Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/08/22 02:24:30 UTC

DO NOT REPLY [Bug 4138] - Processor threads have inconsistent ClassLoader state

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4138

Processor threads have inconsistent ClassLoader state

ruvinsky@yahoo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |
            Summary|HttpProcessor threads have  |Processor threads have
                   |inconsistent ClassLoader    |inconsistent ClassLoader
                   |state                       |state



------- Additional Comments From ruvinsky@yahoo.com  2002-08-22 00:24 -------
I'd like to revisit this issue, now that it has been some time since it was 
originally reported.  I still feel that this is technically a bug and it should 
get fixed in Tomcat's now more mature state.

Also, rethinking this, this does appear to be a security vulnerability, because 
if the classloader remains as the webapp classloader for the processor 
thread after the servlet finishes servicing, it's particularly vulnerable 
(given that all the server code the thread runs through has all the Java2 
security permissions granted).  The thread could load classes that the *webapp 
classloader* would try loading first (since that specific classloader type does 
not perform parent-first classloader delegation).

Aside from all this, it's a code cleanliness and peace of mind issue.  :)  
Thoughts?

Here is the simple fix in class "org.apache.catalina.core.StandardHostValve":

    public void invoke(Request request, Response response,
                       ValveContext valveContext)
        throws IOException, ServletException {

        // :
        // :
        // :

        // remember the current classloader for this thread
        ClassLoader origClassLoader = Thread.currentThread().
                                             getContextClassLoader();

        // set the context class loader for this thread before invoking
        // the context
        Thread.currentThread().setContextClassLoader(context.getLoader().
                                                     getClassLoader());

        try {
            // have the context process this request
            context.invoke(request, response);
        } finally {
            // under ANY circumstance (regardless of exception occurring during
            // request processing), always perform the following:

            // restore the original classloader for this thread
            Thread.currentThread().setContextClassLoader(origClassLoader);
        }
    }
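
The effect described in the comment above can be reproduced outside Tomcat. The following is an added example, not part of the original post and not Tomcat code: it runs a failing "servlet" on a single pooled thread and then checks which context class loader the next task on that thread sees. The names `ContextLoaderLeakDemo`, `WEBAPP`, `serviceLeaky`, `serviceRestoring` and `leaksAfter` are hypothetical.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Consumer;

public class ContextLoaderLeakDemo {
    // Stand-in for a webapp class loader (constructed for this example).
    static final ClassLoader WEBAPP =
        new URLClassLoader(new URL[0], ContextLoaderLeakDemo.class.getClassLoader());

    // Before: the loader is set for the request and never restored.
    static void serviceLeaky(Runnable servlet) {
        Thread.currentThread().setContextClassLoader(WEBAPP);
        servlet.run();
    }

    // After: the save / try / finally-restore pattern from the proposed fix.
    static void serviceRestoring(Runnable servlet) {
        Thread t = Thread.currentThread();
        ClassLoader orig = t.getContextClassLoader();
        t.setContextClassLoader(WEBAPP);
        try {
            servlet.run();
        } finally {
            t.setContextClassLoader(orig);   // runs even when the servlet throws
        }
    }

    // Services one failing request on a pooled thread, then reports whether
    // the next task on that same thread still sees the webapp loader.
    static boolean leaksAfter(Consumer<Runnable> service) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            pool.submit(() -> {
                try {
                    service.accept(() -> { throw new IllegalStateException("servlet failed"); });
                } catch (IllegalStateException expected) { /* request failed */ }
            }).get();
            return pool.submit(
                () -> Thread.currentThread().getContextClassLoader() == WEBAPP).get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("leaky:     " + leaksAfter(ContextLoaderLeakDemo::serviceLeaky));
        System.out.println("restoring: " + leaksAfter(ContextLoaderLeakDemo::serviceRestoring));
    }
}
```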
