...
This noncompliant code example shows a vulnerability present in several versions of the Tomcat HTTP web server (fixed in version 6.0.20) that allows untrusted web applications to override the default XML parser used by the system to process the web.xml, context.xml, and tag library descriptor (TLD) files of other web applications deployed on the same Tomcat instance. Consequently, an untrusted web application that installs its own parser could view and/or alter these files under certain circumstances.
The noncompliant code example shows the code associated with initialization of a new Digester instance in the org.apache.catalina.startup.ContextConfig class. "A Digester processes an XML input stream by matching a series of element nesting patterns to execute Rules that have been added prior to the start of parsing" [Tomcat 2009]. The code to initialize the Digester follows:
...
The createWebDigester() method is responsible for creating the Digester. This method calls createWebXMLDigester(), which invokes the method DigesterFactory.newDigester(). This method creates the new digester instance and sets a boolean flag, useContextClassLoader, to true.
...
The useContextClassLoader flag is used by Digester to decide which ClassLoader to use when loading new classes. When the flag is true, Digester uses the thread's context class loader, which at the time of parsing is the WebappClassLoader. That loader is untrusted, because it loads whatever classes are requested by the various web applications.
...
The underlying problem is that the newInstance() method is invoked on behalf of a web application's class loader, the WebappClassLoader, and it loads classes before Tomcat has loaded all the classes it needs. The JAXP factory lookup honors the thread's context class loader, so if a web application supplies its own javax.xml.parsers.SAXParserFactory (for example, through a META-INF/services provider entry in its own archive), then when Tomcat tries to obtain a SAXParserFactory it receives the web application's SAXParserFactory rather than the standard Java SAXParserFactory that it depends on.
...
In this compliant solution, Tomcat initializes the SAXParserFactory when it creates the Digester, during container start-up. This guarantees that the SAXParserFactory is constructed using the container's class loader rather than the WebappClassLoader.
The webDigester is also marked final. This prevents any subclass from assigning a new object reference to webDigester (see OBJ10-J. Do not use public static non-final variables for more information). It also prevents a race condition in which another thread could access webDigester before it is fully initialized (see OBJ11-J. Prevent access to partially initialized objects for more information).
```java
protected static final Digester webDigester = init();

// Static so that it can run during class initialization; at that point the
// thread's context class loader is still the container's, not a WebappClassLoader.
protected static Digester init() {
    Digester digester = createWebDigester();
    digester.getParser(); // Resolves the SAXParserFactory now, under the container's class loader, so later parses cannot pick up a web application's factory
    return digester;
}
```
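To make the class-loader dependence that both the noncompliant example and this fix turn on observable, the following stand-alone program is an added example; it is not code from Tomcat or from this page. It builds a throwaway URLClassLoader playing the role of WebappClassLoader, registers a hypothetical WebappSAXParserFactory through a META-INF/services entry in a constructed exploded WAR, and shows that SAXParserFactory.newInstance() returns that class whenever the WAR's loader is the thread's context class loader. It then shows the compliant pattern: obtain the factory once while the container's loader is current (what webDigester.getParser() does in the static initializer) and keep using that pinned instance. The class names, the temporary directory and the <web-app/> input are all constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class ContextClassLoaderDemo {

    // Hypothetical parser factory that an untrusted WAR could ship. A real one would
    // delegate to a working parser and quietly copy every document it is handed; this
    // one only makes the substitution visible by refusing to parse.
    public static final class WebappSAXParserFactory extends SAXParserFactory {
        @Override
        public SAXParser newSAXParser() throws ParserConfigurationException, SAXException {
            throw new SAXException("parser supplied by an untrusted web application was selected");
        }
        @Override
        public void setFeature(String name, boolean value) { }
        @Override
        public boolean getFeature(String name) { return false; }
    }

    // JAXP service-provider file that SAXParserFactory.newInstance() consults through
    // the thread's context class loader.
    private static final String SERVICE_FILE =
        "META-INF/services/javax.xml.parsers.SAXParserFactory";

    // Stand-in for WebappClassLoader: a loader whose search path is a constructed
    // exploded WAR containing only a provider entry that names our factory.
    static ClassLoader untrustedWebappLoader(ClassLoader parent) throws IOException {
        Path war = Files.createTempDirectory("untrusted-webapp");
        Path provider = war.resolve(SERVICE_FILE);
        Files.createDirectories(provider.getParent());
        Files.write(provider, WebappSAXParserFactory.class.getName().getBytes(StandardCharsets.UTF_8));
        return new URLClassLoader(new URL[] { war.toUri().toURL() }, parent);
    }

    // The noncompliant shape: look the factory up lazily under whatever context class
    // loader happens to be set on the calling thread (what Digester does when
    // useContextClassLoader is true).
    static String factoryChosenUnder(ClassLoader contextLoader) {
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        t.setContextClassLoader(contextLoader);
        try {
            return SAXParserFactory.newInstance().getClass().getName();
        } finally {
            t.setContextClassLoader(saved);
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader container = ContextClassLoaderDemo.class.getClassLoader();
        ClassLoader webapp = untrustedWebappLoader(container);

        System.out.println("container loader current -> " + factoryChosenUnder(container));
        System.out.println("webapp loader current    -> " + factoryChosenUnder(webapp));

        // Compliant shape: resolve the factory once while the container's loader is
        // current, as webDigester.getParser() does during ContextConfig initialization,
        // then keep using that instance no matter which loader later becomes current.
        SAXParserFactory pinned = SAXParserFactory.newInstance();
        Thread.currentThread().setContextClassLoader(webapp);
        try {
            System.out.println("pinned factory           -> " + pinned.getClass().getName());
            byte[] webXml = "<web-app/>".getBytes(StandardCharsets.UTF_8); // constructed input
            pinned.newSAXParser().parse(new ByteArrayInputStream(webXml), new DefaultHandler());
            System.out.println("parsed with the container's parser while the webapp loader was current");
        } finally {
            Thread.currentThread().setContextClassLoader(container);
        }
    }
}
```

Compile and run it with javac and java. The second lookup names WebappSAXParserFactory, while the first lookup and the pinned factory name the JDK's default implementation, and the final parse succeeds even though the untrusted loader is current. Pinning the instance early is the approach the Tomcat fix takes; where the implementation class is known, SAXParserFactory.newInstance(String, ClassLoader) with the container's loader removes the dependence on the context class loader altogether.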
...
[CVE 2008] CVE-2009-0783, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
[Gong 2003] Section 4.3.2, Class Loader Delegation Hierarchy
[JLS 2005] Section 4.3.2, "The Class
[Tomcat 2009] Bug ID 29936, https://issues.apache.org/bugzilla/show_bug.cgi?id=29936; API Class; http://tomcat.apache.org/security-6.html
...