| Summary: | EL Util class should have doPrivileged block | ||
|---|---|---|---|
| Product: | Tomcat 9 | Reporter: | Jay S <jsartoris> |
| Component: | EL | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | unspecified | ||
| Target Milestone: | ----- | ||
| Hardware: | PC | ||
| OS: | All | ||
Can you provide a simple test case that demonstrates the problem? I've spent a little time looking a this. It isn't going to occur in normal Tomcat usage. It may occur if el-api.jar and jasper-el.jar are used independently. I'm working on a fix. My local testing found that the class loader structure would need to be fairly unusual to trigger this issue. I therefore opted to wrap all the requests for the TCCL in a privileged action to ensure that all use cases were covered. Fixed in: - trunk for 9.0.9 onwards - 8.5.x for 8.5.32 onwards - 8.0.x for 8.0.53 onwards - 7.0.x for 7.0.89 onwards |
The javax.el.Util class can lead to an AccessControlException in the getExpressionFactory() method is security is enabled. I believe the call to get the classloader: ClassLoader tccl = Thread.currentThread().getContextClassLoader(); should be wrapped in a doPrivileged block: ClassLoader tccl; if (System.getSecurityManager() != null) { tccl = AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { @Override public ClassLoader run() { return Thread.currentThread().getContextClassLoader(); } }); } else { tccl = Thread.currentThread().getContextClassLoader(); }