60925 – Running with SecurityManager - Property 'serverInfo' not found on type org.apache.catalina.core.ApplicationContextFacade

Bug 60925 - Running with SecurityManager - Property 'serverInfo' not found on type org.apache.catalina.core.ApplicationContextFacade

Summary: Running with SecurityManager - Property 'serverInfo' not found on type org.ap...

Status:	RESOLVED FIXED

Alias:	None

Product:	Tomcat 8
Classification:	Unclassified
Component:	EL (show other bugs)
Version:	8.5.12
Hardware:	PC All

Importance:	P2 normal (vote)
Target Milestone:	----
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-03-27 23:01 UTC by Konstantin Kolinko
Modified:	2017-03-29 18:21 UTC (History)
CC List:	0 users

Attachments
localhost.2017-03-28.log (5.95 KB, text/plain) 2017-03-27 23:01 UTC, Konstantin Kolinko	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Konstantin Kolinko 2017-03-27 23:01:30 UTC

Created attachment 34884 [details]
localhost.2017-03-28.log

Noted when smoke-testing 8.5.13 RC, but this is reproducible with released 8.5.12 as well, so it is not a regression.

Steps to reproduce:
1. Start Tomcat 8.5 with security manager enabled
catalina.bat start -security

2. Access the root page,
http://localhost:8080/

It fails with error 500.
Stacktrace from 8.5.13:

javax.el.PropertyNotFoundException: Property 'serverInfo' not found on type org.apache.catalina.core.ApplicationContextFacade
 at javax.el.BeanELResolver$BeanProperties.get(BeanELResolver.java:259)
 at javax.el.BeanELResolver$BeanProperties.access$300(BeanELResolver.java:212)
 at javax.el.BeanELResolver.property(BeanELResolver.java:346)
 at javax.el.BeanELResolver.getValue(BeanELResolver.java:92)
 at org.apache.jasper.el.JasperELResolver.getValue(JasperELResolver.java:110)
 at org.apache.el.parser.AstValue.getValue(AstValue.java:169)
 at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:184)
 at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:944)
 at org.apache.jsp.index_jsp._jspService(index_jsp.java:155)

See attached file with full stacktrace.


Notes:
1. This does not happen when running without SecurityManager.
2. This does not depends on version of java (occurs both with 7u80 and 8u121).


I have seen similar errors when we were fixing CVE-2014-7810
(see thread from 2014-11-17), but it should have been fixed by r1644017
that improved javax.el.BeanELResolver.

Comment 1 Konstantin Kolinko 2017-03-27 23:12:49 UTC

Tomcat 8.5.11 does not have this issue. The root page displays successfully.

Comment 2 Konstantin Kolinko 2017-03-27 23:32:29 UTC

I think that this is triggered by the change in r1784768,
that changed inheritance hierarchy in ApplicationContextFacade

and the cause is that the solution implemented in r1644017 is incomplete:
method BeanELResolver.populateFromInterfaces() does not enumerate parent interfaces of an interface.

Comment 3 Konstantin Kolinko 2017-03-29 13:07:58 UTC

For a record:
There exists a working temporary workaround for this issue:
grant permission to access the "core" package.

E.g. for this test scenario (the ROOT web application),
adding the following lines to catalina.policy file is sufficient:

grant codeBase "file:${catalina.base}/webapps/ROOT/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core";
};

Comment 4 Mark Thomas 2017-03-29 18:21:41 UTC

To state the obvious, that work-around exposes a lot of Tomcat's internals to the web application.

Fixed in:
- trunk for 9.0.0.M20 onwards
- 8.5.x for 8.5.14 onwards
- 8.0.x for 8.0.44 onwards
- 7.0.x for 7.0.78 onwards