  1. Groovy
  2. GROOVY-8056

GroovyCodeSource(URL) can leak a file handler

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.4.8
    • Fix Version/s: 2.4.12
    • Component/s: None
    • Labels:
      None

      Description

      When GroovyCodeSource is created from a URL it calls url.openConnection.getContentEncoding(). When it's a file: URL, this causes a FileInputStream to be opened and never closed. The stack trace for it being opened is:

      at java.io.FileInputStream.<init>(Unknown Source)
      	at java.io.FileInputStream.<init>(Unknown Source)
      	at sun.net.www.protocol.file.FileURLConnection.connect(Unknown Source)
      	at sun.net.www.protocol.file.FileURLConnection.initializeHeaders(Unknown Source)
      	at sun.net.www.protocol.file.FileURLConnection.getHeaderField(Unknown Source)
      	at java.net.URLConnection.getContentEncoding(Unknown Source)
      	at groovy.lang.GroovyCodeSource.<init>(GroovyCodeSource.java:176)
      	at groovy.text.markup.MarkupTemplateEngine$MarkupTemplateMaker.<init>(MarkupTemplateEngine.java:222)
      	at groovy.text.markup.MarkupTemplateEngine.createTemplateByPath(MarkupTemplateEngine.java:145)
      

      I believe that keeping a local reference to the URLConnection and then calling getInputStream().close() on it will fix the problem.

      For reference, this is the Spring Boot issue where the problem was originally reported.

          Activity

          blackdrag Jochen Theodorou added a comment -

          Yes, this should not happen... I hope that this then really solves the problem on the spring-boot side, since Windows tends to not close file handles right away and just because we close may not mean Windows closes it at that time too. But anyway, this needs to be fixed.

          jwagenleitner John Wagenleitner added a comment -

          I think getContentEncoding() is not correct since we are looking for a charset but it returns how the content is compressed (i.e., gzip, deflate) that is specified in the Content-Encoding HTTP Header.

          To obtain a charset it's the getContentType() value and it's in the form (when it's present) text/html; charset=UTF-8. Further, I think we could skip this call completely if "file".equals(url.getProtocol()) since no Content-Type header will be available.
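
The two suggestions in this thread combined, as an added example that is not the Groovy project's code or the change made in either pull request: skip the connection entirely for file: URLs, read the charset from Content-Type rather than Content-Encoding, and close the connection's stream once a header has been read. The class and method names (`UrlCharsetProbe`, `charsetFromContentType`, `probe`) are hypothetical, and the header values and temp file are constructed samples.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.Path;

public class UrlCharsetProbe {

    // Extracts the charset parameter from a Content-Type value such as
    // "text/html; charset=UTF-8"; returns null when absent or unsupported.
    static Charset charsetFromContentType(String contentType) {
        if (contentType == null) return null;
        for (String param : contentType.split(";")) {
            String p = param.trim();
            if (p.regionMatches(true, 0, "charset=", 0, 8)) {
                String name = p.substring(8).trim().replace("\"", "");
                try {
                    return Charset.forName(name);
                } catch (IllegalArgumentException e) {
                    return null; // illegal or unsupported charset name
                }
            }
        }
        return null;
    }

    // Hypothetical helper: decides which charset to use for a script URL.
    static Charset probe(URL url) throws IOException {
        // file: URLs carry no Content-Type header, so never open a connection for them.
        if ("file".equals(url.getProtocol())) return null;
        URLConnection conn = url.openConnection(); // keep a local reference
        try {
            return charsetFromContentType(conn.getContentType());
        } finally {
            // Reading a header connects the URLConnection; close its stream to release the handle.
            try { conn.getInputStream().close(); } catch (IOException ignored) { }
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(charsetFromContentType("text/html; charset=UTF-8")); // constructed Content-Type value
        System.out.println(charsetFromContentType("gzip")); // a Content-Encoding value carries no charset
        Path script = Files.createTempFile("sample", ".groovy"); // constructed sample file
        System.out.println(probe(script.toUri().toURL()));
        Files.delete(script); // probe() opened no stream on the file
    }
}
```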

          githubbot ASF GitHub Bot added a comment -

          GitHub user jwagenleitner opened a pull request:

          https://github.com/apache/groovy/pull/500

          GROOVY-8056: GroovyCodeSource(URL) can leak a file handler

          URLConnect.getContentEncoding returns the Content-Encoding
          HTTP Header [1] which is not a charset. Since this method would
          have either returned null or an invalid charset, the code path
          specifying the encoding would normally not have been executed.
          The charset may be contained in the Content-Type header, but
          rather than attempt to parse that string which would require
          closing the connection, this fix avoids opening the connection
          and relies on the default charset.

          [1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/jwagenleitner/groovy groovy8056-content-encoding

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/groovy/pull/500.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #500


          commit 29a641ccc212d397bdc11d3a995763b88dfe34b5
          Author: John Wagenleitner <jwagenleitner@apache.org>
          Date: 2017-02-19T00:22:49Z

          GROOVY-8056: GroovyCodeSource(URL) can leak a file handler

          URLConnect.getContentEncoding returns the Content-Encoding
          HTTP Header [1] which is not a charset. Since this method would
          have either returned null or an invalid charset, the code path
          specifying the encoding would normally not have been executed.
          The charset may be contained in the Content-Type header, but
          rather than attempt to parse that string which would require
          closing the connection, this fix avoids opening the connection
          and relies on the default charset.

          [1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11


          githubbot ASF GitHub Bot added a comment -

          GitHub user jwagenleitner opened a pull request:

          https://github.com/apache/groovy/pull/557

          GROOVY-8056: GroovyCodeSource(URL) can leak a file handler

          A safer fix in terms of compatibility compared to PR #500.

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/jwagenleitner/groovy 8056-urlcon-leak

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/groovy/pull/557.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #557


          commit d99ff70a729448d75d3ca5b98c70733ba1ca428a
          Author: John Wagenleitner <jwagenleitner@apache.org>
          Date: 2017-06-03T14:50:41Z

          GROOVY-8056: GroovyCodeSource(URL) can leak a file handler


          githubbot ASF GitHub Bot added a comment -

          Github user jwagenleitner closed the pull request at:

          https://github.com/apache/groovy/pull/500

          githubbot ASF GitHub Bot added a comment -

          Github user jwagenleitner closed the pull request at:

          https://github.com/apache/groovy/pull/557

          jwagenleitner John Wagenleitner added a comment -

          Thanks for reporting the issue.


            People

            • Assignee:
              jwagenleitner John Wagenleitner
              Reporter:
              awilkinson Andy Wilkinson