Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/08/22 02:24:30 UTC
DO NOT REPLY [Bug 4138] - Processor threads have inconsistent ClassLoader state
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4138
Processor threads have inconsistent ClassLoader state
ruvinsky@yahoo.com changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
Status     |RESOLVED                    |REOPENED
Resolution |WONTFIX                     |
Summary    |HttpProcessor threads have  |Processor threads have
           |inconsistent ClassLoader    |inconsistent ClassLoader
           |state                       |state
------- Additional Comments From ruvinsky@yahoo.com 2002-08-22 00:24 -------
I'd like to revisit this issue, now that it has been some time since it was
originally reported. I still feel that this is technically a bug and it should
get fixed in Tomcat's now more mature state.

Also, rethinking this, this does appear to be a security vulnerability, because
if the classloader remains as the webapp classloader for the processor
thread after the servlet finishes servicing, it's particularly vulnerable
(given that all the server code the thread runs through has all the Java2
security permissions granted). The thread could load classes that the *webapp
classloader* would try loading first (since that specific classloader type does
not perform parent-first classloader delegation).

Aside from all this, it's a code cleanliness and peace of mind issue. :)

Thoughts?

Here is the simple fix in class "org.apache.catalina.core.StandardHostValve":

    public void invoke(Request request, Response response,
                       ValveContext valveContext)
        throws IOException, ServletException {

        // :
        // :
        // :

        // remember the current classloader for this thread
        ClassLoader origClassLoader =
            Thread.currentThread().getContextClassLoader();

        // set the context class loader for this thread before invoking
        // the context
        Thread.currentThread().setContextClassLoader(
            context.getLoader().getClassLoader());

        try {
            // have the context process this request
            context.invoke(request, response);
        } finally {
            // under ANY circumstance (regardless of exception occurring during
            // request processing), always perform the following:
            // restore the original classloader for this thread
            Thread.currentThread().setContextClassLoader(origClassLoader);
        }
    }
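
The following is an added example, not part of the original message and not Tomcat code. It shows the behaviour the comment describes on a reused worker thread: one failing request is run through an unguarded and a try/finally-guarded wrapper, and the next task on the same thread reports whether it still sees the webapp loader. The class name, the WEBAPP loader and the single-thread executor standing in for a processor thread are all assumptions made for the illustration.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.UnaryOperator;

public class ContextLoaderLeakDemo {
    // Hypothetical stand-in for a per-webapp class loader (no URLs, loads nothing itself).
    static final ClassLoader WEBAPP = new URLClassLoader(new URL[0]);

    // Unguarded: sets the webapp loader and never puts the previous one back.
    static Runnable unguarded(Runnable servlet) {
        return () -> {
            Thread.currentThread().setContextClassLoader(WEBAPP);
            servlet.run();
        };
    }

    // Guarded: same set, but the previous loader is restored even if the servlet throws.
    static Runnable guarded(Runnable servlet) {
        return () -> {
            Thread t = Thread.currentThread();
            ClassLoader orig = t.getContextClassLoader();
            t.setContextClassLoader(WEBAPP);
            try {
                servlet.run();
            } finally {
                t.setContextClassLoader(orig);
            }
        };
    }

    // Runs one failing request on a single pooled thread, then asks the next task
    // (standing in for server code) whether that thread still carries WEBAPP.
    static boolean leaksAfter(UnaryOperator<Runnable> wrapper) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Runnable failingServlet = () -> { throw new IllegalStateException("constructed failure"); };
            pool.submit(wrapper.apply(failingServlet)); // exception is held in the Future, thread survives
            return pool.submit(() -> Thread.currentThread().getContextClassLoader() == WEBAPP).get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unguarded leaks: " + leaksAfter(ContextLoaderLeakDemo::unguarded));
        System.out.println("guarded leaks:   " + leaksAfter(ContextLoaderLeakDemo::guarded));
    }
}
```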