Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/02/06 02:12:52 UTC

[Bug 62080] New: EL Util class should have doPrivledge block

https://bz.apache.org/bugzilla/show_bug.cgi?id=62080

            Bug ID: 62080
           Summary: EL Util class should have doPrivledge block
           Product: Tomcat 9
           Version: unspecified
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: EL
          Assignee: dev@tomcat.apache.org
          Reporter: jsartoris@hotmail.com
  Target Milestone: -----

The javax.el.Util class can lead to an AccessControlException in the
getExpressionFactory() method if security is enabled.

I believe the call to get the classloader:

ClassLoader tccl = Thread.currentThread().getContextClassLoader();

should be wrapped in a doPrivileged block:


        ClassLoader tccl;
        if (System.getSecurityManager() != null) {
            tccl = AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
                @Override
                public ClassLoader run() {
                    return Thread.currentThread().getContextClassLoader();
                }
            });
        } else {
            tccl = Thread.currentThread().getContextClassLoader();
        }

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 62080] EL Util class should have doPrivileged block

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62080

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
My local testing found that the class loader structure would need to be fairly
unusual to trigger this issue. I therefore opted to wrap all the requests for
the TCCL in a privileged action to ensure that all use cases were covered. 

Fixed in:
- trunk for 9.0.9 onwards
- 8.5.x for 8.5.32 onwards
- 8.0.x for 8.0.53 onwards
- 7.0.x for 7.0.89 onwards

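Added example (not part of the original thread and not Tomcat's code): Thread.getContextClassLoader() only checks RuntimePermission("getClassLoader") when the calling class's loader is neither the TCCL nor one of its ancestors, so the direct call is denied only in the sibling-loader layout, while the doPrivileged form succeeds there. The class name, NO_PERMS and the allow-all Policy are constructed for the demo; it assumes a JDK that still permits installing a SecurityManager (Java 17 or earlier without extra flags).

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.*;
import java.util.function.Supplier;

// Added illustration, not Tomcat code. All names here are hypothetical.
public class TcclPrivilegedDemo {
    // Constructed stand-in for unprivileged code further up the call stack.
    static final AccessControlContext NO_PERMS = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    // The lookup as quoted in the report.
    static ClassLoader direct() {
        return Thread.currentThread().getContextClassLoader();
    }

    // The lookup wrapped as the report proposes.
    static ClassLoader wrapped() {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            @Override public ClassLoader run() {
                return Thread.currentThread().getContextClassLoader();
            }
        });
    }

    // Runs the lookup with NO_PERMS in the access-control context; false means denied.
    static boolean allowedForUntrustedCaller(final Supplier<ClassLoader> lookup) {
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            @Override public Boolean run() {
                try { lookup.get(); return true; }
                catch (AccessControlException e) { return false; }
            }
        }, NO_PERMS);
    }

    public static void main(String[] args) {
        // A loader whose parent is the bootstrap loader: not a descendant of this class's loader.
        ClassLoader sibling = new URLClassLoader(new URL[0], null);
        Policy.setPolicy(new Policy() { // demo policy: every loaded class is fully trusted
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());
        // TCCL is this class's own loader: no permission check is made.
        System.out.println("default TCCL, direct:  " + allowedForUntrustedCaller(TcclPrivilegedDemo::direct));
        Thread.currentThread().setContextClassLoader(sibling);
        // TCCL is unrelated to the caller's loader: the permission check now applies.
        System.out.println("sibling TCCL, direct:  " + allowedForUntrustedCaller(TcclPrivilegedDemo::direct));
        System.out.println("sibling TCCL, wrapped: " + allowedForUntrustedCaller(TcclPrivilegedDemo::wrapped));
    }
}
```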


[Bug 62080] EL Util class should have doPrivledge block

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62080

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
                 OS|                            |All

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Can you provide a simple test case that demonstrates the problem?



[Bug 62080] EL Util class should have doPrivileged block

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62080

Konstantin Kolinko <kn...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|EL Util class should have   |EL Util class should have
                   |doPrivledge block           |doPrivileged block



[Bug 62080] EL Util class should have doPrivileged block

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62080

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
I've spent a little time looking at this. It isn't going to occur in normal
Tomcat usage. It may occur if el-api.jar and jasper-el.jar are used
independently. I'm working on a fix.
