Bug 484760

Summary: Servlet forwarding with querystring parameters doesn't work in packaged tomcat tomcat6-6.0.16-6.4
Product: [openSUSE] openSUSE 11.1 Reporter: Dennis Steenstra <dennis.steenstra>
Component: Java Assignee: Michal Vyskocil <mvyskocil>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Critical    
Priority: P1 - Urgent CC: forgotten_1-yzHWP3HO
Version: Final   
Target Milestone: ---   
Hardware: x86-64   
OS: openSUSE 11.0   
Whiteboard: maint:released:11.0:25240 maint:released:11.1:25240 maint:released:sle11:25239
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 485933    
Attachments: webapp.rar
webapp war

Description Dennis Steenstra 2009-03-12 14:11:30 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) Gecko/2009030422 Ubuntu/8.04 (hardy) Firefox/3.0.7

A developer is having problems with Struts actions: they are creating a servlet forward with query string parameters, which doesn't work with the standard packaged tomcat6 supplied by openSUSE's repo.

They do something like:
<forward name="activationSpecifyPassword" path="ChangePassword.do?requestOrigin=tempcred_set_pwd" />

When 'executing' this, the application cannot find the specified servlet. But other forwards without querystring parameters work fine.

Reproducible: Always

Steps to Reproduce:
- install standard opensuse 11.0
- zypper in tomcat6 java-1_5_0-sun
- build webapp with servlet forwards (I'm no developer, so I don't know how that works..)
- execute it.. 
Actual Results:  
Servlet cannot be found

Expected Results:  
Servlet should have been executed/displayed.. 

A developer downloaded Apache's binary core release of Tomcat 6.0.16 and put that on the machine to test if that version had the same issue, which it did not have.

After that, I downloaded the more recent 6.0.18 core binary, and replaced openSUSE's /usr/share/tomcat6/bin/ and /usr/share/tomcat6/lib/ with the content from the Apache version.

Restarted tomcat and now the issue has been resolved temporarily. But it would be nice if this could be fixed, maybe repackage tomcat with 6.0.18?
Comment 1 Michal Vyskocil 2009-03-13 10:23:25 UTC
JFI: the tomcat-6.0.18 is available in Java:packages

The problem seems to be related to a bad fix for CVE-2008-2370
Comment 2 Michal Vyskocil 2009-03-17 12:48:57 UTC
I was unable to reproduce it for Struts. Even if the forwarding was broken - the following code returns an error

ServletContext servletContext = session.getServletContext();
RequestDispatcher rd = servletContext.getRequestDispatcher("/test.jsp?arg=succeded");

rd.forward(request, response);

The requested resource (/test/test.jsp?arg=succeded) is not available.

The struts works well. The

<logic:redirect forward="welcome"/>

with
    <global-forwards>
        <forward                                        
            name="welcome"                              
            path="/Welcome.do?arg=succeded"/>           
    </global-forwards>

in WEB-INF/struts-config.xml works well.

Did you use Struts from the distribution, or a third-party one? Or can you give me a code snippet for testing?
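The difference between the two behaviours discussed above, as an added example that is not part of the bug thread and is not Tomcat's code: CVE-2008-2370 concerned the order of path normalization and query-string removal in RequestDispatcher, and the error quoted in comment 2 shows the query string being looked up as part of the resource name. The class, its method names and the resource set are hypothetical, a simplified model of path resolution only.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Set;

public class ForwardPathCheck {
    // Constructed stand-in for the webapp's resources; not Tomcat's mapper.
    static final Set<String> RESOURCES = Set.of("/test.jsp", "/Welcome.do");

    // Collapse "." and ".." segments; null means the path climbs above the context root.
    static String normalize(String path) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (out.isEmpty()) return null;
                out.removeLast();
            } else {
                out.addLast(seg);
            }
        }
        return "/" + String.join("/", out);
    }

    // Behaviour matching the reported error: the query string is looked up as part of the name.
    static String resolveWhole(String target) {
        String p = normalize(target);
        return (p != null && RESOURCES.contains(p)) ? p : null;
    }

    // Query string split off first; only the path is normalized and looked up.
    static String resolveSplit(String target) {
        int q = target.indexOf('?');
        String path = q < 0 ? target : target.substring(0, q);
        String query = q < 0 ? "" : target.substring(q);
        String p = normalize(path);
        return (p != null && RESOURCES.contains(p)) ? p + query : null;
    }

    public static void main(String[] args) {
        // Constructed targets, based on the paths quoted in the comments above.
        String[] targets = {"/test.jsp", "/test.jsp?arg=succeded",
                            "/Welcome.do?arg=succeded", "/../test.jsp?arg=succeded"};
        for (String t : targets) {
            System.out.printf("%-28s whole=%-6s split=%s%n", t, resolveWhole(t), resolveSplit(t));
        }
    }
}
```

A packaged build can be checked the same way against the three actions listed in comment 4: a forward carrying a query string must resolve, and a path that normalizes above the context root must still be refused.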
Comment 3 Forgotten User 1-yzHWP3HO 2009-03-19 07:08:06 UTC
I have received information from development here. 

Before I upload it, I'll check what the legal status of the code is.
Comment 4 Forgotten User 1-yzHWP3HO 2009-03-19 07:16:06 UTC
ok, checked it. It's OK.

instructions:


The included project is a maven project. You'll need maven if you want to build it. 

There are 3 actions to perform:

1) /action/Action1.do - this will forward to /action/Action2.do and then to helloWorld.jsp

2) /action/Action1.do?action=2b - this will forward to /action/Action2.do?action=2b and then a 404 is thrown

3) /action/Action1.do?action=2c - this will redirect to /action/Action2.do?action=2c and then to helloWorld.jsp

The two attachments needed will follow.
Comment 5 Forgotten User 1-yzHWP3HO 2009-03-19 07:22:20 UTC
Created attachment 280491
webapp.rar
Comment 6 Forgotten User 1-yzHWP3HO 2009-03-19 07:23:14 UTC
Created attachment 280492
webapp war
Comment 7 Forgotten User 1-yzHWP3HO 2009-03-19 07:24:35 UTC
if more information is needed, just holler.
Comment 8 Michal Vyskocil 2009-03-20 10:10:55 UTC
Thanks for your example, I reproduced the bad behavior on unpatched tomcat6 and checked that a fix works. This issue will be released with the prepared cumulative fix for tomcat6. See bug#485933 for details.

Assigning to me.
Comment 9 Michal Vyskocil 2009-06-10 14:58:39 UTC
Was included in the tomcat6 packages and will be delivered with the upcoming security update of tomcat.
Comment 10 Swamp Workflow Management 2009-06-10 16:32:46 UTC
The SWAMPID for this issue is 25234.
Please submit the patch and patchinfo file using this ID.
(https://swamp.suse.de/webswamp/wf/25234)
Comment 11 Swamp Workflow Management 2009-06-30 13:09:26 UTC
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
openSUSE 11.0 (i386)
openSUSE 11.1 (i586)
Comment 12 Swamp Workflow Management 2009-06-30 22:08:43 UTC
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64)