Bug 62080

Summary: EL Util class should have doPrivileged block
Product: Tomcat 9 Reporter: Jay S <jsartoris>
Component: ELAssignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P2    
Version: unspecified   
Target Milestone: -----   
Hardware: PC   
OS: All   

Description Jay S 2018-02-06 02:12:52 UTC
The javax.el.Util class can lead to an AccessControlException in the getExpressionFactory() method is security is enabled.

I believe the call to get the classloader:

ClassLoader tccl = Thread.currentThread().getContextClassLoader();

should be wrapped in a doPrivileged block:

ClassLoader tccl;
        if (System.getSecurityManager() != null) {
            tccl = AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
                public ClassLoader run() {
                    return Thread.currentThread().getContextClassLoader();
        } else {
            tccl = Thread.currentThread().getContextClassLoader();
Comment 1 Mark Thomas 2018-02-06 11:52:23 UTC
Can you provide a simple test case that demonstrates the problem?
Comment 2 Mark Thomas 2018-06-06 09:47:21 UTC
I've spent a little time looking a this. It isn't going to occur in normal Tomcat usage. It may occur if el-api.jar and jasper-el.jar are used independently. I'm working on a fix.
Comment 3 Mark Thomas 2018-06-06 10:53:25 UTC
My local testing found that the class loader structure would need to be fairly unusual to trigger this issue. I therefore opted to wrap all the requests for the TCCL in a privileged action to ensure that all use cases were covered. 

Fixed in:
- trunk for 9.0.9 onwards
- 8.5.x for 8.5.32 onwards
- 8.0.x for 8.0.53 onwards
- 7.0.x for 7.0.89 onwards