http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4138

Processor threads have inconsistent ClassLoader state

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |
            Summary|HttpProcessor threads have  |Processor threads have
                   |inconsistent ClassLoader    |inconsistent ClassLoader
                   |state                       |state

------- Additional Comments From [EMAIL PROTECTED]  2002-08-22 00:24 -------
I'd like to revisit this issue, now that it has been some time since it was
originally reported. I still feel that this is technically a bug and it should
get fixed in Tomcat's now more mature state.

Also, rethinking this, this does appear to be a security vulnerability, because
if the classloader remains as the webapp classloader for the processor thread
after the servlet finishes servicing, it's particularly vulnerable (given that
all the server code the thread runs through has all the Java2 security
permissions granted). The thread could load classes that the *webapp
classloader* would try loading first (since that specific classloader type does
not perform parent-first classloader delegation).

Aside from all this, it's a code cleanliness and peace of mind issue. :)

Thoughts?

Here is the simple fix in class "org.apache.catalina.core.StandardHostValve":

    public void invoke(Request request, Response response,
                       ValveContext valveContext)
        throws IOException, ServletException {

        // :
        // :
        // :

        // remember the current classloader for this thread
        ClassLoader origClassLoader =
            Thread.currentThread().getContextClassLoader();

        // set the context class loader for this thread before invoking
        // the context
        Thread.currentThread().setContextClassLoader(
            context.getLoader().getClassLoader());

        try {
            // have the context process this request
            context.invoke(request, response);
        } finally {
            // under ANY circumstance (regardless of exception occurring during
            // request processing), always perform the following:

            // restore the original classloader for this thread
            Thread.currentThread().setContextClassLoader(origClassLoader);
        }
    }
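
Added example, not part of the original comment or of Tomcat's code: a self-contained Java program that shows the stale context class loader surviving on a reused worker thread, and the save/restore pattern from the comment removing it. The class and method names, the single-thread executor standing in for a Processor thread, and the empty URLClassLoader standing in for the webapp loader are all assumptions made for illustration.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ContextLoaderLeakDemo {
    // Constructed stand-in for a webapp class loader (no URLs, loads nothing itself).
    static final ClassLoader WEBAPP =
            new URLClassLoader(new URL[0], ContextLoaderLeakDemo.class.getClassLoader());

    // Sets the webapp loader and never puts the old one back.
    static void serviceLeaky(Runnable servlet) {
        Thread.currentThread().setContextClassLoader(WEBAPP);
        servlet.run();
    }

    // Same save/try/finally/restore shape as the fix proposed in the comment.
    static void serviceRestoring(Runnable servlet) {
        Thread t = Thread.currentThread();
        ClassLoader orig = t.getContextClassLoader();
        t.setContextClassLoader(WEBAPP);
        try {
            servlet.run();
        } finally {
            t.setContextClassLoader(orig);
        }
    }

    // Runs one request, then asks the same pooled thread if it still has the webapp loader.
    static boolean leaksAfter(ExecutorService pool, Runnable request) throws Exception {
        try {
            pool.submit(request).get();
        } catch (ExecutionException e) { /* servlet threw; the pool thread is reused */ }
        return pool.submit(() -> Thread.currentThread().getContextClassLoader() == WEBAPP).get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Runnable failing = () -> { throw new IllegalStateException("servlet failed"); };
        try {
            System.out.println("restoring: " + leaksAfter(pool, () -> serviceRestoring(failing)));
            System.out.println("leaky:     " + leaksAfter(pool, () -> serviceLeaky(failing)));
        } finally {
            pool.shutdown();
        }
    }
}
```

The failing servlet is deliberate: it exercises the exception path that the finally block in the proposed fix is there to cover.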