
Tomcat 9.0.14 and later breaks Emoticons


    Details

      Description

      Issue Summary

      If you upgrade Tomcat to version 9.0.14 - 9.0.19, emoticons are broken. Neither the emoticons on pages nor the emoticon browser load.

      Issues observed:

      1. Insert Emoticon Menu
      2. Emoticon on pages:
      3. Global Permission page:
      4. User icon link:

      Environment

      • Confluence 6.13.4, Tomcat 9.0.14
      • Confluence 6.15.3, Tomcat 9.0.17

      java -cp catalina.jar org.apache.catalina.util.ServerInfo
      In 6.15.2 the output looks like:

      Server version: Apache Tomcat/9.0.12
      Server built: Sep 4 2018 22:13:41 UTC
      Server number: 9.0.12.0*

      Steps to Reproduce

      1. Upgrade Tomcat to 9.0.14 following directions here
      2. Edit a page and load the emoticon browser and observe that the images don't load

        Expected Results

      Emoticon images should load

      Actual Results

      Emoticon images don't load

      Notes

      If you inspect a HAR file, you will see that in Tomcat 9.0.13 and earlier, the content-type for the image is image/svg+xml;charset=UTF-8.
      After upgrading to Tomcat 9.0.14, the content-type is text/html;charset=UTF-8.

      I checked the release notes for Tomcat 9.0.14, and it looks like the issue is caused by this change: "The default Servlet should not override a previously set content-type"
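
      The HAR check described in the Notes can be scripted. The following is an added example, not part of the original issue or of Confluence: it lists responses to .svg URLs that were not served as image/svg+xml. The sample HAR entries, host name and URL paths are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

def _entry(url, status, ctype=None, mime=""):
    """Build one constructed HAR entry (sample data only)."""
    headers = [{"name": "Content-Type", "value": ctype}] if ctype else []
    return {"request": {"url": url},
            "response": {"status": status, "headers": headers,
                         "content": {"mimeType": mime}}}

# Constructed sample, not captured from a real instance; paths are assumptions.
BASE = "https://wiki.example.test/images/"
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry(BASE + "smile.svg", 200, "text/html;charset=UTF-8"),
    _entry(BASE + "wink.svg", 200, "image/svg+xml;charset=UTF-8"),
    _entry(BASE + "logo.png", 200, "image/png"),
    _entry(BASE + "sad.svg?v=2", 200, mime="text/html"),
    _entry(BASE + "smile.svg", 304),
]}})

def media_type(response):
    """Return the lower-cased media type of a HAR response, parameters stripped."""
    for header in response.get("headers", []):
        if header.get("name", "").lower() == "content-type":
            return header.get("value", "").split(";")[0].strip().lower()
    # Some exporters omit headers; fall back to the HAR content.mimeType field.
    return response.get("content", {}).get("mimeType", "").split(";")[0].strip().lower()

def mislabelled_svgs(har_text):
    """Return (url, media_type) for 200 responses to .svg paths not served as SVG."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        url, response = entry["request"]["url"], entry["response"]
        if not urlsplit(url).path.lower().endswith(".svg"):
            continue  # only SVG assets are affected by the content-type change
        if response.get("status") != 200:
            continue  # 304 and similar responses say nothing about the served type
        found = media_type(response)
        if found != "image/svg+xml":
            findings.append((url, found))
    return findings

if __name__ == "__main__":
    for url, found in mislabelled_svgs(SAMPLE_HAR):
        print(f"{found or '(none)'}\t{url}")
```

      Run it against a HAR exported after a hard refresh, since cached responses are skipped.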


      Workaround

      Workaround Warning

      The provided workaround of downgrading Tomcat to 9.0.12 restores SVG functionality, but leaves the instance exposed to CONFSERVER-58106: Update Confluence Server to use Tomcat 9.0.16 to address CVE-2019-0199 (fixed in Confluence Server 7.0.1, 6.15.3, 6.14.4, 6.13.5, 6.6.14, 6.15.4) which is fixed in Tomcat 9.0.16. For this reason, anyone who has undertaken the downgrade of Tomcat to restore functionality should plan an upgrade to Confluence 6.15.4 (or later) as a matter of urgency.

      Customers who have implemented header rewrite rules at the reverse proxy layer and are continuing to run Tomcat 9.0.16 are protected from the above CVE.

      If you are unsure of your Tomcat version, you can use the command below to verify which version of Tomcat you're running. The command should be run from the <Confluence-Install>/lib directory.

      Verify Tomcat Server Version
      java -cp catalina.jar org.apache.catalina.util.ServerInfo
      

      We have since released Confluence 6.15.4 which contains a fix for this issue. We recommend upgrading immediately if you're impacted by the issue.

      We no longer recommend the below workaround to downgrade Tomcat to 9.0.12, but it is available if required:

      1. Download the Tomcat 9.0.12 lib directory Tomcat-9-0-12-lib.zip, attached to this issue (alternatively you can download and extract apache-tomcat-9.0.12.zip or apache-tomcat-9.0.12.tar.gz from the Apache archives at https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.12/bin/).
      2. Stop Confluence
      3. Back up your installation directory.
      4. Remove the contents of your existing <install-directory>/lib directory.
      5. Copy the contents of the downloaded lib directory to your existing <install-directory>/lib directory.
      6. Restart Confluence
      7. Go to General Configuration > System Information and confirm Confluence is now using Apache Tomcat 9.0.12.
      8. Edit a page and confirm that you can successfully insert an emoticon.

      Your browser may have cached the broken assets, so perform a hard refresh to confirm the fix has worked. If you suspect your users may also have cached broken assets, make a small change to your site colour scheme (for example change a colour and then change it back).

        Attachments

        1. Tomcat-9-0-12-lib.zip (7.38 MB)
        2. screenshot-4.png (5 kB)
        3. screenshot-3.png (17 kB)
        4. screenshot-2.png (60 kB)
        5. screenshot-1.png (43 kB)
