Bug 62080 - EL Util class should have doPrivileged block
Summary: EL Util class should have doPrivileged block
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: EL
Version: unspecified
Hardware: PC All
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Reported: 2018-02-06 02:12 UTC by Jay S
Modified: 2018-06-06 10:53 UTC


Description Jay S 2018-02-06 02:12:52 UTC
The javax.el.Util class can lead to an AccessControlException in the getExpressionFactory() method if security is enabled.

I believe the call to get the classloader:

ClassLoader tccl = Thread.currentThread().getContextClassLoader();

should be wrapped in a doPrivileged block:

import java.security.AccessController;
import java.security.PrivilegedAction;

        ClassLoader tccl;
        if (System.getSecurityManager() != null) {
            // Only the class loader lookup runs with this class's privileges
            tccl = AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
                @Override
                public ClassLoader run() {
                    return Thread.currentThread().getContextClassLoader();
                }
            });
        } else {
            tccl = Thread.currentThread().getContextClassLoader();
        }
Comment 1 Mark Thomas 2018-02-06 11:52:23 UTC
Can you provide a simple test case that demonstrates the problem?
Comment 2 Mark Thomas 2018-06-06 09:47:21 UTC
I've spent a little time looking at this. It isn't going to occur in normal Tomcat usage. It may occur if el-api.jar and jasper-el.jar are used independently. I'm working on a fix.
Comment 3 Mark Thomas 2018-06-06 10:53:25 UTC
My local testing found that the class loader structure would need to be fairly unusual to trigger this issue. I therefore opted to wrap all the requests for the TCCL in a privileged action to ensure that all use cases were covered. 

Fixed in:
- trunk for 9.0.9 onwards
- 8.5.x for 8.5.32 onwards
- 8.0.x for 8.0.53 onwards
- 7.0.x for 7.0.89 onwards
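The unusual class loader structure Comment 3 refers to, together with the privileged TCCL lookup the fix describes, as an added Java example that is not part of the bug report or of Tomcat's code. The class name TcclDemo and the harness are constructed; it assumes a JDK on which a SecurityManager can still be installed (8 to 17, or 18 to 23 with -Djava.security.manager=allow).

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedAction;

/** Constructed helper (not Tomcat's javax.el.Util): every TCCL lookup goes through one method. */
public final class TcclDemo {

    /**
     * Thread.getContextClassLoader() asks the SecurityManager for
     * RuntimePermission("getClassLoader") only when the caller's own loader is neither
     * the TCCL nor one of its ancestors. Running the lookup as a privileged action limits
     * that check to this class's protection domain (e.g. a lib jar granted the permission
     * by policy) instead of every frame on the stack. Nothing else is inside the block,
     * so no other operation runs with elevated privileges.
     */
    public static ClassLoader getContextClassLoader() {
        if (System.getSecurityManager() == null) {
            return Thread.currentThread().getContextClassLoader();
        }
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            @Override
            public ClassLoader run() {
                return Thread.currentThread().getContextClassLoader();
            }
        });
    }

    /** Constructed reproducer: a TCCL that has no ancestor relationship to the caller's loader. */
    public static void main(String[] args) {
        // A null parent means the application loader that defined this class is not an
        // ancestor of the TCCL, which is the structure that triggers the permission check.
        Thread.currentThread().setContextClassLoader(new URLClassLoader(new URL[0], null));
        System.setSecurityManager(new SecurityManager());

        try {
            Thread.currentThread().getContextClassLoader();
            System.out.println("direct lookup: allowed");
        } catch (AccessControlException e) {
            System.out.println("direct lookup: " + e.getMessage());
        }
        try {
            System.out.println("privileged lookup: " + getContextClassLoader());
        } catch (AccessControlException e) {
            // Fails the same way unless this class's code source is granted
            // RuntimePermission("getClassLoader") by the policy file in use.
            System.out.println("privileged lookup: " + e.getMessage());
        }
    }
}
```

Under the JDK's default policy the direct lookup fails; the privileged lookup succeeds only when the policy grants the helper's code source the permission, which is why the fix works for el-api.jar in Tomcat's lib directory but not for the same code placed on an ungranted application classpath.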