Mark,

On 5/18/17 1:01 PM, Mark Thomas wrote:
> On 17/05/2017 14:32, Michael Heinen wrote:
>> I am currently migrating a web app from Tomcat 7.0.73 to 8.5.15.
>> An embedded Tomcat is used on development systems.
>>
>> The web-inf/lib folder of the application contains a jar with a
>> SAXParserFactory implementation. This SAXParserFactory is now
>> used with TC 8.5 by the WebXmlParser in order to parse the
>> web.xml (and fails unfortunately). The ServiceLoader finds the
>> jar because the ParallelWebappClassLoader is used for the
>> lookup.
>>
>> TC 7.0.73 uses the sun.misc.Launcher$AppClassLoader and does
>> therefore not use the jar under web-inf\lib. It creates the
>> webXml Digester in the init() phase of the StandardContext. TC
>> 8.5 does this in the startInternal() phase where the
>> ParallelWebappClassLoader is instantiated and bound to the
>> current thread.
>>
>> Specifying "javax.xml.parsers.SAXParserFactory" as VM param
>> solves the issue of course.
>
> I think this is the fix that triggered this:
> https://svn.apache.org/viewvc?view=revision&revision=1731216
>
>> My question: Is this behaviour expected?
>
> It looks like an unintended side-effect of the change.
>
>> Should Tomcat use libraries of the web app for the startup of a
>> context, here for web-xml parsing?
>
> The change has been in place for over a year and this is the first
> problem we have seen. I'm curious, what exactly was the problem you
> saw?
>
> I'd probably lean towards fixing this on the grounds that you want
> the parsing of web.xml to be deterministic rather than dependent on
> what may, or may not, be included in the app.
>
> What do others think?

+1

Also, for an untrusted application (admittedly a minority use case),
having Tomcat parse the app-provided XML with an application-provided
XML parser might have security implications.

-chris
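
The lookup behaviour discussed in this thread, as an added example that is not from the thread or from Tomcat's code base: JAXP resolves `SAXParserFactory` through the thread context class loader, so a container can make the lookup deterministic by switching to its own loader around `newInstance()`. The class `PinnedSaxFactoryDemo`, the temporary directory and the provider name `com.example.app.AppSaxParserFactory` are constructed for illustration; Java 11 or later is assumed.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.FactoryConfigurationError;
import javax.xml.parsers.SAXParserFactory;

public class PinnedSaxFactoryDemo {

    /** Creates the factory with the container's loader as context loader, then restores the caller's. */
    static SAXParserFactory newContainerFactory() {
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        try {
            // The service lookup now sees only what the container's own loader can see.
            t.setContextClassLoader(PinnedSaxFactoryDemo.class.getClassLoader());
            SAXParserFactory f = SAXParserFactory.newInstance();
            f.setNamespaceAware(true);
            return f;
        } finally {
            t.setContextClassLoader(saved);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for WEB-INF/lib: a directory whose service file
        // names a hypothetical provider class that does not exist.
        Path lib = Files.createTempDirectory("fake-webapp-lib");
        Path services = Files.createDirectories(lib.resolve("META-INF/services"));
        Files.writeString(services.resolve("javax.xml.parsers.SAXParserFactory"),
                "com.example.app.AppSaxParserFactory\n");

        try (URLClassLoader webapp = new URLClassLoader(new URL[] { lib.toUri().toURL() })) {
            Thread.currentThread().setContextClassLoader(webapp);
            try {
                // Unpinned: the lookup goes through the webapp loader's service file.
                System.out.println("unpinned: " + SAXParserFactory.newInstance().getClass().getName());
            } catch (FactoryConfigurationError e) {
                System.out.println("unpinned lookup failed: " + e.getMessage());
            }
            // Pinned: the webapp's service file is never consulted.
            System.out.println("pinned:   " + newContainerFactory().getClass().getName());
        }
    }
}
```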