This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push: new 057158231c Fix BZ 66370 Change default for GET_CLASSLOADER_USE_PRIVILEGED 057158231c is described below commit 057158231c6b6c3cd7e273668ebcae6fa3c2d9c5 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Dec 15 17:17:04 2022 +0000 Fix BZ 66370 Change default for GET_CLASSLOADER_USE_PRIVILEGED When running on Tomcat the EL library is called from within a privileged block so the additional privileged block is unnecessary. When not on Tomcat, use the additional privileged block https://bz.apache.org/bugzilla/show_bug.cgi?id=66370 --- conf/catalina.properties | 4 ++++ java/javax/el/Util.java | 26 +++++++++++++++++++++++--- webapps/docs/changelog.xml | 12 ++++++++++++ 3 files changed, 39 insertions(+), 3 deletions(-) diff --git a/conf/catalina.properties b/conf/catalina.properties index a6c423a272..7a7184551e 100644 --- a/conf/catalina.properties +++ b/conf/catalina.properties @@ -215,3 +215,7 @@ tomcat.util.buf.StringCache.byte.enabled=true # Allow for changes to HTTP request validation # WARNING: Using this option may expose the server to CVE-2016-6816 #tomcat.util.http.parser.HttpParser.requestTargetAllow=| + +# Disable use of some privilege blocks Tomcat doesn't need since calls to the +# code in question are always already inside a privilege block +org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED=false diff --git a/java/javax/el/Util.java b/java/javax/el/Util.java index 58d16e8d77..70675f8eb7 100644 --- a/java/javax/el/Util.java +++ b/java/javax/el/Util.java @@ -43,8 +43,28 @@ class Util { private static final Class<?>[] EMPTY_CLASS_ARRAY = new Class<?>[0]; private static final Object[] EMPTY_OBJECT_ARRAY = new Object[0]; - private static final boolean GET_CLASSLOADER_USE_PRIVILEGED = - Boolean.getBoolean("org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED"); + private static final boolean IS_SECURITY_ENABLED = (System.getSecurityManager() != null); + + private static final boolean GET_CLASSLOADER_USE_PRIVILEGED; + + static { + if (IS_SECURITY_ENABLED) { + // Defaults to using a privileged block + // When running on Tomcat this will be set to false in + // $CATALINA_BASE/conf/catalina.properties + String value = AccessController.doPrivileged(new PrivilegedAction<String>() { + @Override + public String run() { + return System.getProperty("org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED", "true"); + } + }); + GET_CLASSLOADER_USE_PRIVILEGED = Boolean.parseBoolean(value); + } else { + // No security manager - no need to use a privileged block. + GET_CLASSLOADER_USE_PRIVILEGED = false; + } + } + /** * Checks whether the supplied Throwable is one that needs to be @@ -652,7 +672,7 @@ class Util { static ClassLoader getContextClassLoader() { ClassLoader tccl; - if (System.getSecurityManager() != null && GET_CLASSLOADER_USE_PRIVILEGED) { + if (IS_SECURITY_ENABLED && GET_CLASSLOADER_USE_PRIVILEGED) { PrivilegedAction<ClassLoader> pa = new PrivilegedGetTccl(); tccl = AccessController.doPrivileged(pa); } else { diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index f755cdaaf4..bae4a80798 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -149,6 +149,18 @@ </fix> </changelog> </subsection> + <subsection name="Jasper"> + <changelog> + <fix> + <bug>66370</bug>: Change the default of the + <code>org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED</code> system + property to <code>true</code> unless the EL library is running on Tomcat + in which case the default remains <code>false</code> as the EL library + is already called from within a privileged block and skipping the + unnecessary privileged block improves performance. (markt) + </fix> + </changelog> + </subsection> <subsection name="Web applications"> <changelog> <fix> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org