stay tuned for more info.
        Hide
        Aleksey Vorona added a comment -

        The project, in which we are using Jetty was running on Jetty 6.1H.10 at the time I opened the bug. It uses 6.1.25 now. I've checked HEAD of 7.x branch for the fix at the time I filed the bug and it was not there.

        Our project is almost there to migrate to Jetty 7.x. But 8.x migration is questionable...

        Thank you for looking into it.

        Show
        Aleksey Vorona added a comment - The project, in which we are using Jetty was running on Jetty 6.1H.10 at the time I opened the bug. It uses 6.1.25 now. I've checked HEAD of 7.x branch for the fix at the time I filed the bug and it was not there. Our project is almost there to migrate to Jetty 7.x. But 8.x migration is questionable... Thank you for looking into it.
        Hide
        Jan Bartel added a comment -

        Aleksey,

        I'll close this issue for now as both jetty-7 and jetty-8 appear to use a version of glassfish jsp that does not have the problem.

        thanks
        Jan

        Show
        Jan Bartel added a comment - Aleksey, I'll close this issue for now as both jetty-7 and jetty-8 appear to use a version of glassfish jsp that does not have the problem. thanks Jan
        Jan Bartel made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Won't Fix [ 2 ]

          People

          • Assignee:
            Jan Bartel
            Reporter:
            Aleksey Vorona
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: