Opened 10 years ago

Closed 9 years ago

#534 closed defect (wontfix)

"Illegal group reference" in JdbcResourceDao.replaceInString(

Reported by: Olaf Seibert 1 Owned by:
Priority: minor Milestone: DASISH backend
Component: DASISH backend Version:
Keywords: Cc: olhsha


The error message here is "Illegal group reference" in JdbcResourceDao?.replaceInString(JdbcResourceDao?.java:143)...
although I can't see quickly which string from my input is used here and considered incorrect.

Apparently there must be something that is used as a regex, or replacement for a regex, and looks like it refers back to a group in the regex.
Usually this is done with a syntax like \1, \2, or $1, $2, etc.
It would refer back to something between () in the regex, but the () aren't there.
Could it be the $% that is in the middle of <Recipient> in <xmlBody> ???
I have not experimented further at this time.

POST/PUT body:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<annotation xmlns=""
-0000-0000-000000000221" URI="">
            <ColTime xmlns:ns2="" xmlns=""
                    <Recipient>a.(dit is een kommentaar)b.&quot;&lt;!@#$%^&amp;*()&gt;&quot;c.d@e.f.g.h &lt;!-- bla! --&gt; &lt;![CDATA[ cdata ..]]&gt;</Recipient>
                <MediaFile ColTimeID="2bab6456-dd07-4319-9cdd-b8027c882086">unknown so far</MediaFile>
                <AnnotationFile ColTimeID="c14e75d1-de10-4b48-a634-394edd709673"
    <permissions public="read">
        <permission level="write"

response: HTTP/1.1 500 Internal Server Error

From my somewhat unreadable error log:

read: 0x3c '<'
read: 0x68 'h'
read: 0x74 't'
read: 0x6d 'm'
read: 2045 bytes: l><head><title>Apache Tomcat/6.0.36 - Error
ont-size:22px;} H2
ont-size:16px;} H3
ont-size:14px;} BODY
:12px;}A {color : black;} {color : black;}HR {color :
#525D76;}--></style> </head><body><h1>HTTP Status 500 - Illegal group
reference</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception
report</p><p><b>message</b> <u>Illegal group
reference</u></p><p><b>description</b> <u>The server encountered an
internal error ({0}) that prevented it from fulfilling this
<pre>java.lang.IllegalArgumentException: Illegal group reference
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Change History (6)

comment:1 Changed 10 years ago by DefaultCC Plugin

Cc: olhsha added

comment:2 Changed 10 years ago by

The xml is correct. The problem is in the row "&quot;&lt;!@#$%&amp;*()&gt;&quot;c.d@e.f.g.h &lt;!-- bla!--&gt; &lt;![CDATA[ cdata ..]]&gt;". I need to ask our Swedish colleagues to remind me which standard convertion we have to use. We need to add it formally to the spec.

comment:3 Changed 10 years ago by Olaf Seibert 1

A bit more analysis from my side:

Looking at the stack trace, the error happens inside java.lang.String.replaceAll(...).

String.replaceAll takes a regular expression (regex) as input (and for a replacement) and therefore some characters in it have special meaning.

The intention of the code is probably to do some plain text substitution and the fact that String.replaceAll() does regex replacement is rather annoying in this case. Client input is apparently used as replacement text and to make it safe, the code should escape $ and \ signs. The documentation for java.util.regex.Matcher.appendReplacement(StringBuffer? sb, String replacement) describes the replacement.

I haven't analyzed where either argument to replaceAll() comes from precisely, but if the search string is also derived from client input, the problem is even bigger. Then you need to escape just about anything that looks like punctuation. (Fortunately there is a method Pattern.quote(String) for that.)

I can reproduce the problem if I reduce my weird string to just "$%" and even just "$" will also do it.

Maybe there is some other function that is really just doing plain text replacement, that would be much simpler, safer and efficient.

comment:4 Changed 10 years ago by

i think I will use this advice to re-fix another bug you mentioned yesterday: replacing temporary identifiers (they are replaced only if they are composed from letters, numbers, -, and _).

As for this issue, there is a standard way to replace &quot; etc., which I have forgotten. Olof used it and it worked. Let us wait what he will answer.

comment:5 Changed 10 years ago by

fixed on localhost. Debugged version of the bug-fix

comment:6 Changed 9 years ago by Sander Maijers

Resolution: wontfix
Status: newclosed

The project has ended.

Note: See TracTickets for help on using tickets.