Re: (tomcat) branch main updated: Use server's ClassLoader instead of application's when loading XMLInputFactory.
On Mon, Mar 25, 2024 at 6:02 PM Christopher Schultz
wrote:
>
> Rémy,
>
> On 3/25/24 10:21, Rémy Maucherat wrote:
> > On Mon, Mar 25, 2024 at 2:32 PM Christopher Schultz
> > wrote:
> >>
> >> Rémy,
> >>
> >> On 3/22/24 11:39, Rémy Maucherat wrote:
> >>> On Fri, Mar 22, 2024 at 2:40 PM wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> schultz pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/main by this push:
> new 988992ba2e Use server's ClassLoader instead of application's
> when loading XMLInputFactory.
> 988992ba2e is described below
>
> commit 988992ba2e9a8e2c3db47ac960c2fa6c3fc7a8a4
> Author: Christopher Schultz
> AuthorDate: Fri Mar 22 09:37:08 2024 -0400
>
> Use server's ClassLoader instead of application's when loading
> XMLInputFactory.
> >>>
> >>> It doesn't work because there's nothing corresponding to the
> >>> XMLInputFactory.class.getName() id. The default newFactory doesn't do
> >>> the same thing at all.
> >>
> >> Ugh, sorry about that. Thanks for fixing it.
> >>
> >> Setting the ContextClassLoader seems like the wrong approach. Isn't
> >> there a ClassLoader parameter to getFactory for a reason?
> >
> > Feel free to revert it if you don't like it.
>
> Well, using the "obvious" solution didn't work, so ...
>
> I didn't realize that the JRE classes would use
> Thread.currentClassLoader for anything. Does this actually achieve the
> goal of preventing an XMLInputFactory leak? I should probably ask the
> reporter...
Yes, it ends up using SecuritySupport.getContextClassLoader(), which
returns either the context CL or the system CL (if null) using a
privileged action wrapper.
That's how it picks up the application class loader.
Rémy
>
> -chris
>
> java/org/apache/jasper/compiler/EncodingDetector.java | 3 ++-
> webapps/docs/changelog.xml| 5 +
> 2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/java/org/apache/jasper/compiler/EncodingDetector.java
> b/java/org/apache/jasper/compiler/EncodingDetector.java
> index bac9ade2ee..cf3b623104 100644
> --- a/java/org/apache/jasper/compiler/EncodingDetector.java
> +++ b/java/org/apache/jasper/compiler/EncodingDetector.java
> @@ -35,7 +35,8 @@ class EncodingDetector {
>
> private static final XMLInputFactory XML_INPUT_FACTORY;
> static {
> -XML_INPUT_FACTORY = XMLInputFactory.newInstance();
> +XML_INPUT_FACTORY =
> XMLInputFactory.newFactory(XMLInputFactory.class.getName(),
> +EncodingDetector.class.getClassLoader());
> }
>
> private final String encoding;
> diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
> index 341c3a6596..0eca891322 100644
> --- a/webapps/docs/changelog.xml
> +++ b/webapps/docs/changelog.xml
> @@ -179,6 +179,11 @@
> and the web application is deployed as a WAR file rather than
> an
> unpacked directory. (markt)
>
> +
> +Prevent the web application's ClassLoader from being pinned by
> the JSP
> +compiler if an application uses a custom XMLInputFactory. Based
> upon a
> +suggestion from Simon Niederberger. (schultz)
> +
>
>
>
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
> >>>
> >>> -
> >>> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> >>> For additional commands, e-mail: dev-h...@tomcat.apache.org
> >>>
> >>
> >> -
> >> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: dev-h...@tomcat.apache.org
> >>
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: dev-h...@tomcat.apache.org
> >
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: (tomcat) branch main updated: Use server's ClassLoader instead of application's when loading XMLInputFactory.
Rémy,
On 3/25/24 10:21, Rémy Maucherat wrote:
On Mon, Mar 25, 2024 at 2:32 PM Christopher Schultz
wrote:
Rémy,
On 3/22/24 11:39, Rémy Maucherat wrote:
On Fri, Mar 22, 2024 at 2:40 PM wrote:
This is an automated email from the ASF dual-hosted git repository.
schultz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 988992ba2e Use server's ClassLoader instead of application's when
loading XMLInputFactory.
988992ba2e is described below
commit 988992ba2e9a8e2c3db47ac960c2fa6c3fc7a8a4
Author: Christopher Schultz
AuthorDate: Fri Mar 22 09:37:08 2024 -0400
Use server's ClassLoader instead of application's when loading
XMLInputFactory.
It doesn't work because there's nothing corresponding to the
XMLInputFactory.class.getName() id. The default newFactory doesn't do
the same thing at all.
Ugh, sorry about that. Thanks for fixing it.
Setting the ContextClassLoader seems like the wrong approach. Isn't
there a ClassLoader parameter to getFactory for a reason?
Feel free to revert it if you don't like it.
Well, using the "obvious" solution didn't work, so ...
I didn't realize that the JRE classes would use
Thread.currentClassLoader for anything. Does this actually achieve the
goal of preventing an XMLInputFactory leak? I should probably ask the
reporter...
-chris
java/org/apache/jasper/compiler/EncodingDetector.java | 3 ++-
webapps/docs/changelog.xml| 5 +
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/jasper/compiler/EncodingDetector.java
b/java/org/apache/jasper/compiler/EncodingDetector.java
index bac9ade2ee..cf3b623104 100644
--- a/java/org/apache/jasper/compiler/EncodingDetector.java
+++ b/java/org/apache/jasper/compiler/EncodingDetector.java
@@ -35,7 +35,8 @@ class EncodingDetector {
private static final XMLInputFactory XML_INPUT_FACTORY;
static {
-XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+XML_INPUT_FACTORY =
XMLInputFactory.newFactory(XMLInputFactory.class.getName(),
+EncodingDetector.class.getClassLoader());
}
private final String encoding;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 341c3a6596..0eca891322 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -179,6 +179,11 @@
and the web application is deployed as a WAR file rather than an
unpacked directory. (markt)
+
+Prevent the web application's ClassLoader from being pinned by the JSP
+compiler if an application uses a custom XMLInputFactory. Based upon a
+suggestion from Simon Niederberger. (schultz)
+
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: (tomcat) branch main updated: Use server's ClassLoader instead of application's when loading XMLInputFactory.
On Mon, Mar 25, 2024 at 2:32 PM Christopher Schultz
wrote:
>
> Rémy,
>
> On 3/22/24 11:39, Rémy Maucherat wrote:
> > On Fri, Mar 22, 2024 at 2:40 PM wrote:
> >>
> >> This is an automated email from the ASF dual-hosted git repository.
> >>
> >> schultz pushed a commit to branch main
> >> in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >>
> >>
> >> The following commit(s) were added to refs/heads/main by this push:
> >> new 988992ba2e Use server's ClassLoader instead of application's
> >> when loading XMLInputFactory.
> >> 988992ba2e is described below
> >>
> >> commit 988992ba2e9a8e2c3db47ac960c2fa6c3fc7a8a4
> >> Author: Christopher Schultz
> >> AuthorDate: Fri Mar 22 09:37:08 2024 -0400
> >>
> >> Use server's ClassLoader instead of application's when loading
> >> XMLInputFactory.
> >
> > It doesn't work because there's nothing corresponding to the
> > XMLInputFactory.class.getName() id. The default newFactory doesn't do
> > the same thing at all.
>
> Ugh, sorry about that. Thanks for fixing it.
>
> Setting the ContextClassLoader seems like the wrong approach. Isn't
> there a ClassLoader parameter to getFactory for a reason?
Feel free to revert it if you don't like it.
Rémy
> -chris
>
> >
> > Rémy
> >
> >> ---
> >> java/org/apache/jasper/compiler/EncodingDetector.java | 3 ++-
> >> webapps/docs/changelog.xml| 5 +
> >> 2 files changed, 7 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/java/org/apache/jasper/compiler/EncodingDetector.java
> >> b/java/org/apache/jasper/compiler/EncodingDetector.java
> >> index bac9ade2ee..cf3b623104 100644
> >> --- a/java/org/apache/jasper/compiler/EncodingDetector.java
> >> +++ b/java/org/apache/jasper/compiler/EncodingDetector.java
> >> @@ -35,7 +35,8 @@ class EncodingDetector {
> >>
> >> private static final XMLInputFactory XML_INPUT_FACTORY;
> >> static {
> >> -XML_INPUT_FACTORY = XMLInputFactory.newInstance();
> >> +XML_INPUT_FACTORY =
> >> XMLInputFactory.newFactory(XMLInputFactory.class.getName(),
> >> +EncodingDetector.class.getClassLoader());
> >> }
> >>
> >> private final String encoding;
> >> diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
> >> index 341c3a6596..0eca891322 100644
> >> --- a/webapps/docs/changelog.xml
> >> +++ b/webapps/docs/changelog.xml
> >> @@ -179,6 +179,11 @@
> >> and the web application is deployed as a WAR file rather than an
> >> unpacked directory. (markt)
> >>
> >> +
> >> +Prevent the web application's ClassLoader from being pinned by
> >> the JSP
> >> +compiler if an application uses a custom XMLInputFactory. Based
> >> upon a
> >> +suggestion from Simon Niederberger. (schultz)
> >> +
> >>
> >>
> >>
> >>
> >>
> >> -
> >> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: dev-h...@tomcat.apache.org
> >>
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: dev-h...@tomcat.apache.org
> >
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: (tomcat) branch main updated: Use server's ClassLoader instead of application's when loading XMLInputFactory.
Rémy,
On 3/22/24 11:39, Rémy Maucherat wrote:
On Fri, Mar 22, 2024 at 2:40 PM wrote:
This is an automated email from the ASF dual-hosted git repository.
schultz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 988992ba2e Use server's ClassLoader instead of application's when
loading XMLInputFactory.
988992ba2e is described below
commit 988992ba2e9a8e2c3db47ac960c2fa6c3fc7a8a4
Author: Christopher Schultz
AuthorDate: Fri Mar 22 09:37:08 2024 -0400
Use server's ClassLoader instead of application's when loading
XMLInputFactory.
It doesn't work because there's nothing corresponding to the
XMLInputFactory.class.getName() id. The default newFactory doesn't do
the same thing at all.
Ugh, sorry about that. Thanks for fixing it.
Setting the ContextClassLoader seems like the wrong approach. Isn't
there a ClassLoader parameter to getFactory for a reason?
-chris
Rémy
---
java/org/apache/jasper/compiler/EncodingDetector.java | 3 ++-
webapps/docs/changelog.xml| 5 +
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/jasper/compiler/EncodingDetector.java
b/java/org/apache/jasper/compiler/EncodingDetector.java
index bac9ade2ee..cf3b623104 100644
--- a/java/org/apache/jasper/compiler/EncodingDetector.java
+++ b/java/org/apache/jasper/compiler/EncodingDetector.java
@@ -35,7 +35,8 @@ class EncodingDetector {
private static final XMLInputFactory XML_INPUT_FACTORY;
static {
-XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+XML_INPUT_FACTORY =
XMLInputFactory.newFactory(XMLInputFactory.class.getName(),
+EncodingDetector.class.getClassLoader());
}
private final String encoding;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 341c3a6596..0eca891322 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -179,6 +179,11 @@
and the web application is deployed as a WAR file rather than an
unpacked directory. (markt)
+
+Prevent the web application's ClassLoader from being pinned by the JSP
+compiler if an application uses a custom XMLInputFactory. Based upon a
+suggestion from Simon Niederberger. (schultz)
+
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: (tomcat) branch main updated: Use server's ClassLoader instead of application's when loading XMLInputFactory.
On Fri, Mar 22, 2024 at 2:40 PM wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> schultz pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/main by this push:
> new 988992ba2e Use server's ClassLoader instead of application's when
> loading XMLInputFactory.
> 988992ba2e is described below
>
> commit 988992ba2e9a8e2c3db47ac960c2fa6c3fc7a8a4
> Author: Christopher Schultz
> AuthorDate: Fri Mar 22 09:37:08 2024 -0400
>
> Use server's ClassLoader instead of application's when loading
> XMLInputFactory.
It doesn't work because there's nothing corresponding to the
XMLInputFactory.class.getName() id. The default newFactory doesn't do
the same thing at all.
Rémy
> ---
> java/org/apache/jasper/compiler/EncodingDetector.java | 3 ++-
> webapps/docs/changelog.xml| 5 +
> 2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/java/org/apache/jasper/compiler/EncodingDetector.java
> b/java/org/apache/jasper/compiler/EncodingDetector.java
> index bac9ade2ee..cf3b623104 100644
> --- a/java/org/apache/jasper/compiler/EncodingDetector.java
> +++ b/java/org/apache/jasper/compiler/EncodingDetector.java
> @@ -35,7 +35,8 @@ class EncodingDetector {
>
> private static final XMLInputFactory XML_INPUT_FACTORY;
> static {
> -XML_INPUT_FACTORY = XMLInputFactory.newInstance();
> +XML_INPUT_FACTORY =
> XMLInputFactory.newFactory(XMLInputFactory.class.getName(),
> +EncodingDetector.class.getClassLoader());
> }
>
> private final String encoding;
> diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
> index 341c3a6596..0eca891322 100644
> --- a/webapps/docs/changelog.xml
> +++ b/webapps/docs/changelog.xml
> @@ -179,6 +179,11 @@
> and the web application is deployed as a WAR file rather than an
> unpacked directory. (markt)
>
> +
> +Prevent the web application's ClassLoader from being pinned by the
> JSP
> +compiler if an application uses a custom XMLInputFactory. Based upon
> a
> +suggestion from Simon Niederberger. (schultz)
> +
>
>
>
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
