Bug 1133873

Summary:	The module "org.apache.commons.fileupload" should depend on "org.apache.commons.io".
Product:	[JBoss] JBoss Enterprise Portal Platform 6	Reporter:	indrajit <iingawal>
Component:	Portal	Assignee:	Nobody <nobody>
Status:	VERIFIED ---	QA Contact:	Tomas Kyjovsky <tkyjovsk>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	6.1.0	CC:	epp-bugs, jpallich, ppalaga
Target Milestone:	CR03
Target Release:	6.2.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description indrajit 2014-08-26 11:11:38 UTC

Description of problem:

Apache states clearly in [1] that commons-fileupload-*.jar is a direct dependent on commons-io-*.jar but in $JPP_HOME/modules/system/layers/gatein/org/apache/commons/fileupload/main/module.xml file does not specify dependency of "org.apache.commons.io" module: 

[1] http://commons.apache.org/proper/commons-fileupload/dependencies.html

So getting below exceptions while executing parseRequest(request) method of class - org.apache.commons.fileupload.servlet.ServletFileUpload :

----------------------------------------
16:15:51,245 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/TestFileUpload].[FileUploadServlet]] (http-/127.0.0.1:8080-1) JBWEB000236: Servlet.service() for servlet FileUploadServlet threw exception: java.lang.ClassNotFoundException: org.apache.commons.io.output.DeferredFileOutputStream from [Module "org.apache.commons.fileupload:main" from local module loader @4e3e95e6 (finder: local module finder @6ee3572b (roots: /NotBackedUp/Portal_SBR/EPP_6/EPP-6.1.0/jboss-jpp-6.1.0_test/jboss-jpp-6.1/modules,/NotBackedUp/Portal_SBR/EPP_6/EPP-6.1.0/jboss-jpp-6.1.0_test/jboss-jpp-6.1/modules/system/layers/gatein,/NotBackedUp/Portal_SBR/EPP_6/EPP-6.1.0/jboss-jpp-6.1.0_test/jboss-jpp-6.1/modules/system/layers/base))]
	at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:196) [jboss-modules.jar:1.2.2.Final-redhat-1]
	at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:444) [jboss-modules.jar:1.2.2.Final-redhat-1]
	at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:432) [jboss-modules.jar:1.2.2.Final-redhat-1]
	at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:374) [jboss-modules.jar:1.2.2.Final-redhat-1]
	at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:119) [jboss-modules.jar:1.2.2.Final-redhat-1]
	at org.apache.commons.fileupload.disk.DiskFileItemFactory.createItem(DiskFileItemFactory.java:196) [commons-fileupload-1.2.1.jar:1.2.1]
	at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:358) [commons-fileupload-1.2.1.jar:1.2.1]
	at org.apache.commons.fileupload.servlet.ServletFileUpload.parseRequest(ServletFileUpload.java:126) [commons-fileupload-1.2.1.jar:1.2.1]
	at net.codejava.upload.FileUploadServlet.doPost(FileUploadServlet.java:89) [classes:]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.1.Final-redhat-10.jar:7.2.1.Final-redhat-10]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_10]

----------------------------------------

Version-Release number of selected component (if applicable):


How reproducible:

While using parseRequest(request) method of class - org.apache.commons.fileupload.servlet.ServletFileUpload. 

Use it like following in a code:

DiskFileItemFactory factory = new DiskFileItemFactory();

ServletFileUpload upload = new ServletFileUpload(factory);

List<FileItem> formItems = upload.parseRequest(request);


Steps to Reproduce:
1.
2.
3.

Actual results:

----------------------------------------
16:15:51,245 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/TestFileUpload].[FileUploadServlet]] (http-/127.0.0.1:8080-1) JBWEB000236: Servlet.service() for servlet FileUploadServlet threw exception: java.lang.ClassNotFoundException: org.apache.commons.io.output.DeferredFileOutputStream from [Module "org.apache.commons.fileupload:main" from local module loader @4e3e95e6 (finder: local module finder @6ee3572b (roots: /NotBackedUp/Portal_SBR/EPP_6/EPP-6.1.0/jboss-jpp-6.1.0_test/jboss-jpp-6.1/modules,/NotBackedUp/Portal_SBR/EPP_6/EPP-6.1.0/jboss-jpp-6.1.0_test/jboss-jpp-6.1/modules/system/layers/gatein,/NotBackedUp/Portal_SBR/EPP_6/EPP-6.1.0/jboss-jpp-6.1.0_test/jboss-jpp-6.1/modules/system/layers/base))]
	at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:196) [jboss-modules.jar:1.2.2.Final-redhat-1]
	at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:444) [jboss-modules.jar:1.2.2.Final-redhat-1]
	at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:432) [jboss-modules.jar:1.2.2.Final-redhat-1]
	at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:374) [jboss-modules.jar:1.2.2.Final-redhat-1]
	at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:119) [jboss-modules.jar:1.2.2.Final-redhat-1]
	at org.apache.commons.fileupload.disk.DiskFileItemFactory.createItem(DiskFileItemFactory.java:196) [commons-fileupload-1.2.1.jar:1.2.1]
	at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:358) [commons-fileupload-1.2.1.jar:1.2.1]
	at org.apache.commons.fileupload.servlet.ServletFileUpload.parseRequest(ServletFileUpload.java:126) [commons-fileupload-1.2.1.jar:1.2.1]
	at net.codejava.upload.FileUploadServlet.doPost(FileUploadServlet.java:89) [classes:]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.1.Final-redhat-10.jar:7.2.1.Final-redhat-10]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
	at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_10]

----------------------------------------


Expected results:

Getting executed successfully if you add a dependency of "org.apache.commons.io"
in module "org.apache.commons.fileupload" module.xml like following.


----------------------------------_
<module xmlns="urn:jboss:module:1.0" name="org.apache.commons.fileupload">
  <resources>
    <resource-root path="commons-fileupload-1.2.1.jar"/>
  </resources>

  <dependencies>
    <module name="javax.servlet.api"/>
    <module name="javax.portlet.api"/>


    <module name="org.apache.commons.io"/>


  </dependencies>
</module>

----------------------------------_

Additional info:

Comment 4 Lucas Ponce 2015-02-27 09:48:29 UTC

Fix sent to 3.8.x branch in upstream:

https://github.com/gatein/gatein-portal/pull/932

Comment 5 Peter Palaga 2015-02-27 21:57:21 UTC

https://github.com/gatein/gatein-portal/pull/932 was merged in upstream

Comment 6 Tomas Kyjovsky 2015-03-13 16:57:31 UTC

Not fixed in 6.2.0.ER9.

The test app doesn't work unless I manually add the dependency to the fileupload module:

    <module name="org.apache.commons.io"/>

Comment 7 Peter Palaga 2015-03-16 10:28:14 UTC

I checked that the changes from https://github.com/gatein/gatein-portal/pull/932 are available in the -prod tag 3.8.14.Final-prod-1 in file packaging/jboss/modules/src/main/resources/modules/org/apache/commons/fileupload/main/module.xml

So this is definitely a productization issue. 
Maybe our changes are overwritten by this patch?
packaging/jboss/pkg/src/main/patches/CVE-2014-0050/module.xml

Assigning to Honza

Comment 8 Tomas Kyjovsky 2015-04-13 11:56:27 UTC

Not fixed in ER10.