tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat 8.5: wrong classloader used during context startup?
Date Fri, 19 May 2017 14:25:56 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 5/18/17 1:01 PM, Mark Thomas wrote:
> On 17/05/2017 14:32, Michael Heinen wrote:
>> I am currently migrating a web app from Tomcat 7.0.73 to 8.5.15.
>> An embedded Tomcat is used on development systems.
>> 
>> The web-inf/lib folder of the application contains a jar with a 
>> SAXParserFactory implementation. This SAXParserFactory is now
>> used with TC 8.5 by the WebXmlParser in order to parse the
>> web.xml (and fails unfortunately). The ServiceLoader finds the
>> jar because the ParallelWebappClassLoader is used for the
>> lookup.
>> 
>> TC 7.0.73 uses the sun.misc.Launcher$AppClassLoader and does
>> therefore not use the jar under web-inf\lib. It creates the
>> webXml Digester in the init() phase of the stanrardContext. TC
>> 8.5 does this in the startInternal() phase where the
>> ParallelWebappClassLoader is instantiated and bound to the
>> current thread.
>> 
>> Specifying "javax.xml.parsers.SAXParserFactory" as VM param
>> solves the issue of course.
> 
> I think this is the fix that triggered this: 
> https://svn.apache.org/viewvc?view=revision&revision=1731216
> 
>> My question: Is this behaviour expected?
> 
> It looks like an unintended side-effect of the change.
> 
>> Should Tomcat use libraries of the web app for the startup of a 
>> context, here for web-xml parsing?
> 
> The change has been in place for over a year and this is the first 
> problem we have seen. I'm curious, what exactly was the problem you
> saw?
> 
> I'd probably lean towards fixing this on the grounds that you want
> to parsing of web.xml to be deterministic rather than dependent on
> what may, or may not, be included in the app.
> 
> What do others think?

+1

Also, for an untrusted application (admittedly a minority use case),
having Tomcat parse the app-provided XML with an application-provided
XML parser might have security implications.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlkfAHIACgkQHPApP6U8
pFhZlQ//XXcwN31vZixekSO0tIqAa0Ekcas7jMngfIBlHh2AcIJlNy2qTdXvNPGO
Fow/ZULS8dpZ5Elfd3CXUSrmq6tgbRJvA22MInsme1GfWLdBen4XfkKOS0RQrJIG
h+VkNS46Yr0rCU9pNW/cHlGKYckDnigLkwGQWBND6pz02yJZ138lVruZlTOyq/e3
hOwgd25LJ7nmEEfIZ2ZqYRCTltOts4LSrZxmkrSiPs6ibLU86ehbseBPo1j6nWoP
g7LpLS6AZcJGIFlYaAMh9yN7twLv6dI9U8Qy7eZxb8BL7VBvV4zDNV1EqQqs15SY
Y+ruSq13Oqk19KY3KaabCkeGI+dsP6sj0w7hQigdS9zrI8eiMITX+zxc8nBq/vbJ
L169hW4UtCgo/a8YziUZCZYcBeH0D1cxyr5KWjS6FBsVF/tvtRm6vE6bKY2UNE4C
4oFIpcPcrU9kWMkkZxrMnt+c/E2MN4w6tL6C348RV931wLgePreqUPXu1cFlTgC5
B+qbZ4Ug6NVm+5bi4iY2eb+kzSwHcc9Ds1ILIsdhmLUhIWoV0P0Rfpd6mCgg41qL
yy5eiLZ3Gi4NLqgMRHSbsrJCBm9pwbUc+sIbz9wElG6QPwUgwCpekvat1mM3KxDR
eQtoqOD14qqfU8J+uKs7ViUVzylTCip1IGqv/BoXMqc4/dE5giw=
=HlM/
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message