Bug 45933 - Error processing TLD file in webapp with XML parser
Summary: Error processing TLD file in webapp with XML parser
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 5.5.27
Hardware: PC All
: P3 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
: 46549 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-10-01 23:51 UTC by Eddy Chan
Modified: 2009-06-03 13:56 UTC (History)
2 users (show)



Attachments
Test webapp that demonstrates error (801.61 KB, application/octet-stream)
2008-10-02 01:06 UTC, Eddy Chan
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Eddy Chan 2008-10-01 23:51:18 UTC
Along the same lines with CR 29936, com.apache.catalina.startup.TldConfig.tldDigester has an issue with initialization.  Basically, the TldConfig's parser can be initialized with the webapp's XML parser, which causes a security problem, since it has permission issues with reading files.  This is caused by a similar scenario to CR 29936:

1) Remove all stock webapps that come with the standard installation.  This
includes the ones in server/webapps.  Remember to remove the configurations in
conf/Catalina.
2) Add a webapp that has a XML parser located in WEB-INF/lib.  For instance,
one from sourceforge or Apache Xerces.
3) Add a library containing a .tld file in META-INF like Spring.
4) In order to actually have a log containing the error, you need to enable logging.  For example, by following the instructions laid out in http://tomcat.apache.org/tomcat-5.5-doc/logging.html.  I used log4j.
5) Start the appserver in secure mode.

You should see an error in the log similar to the following:

ERROR main org.apache.catalina.startup.TldConfig - Exception processing TLD META-INF/spring-form.tld in JAR at resource path TOMCAT_PATH/webapps/MY_WAR/WEB-INF/lib/spring.jar in context /MY_WAR
java.security.AccessControlException: access denied (java.io.FilePermission TOMCAT_PATH/common/lib/jsp-api.jar read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
        at java.util.zip.ZipFile.<init>(ZipFile.java:109)
        at java.util.jar.JarFile.<init>(JarFile.java:133)
        at java.util.jar.JarFile.<init>(JarFile.java:70)
        at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:72)
        at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:48)
        at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:53)
        at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:104)
        at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:132)
        at java.net.URL.openStream(URL.java:1009)
        at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
        at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
        at org.apache.xerces.impl.XMLEntityManager.startDTDEntity(Unknown Source)
        at org.apache.xerces.impl.XMLDTDScannerImpl.setInputSource(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.DTDConfiguration.parse(Unknown Source)
        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
        at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
        at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1562)
        at org.apache.catalina.startup.TldConfig.tldScanStream(TldConfig.java:514)
        at org.apache.catalina.startup.TldConfig.tldScanJar(TldConfig.java:472)
        at org.apache.catalina.startup.TldConfig.execute(TldConfig.java:307)
        at org.apache.catalina.core.StandardContext.processTlds(StandardContext.java:4307)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4144)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:122)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:144)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:738)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:831)
        at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:720)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1150)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:448)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)

Note that if you restart the appserver, you will need to remove the webapp's TLD cache located at "TOMCAT_PATH/work/Catalina/localhost/MY_WAR/tldCache.ser" to reproduce the error again.
Comment 1 Eddy Chan 2008-10-02 01:06:39 UTC
Created attachment 22666 [details]
Test webapp that demonstrates error
Comment 2 Mark Thomas 2008-10-02 04:18:41 UTC
I am unable to reproduce this. Looking at your stack trace the security exception is caused when trying to read jsp-api.jar. This jar should never be scanned as it is on the exclude list so I don't understand how you can be seeing this error.

Reviewing the code does show that there is an issue. Additionally, the XML validation settings of the first context precessed are used for all contexts. I can fix these issues based purely on code review but it would be nice to be able to confirm the fix with a test case.
Comment 3 Mark Thomas 2008-10-03 04:54:19 UTC
Ignore my previous. I now have a test case.

Thanks for the report. This has been fixed in trunk and proposed for 6.0.x and 5.5.x.
Comment 4 Mark Thomas 2009-01-31 00:26:49 UTC
This has been fixed 6.0.x and will be included in 6.0.19 onwards.
Comment 5 Mark Thomas 2009-04-08 10:20:50 UTC
*** Bug 46549 has been marked as a duplicate of this bug. ***
Comment 6 Mark Thomas 2009-06-03 13:56:05 UTC
The patch has been applied to 5.5.x and will be included in 5.5.28 onwards.