--- java/org/apache/catalina/security/SecurityClassLoad.java.orig	2014-07-24 18:29:38.830023000 -0400

+++ java/org/apache/catalina/security/SecurityClassLoad.java	2014-07-24 18:31:18.655356000 -0400

@@ -25,9 +25,7 @@

  *

  * @author Glenn L. Nielsen

  * @author Jean-Francois Arcand

- * @version $Id: SecurityClassLoad.java 1410548 2012-11-16 19:38:51Z markt $

  */

-

 public final class SecurityClassLoad {

     public static void securityClassLoad(ClassLoader loader)

@@ -41,6 +39,7 @@

         loadCoyotePackage(loader);

         loadLoaderPackage(loader);

         loadRealmPackage(loader);

+        loadServletsPackage(loader);

         loadSessionPackage(loader);

         loadUtilPackage(loader);

         loadValvesPackage(loader);

@@ -76,12 +75,6 @@

             "AsyncContextImpl$1");

         loader.loadClass

             (basePackage +

-            "AsyncContextImpl$PrivilegedGetTccl");

-        loader.loadClass

-            (basePackage +

-            "AsyncContextImpl$PrivilegedSetTccl");

-        loader.loadClass

-            (basePackage +

             "AsyncListenerWrapper");

         loader.loadClass

             (basePackage +

@@ -124,14 +117,24 @@

     }

+    private static final void loadServletsPackage(ClassLoader loader)

+            throws Exception {

+        final String basePackage = "org.apache.catalina.servlets.";

+        // Avoid a possible memory leak in the DefaultServlet when running with

+        // a security manager. The DefaultServlet needs to load an XML parser

+        // when running under a security manager. We want this to be loaded by

+        // the container rather than a web application to prevent a memory leak

+        // via web application class loader.

+        loader.loadClass(basePackage + "DefaultServlet");

+    }

+

+

     private static final void loadSessionPackage(ClassLoader loader)

         throws Exception {

         final String basePackage = "org.apache.catalina.session.";

         loader.loadClass

             (basePackage + "StandardSession");

         loader.loadClass

-            (basePackage + "StandardSession$PrivilegedSetTccl");

-        loader.loadClass

             (basePackage + "StandardSession$1");

         loader.loadClass

             (basePackage + "StandardManager$PrivilegedDoUnload");

@@ -280,10 +283,9 @@

         loader.loadClass(basePackage +

                 "util.net.NioBlockingSelector$BlockPoller$3");

         loader.loadClass(basePackage + "util.net.SSLSupport$CipherData");

-        loader.loadClass

-            (basePackage + "util.net.JIoEndpoint$PrivilegedSetTccl");

-        loader.loadClass

-            (basePackage + "util.net.AprEndpoint$PrivilegedSetTccl");

+        // security

+        loader.loadClass(basePackage + "util.security.PrivilegedGetTccl");

+        loader.loadClass(basePackage + "util.security.PrivilegedSetTccl");

     }

 }

--- java/org/apache/catalina/servlets/DefaultServlet.java.orig	2014-07-24 18:29:38.875020000 -0400

+++ java/org/apache/catalina/servlets/DefaultServlet.java	2014-07-24 18:31:18.695352000 -0400

@@ -14,8 +14,6 @@

  * See the License for the specific language governing permissions and

  * limitations under the License.

  */

-

-

 package org.apache.catalina.servlets;

@@ -34,6 +32,7 @@

 import java.io.Reader;

 import java.io.StringReader;

 import java.io.StringWriter;

+import java.security.AccessController;

 import java.util.ArrayList;

 import java.util.Iterator;

 import java.util.Locale;

@@ -76,11 +75,14 @@

 import org.apache.naming.resources.Resource;

 import org.apache.naming.resources.ResourceAttributes;

 import org.apache.tomcat.util.res.StringManager;

-

+import org.apache.tomcat.util.security.PrivilegedGetTccl;

+import org.apache.tomcat.util.security.PrivilegedSetTccl;

 import org.w3c.dom.Document;

 import org.xml.sax.InputSource;

 import org.xml.sax.SAXException;

 import org.xml.sax.ext.EntityResolver2;

+

+

 /**

  * 
The default resource-serving servlet for most web applications,

  * used to serve static resources such as HTML pages and images.

@@ -122,9 +124,7 @@

  * 

  * @author Craig R. McClanahan

  * @author Remy Maucherat

- * @version $Id: DefaultServlet.java 1301255 2012-03-15 22:47:40Z markt $

  */

-

 public class DefaultServlet

     extends HttpServlet {

@@ -132,10 +132,10 @@

     private static final DocumentBuilderFactory factory;

-    private static final SecureEntityResolver secureEntityResolver =

-            new SecureEntityResolver();

-    // ----------------------------------------------------- Instance Variables

+    private static final SecureEntityResolver secureEntityResolver;

+

+    // ----------------------------------------------------- Instance Variables

     /**

      * The debugging detail level for this servlet.

@@ -225,6 +225,11 @@

      */

     protected static final ArrayList<Range> FULL = new ArrayList<Range>();

+    /**

+     * Flag to determine if server information is presented.

+     */

+    protected boolean showServerInfo = true;

+

     // ----------------------------------------------------- Static Initializer

@@ -239,9 +244,16 @@

         urlEncoder.addSafeCharacter('.');

         urlEncoder.addSafeCharacter('*');

         urlEncoder.addSafeCharacter('/');

-        factory = DocumentBuilderFactory.newInstance();

-        factory.setNamespaceAware(true);

-        factory.setValidating(false);

+        

+        if (Globals.IS_SECURITY_ENABLED) {

+            factory = DocumentBuilderFactory.newInstance();

+            factory.setNamespaceAware(true);

+            factory.setValidating(false);

+            secureEntityResolver = new SecureEntityResolver();

+        } else {

+            factory = null;

+            secureEntityResolver = null;

+        }

     }

@@ -270,6 +282,7 @@

     protected static final int BUFFER_SIZE = 4096;

+

     // --------------------------------------------------------- Public Methods

@@ -345,6 +358,9 @@

             throw new UnavailableException("No resources");

         }

+        if (getServletConfig().getInitParameter("showServerInfo") != null) {

+            showServerInfo = Boolean.parseBoolean(getServletConfig().getInitParameter("showServerInfo"));

+        }

     }

@@ -1251,7 +1267,6 @@

     }

-

     /**

      *  Decide which way to render. HTML or XML.

      */

@@ -1259,13 +1274,15 @@

         throws IOException, ServletException {

         Source xsltSource = findXsltInputStream(cacheEntry.context);

-        if (xsltSource ==null) {

+

+        if (xsltSource == null) {

             return renderHtml(contextPath, cacheEntry);

         }

         return renderXml(contextPath, cacheEntry, xsltSource);

     }

+    

     /**

      * Return an InputStream to an HTML representation of the contents

      * of this directory.

@@ -1362,11 +1379,27 @@

             sb.append("]]></readme>");

         }

-

         sb.append("</listing>");

-

+        // Prevent possible memory leak. Ensure Transformer and

+        // TransformerFactory are not loaded from the web application.

+        ClassLoader original;

+        if (Globals.IS_SECURITY_ENABLED) {

+            PrivilegedGetTccl pa = new PrivilegedGetTccl();

+            original = AccessController.doPrivileged(pa);

+        } else {

+            original = Thread.currentThread().getContextClassLoader();

+        }

         try {

+            if (Globals.IS_SECURITY_ENABLED) {

+                PrivilegedSetTccl pa =

+                        new PrivilegedSetTccl(DefaultServlet.class.getClassLoader());

+                AccessController.doPrivileged(pa);

+            } else {

+                Thread.currentThread().setContextClassLoader(

+                        DefaultServlet.class.getClassLoader());

+            }

+

             TransformerFactory tFactory = TransformerFactory.newInstance();

             Source xmlSource = new StreamSource(new StringReader(sb.toString()));

             Transformer transformer = tFactory.newTransformer(xsltSource);

@@ -1379,6 +1412,13 @@

             return (new ByteArrayInputStream(stream.toByteArray()));

         } catch (TransformerException e) {

             throw new ServletException("XSL transformer error", e);

+        } finally {

+            if (Globals.IS_SECURITY_ENABLED) {

+                PrivilegedSetTccl pa = new PrivilegedSetTccl(original);

+                AccessController.doPrivileged(pa);

+            } else {

+                Thread.currentThread().setContextClassLoader(original);

+            }

         }

     }

@@ -1530,7 +1570,9 @@

             sb.append("
");

         }

-        sb.append("
").append(ServerInfo.getServerInfo()).append("
");

+        if (showServerInfo) {

+            sb.append("
").append(ServerInfo.getServerInfo()).append("
");

+        }

         sb.append("</body>\r\n");

         sb.append("</html>\r\n");

@@ -1588,7 +1630,7 @@

     /**

-     * Return the xsl template inputstream (if possible)

+     * Return a Source for the xsl template (if possible)

      */

     protected Source findXsltInputStream(DirContext directory)

         throws IOException {

@@ -1630,31 +1672,32 @@

         /*  Open and read in file in one fell swoop to reduce chance

          *  chance of leaving handle open.

          */

-       if (globalXsltFile != null) {

-          File f = validateGlobalXsltFile();

-          if (f != null ){

-              FileInputStream fis = null;

-              try {

-                 fis = new FileInputStream(f);

-                 byte b[] = new byte[(int)f.length()]; /* danger! */

-                 fis.read(b);

-                 return new StreamSource(new ByteArrayInputStream(b));

-              } finally {

-                  if (fis != null) {

-                      try {

-                          fis.close();

-                      } catch(IOException ioe) {

-                          // ignore

-                      }

-                  }

-              }

-           }

+        if (globalXsltFile != null) {

+            File f = validateGlobalXsltFile();

+            if (f != null){

+                FileInputStream fis = null;

+                try {

+                    fis = new FileInputStream(f);

+                    byte b[] = new byte[(int)f.length()]; /* danger! */

+                    fis.read(b);

+                    return new StreamSource(new ByteArrayInputStream(b));

+                } finally {

+                    if (fis != null) {

+                        try {

+                            fis.close();

+                        } catch (IOException ioe) {

+                            // Ignore

+                        }

+                    }

+                }

+            }

         }

         return null;

     }

+

     private File validateGlobalXsltFile() {

         File result = null;

@@ -1705,6 +1748,7 @@

         return candidate;

     }

+

     private Source secureXslt(InputStream is) {

         // Need to filter out any external entities

         Source result = null;

@@ -1740,7 +1784,6 @@

     // -------------------------------------------------------- protected Methods

-

     /**

      * Check if sendfile can be used.

      */

@@ -2240,9 +2283,6 @@

     }

-    // ------------------------------------------------------ Range Inner Class

-

-

     protected static class Range {

         public long start;

@@ -2259,6 +2299,7 @@

         }

     }

+

     /**

      * This is secure in the sense that any attempt to use an external entity

      * will trigger an exception.

@@ -2288,4 +2329,3 @@

         }

     }

 }

-

--- webapps/docs/changelog.xml.orig	2014-07-24 18:29:38.917021000 -0400

+++ webapps/docs/changelog.xml	2014-07-24 18:36:52.526481000 -0400

@@ -158,6 +158,15 @@

         <bug>55176</bug>: Correctly handle regular expressions within SSI

         expressions that contain an equals character. (markt)

       </fix>

+      <fix>

+        Ensure that a TLD parser obtained from the cache has the correct value

+        of blockExternal. (markt)

+      </fix>

+      <add>

+        Extend XML factory, parser etc. memory leak protection to cover some

+        additional locations where, theoretically, a memory leak could occur.

+        (markt)

+      </add>

     </changelog>

   </subsection>

   <subsection name="Coyote">

@@ -352,6 +361,10 @@

         request if the CRLF terminating the request line was split across

         multiple packets. Patch by Konstantin Preißer. (markt)

       </fix>

+      <fix>

+        Only create XML parsing objects if required and fix associated potential

+        memory leak in the default Servlet. (markt)

+      </fix>

     </changelog>

   </subsection>

   <subsection name="Jasper">

--- java/org/apache/jasper/xmlparser/ParserUtils.java.orig	2014-07-24 18:29:38.952016000 -0400

+++ java/org/apache/jasper/xmlparser/ParserUtils.java	2014-07-24 18:31:18.746354000 -0400

@@ -18,6 +18,7 @@

 import java.io.IOException;

 import java.io.InputStream;

+import java.security.AccessController;

 import javax.xml.parsers.DocumentBuilder;

 import javax.xml.parsers.DocumentBuilderFactory;

@@ -29,6 +30,8 @@

 import org.apache.tomcat.util.descriptor.DigesterFactory;

 import org.apache.tomcat.util.descriptor.LocalResolver;

 import org.apache.tomcat.util.descriptor.XmlErrorHandler;

+import org.apache.tomcat.util.security.PrivilegedGetTccl;

+import org.apache.tomcat.util.security.PrivilegedSetTccl;

 import org.w3c.dom.Comment;

 import org.w3c.dom.Document;

 import org.w3c.dom.NamedNodeMap;

@@ -36,7 +39,6 @@

 import org.w3c.dom.NodeList;

 import org.w3c.dom.Text;

 import org.xml.sax.EntityResolver;

-import org.xml.sax.ErrorHandler;

 import org.xml.sax.InputSource;

 import org.xml.sax.SAXException;

 import org.xml.sax.SAXParseException;

@@ -48,16 +50,10 @@

  * use a separate class loader for the parser to be used.

  *

  * @author Craig R. McClanahan

- * @version $Id: ParserUtils.java 1549529 2013-12-09 10:05:56Z markt $

  */

 public class ParserUtils {

     /**

-     * An error handler for use when parsing XML documents.

-     */

-    static ErrorHandler errorHandler = new XmlErrorHandler();

-

-    /**

      * An entity resolver for use when parsing XML documents.

      */

     static EntityResolver entityResolver;

@@ -99,15 +95,46 @@

         Document document = null;

         // Perform an XML parse of this document, via JAXP

+        ClassLoader original;

+        if (Constants.IS_SECURITY_ENABLED) {

+            PrivilegedGetTccl pa = new PrivilegedGetTccl();

+            original = AccessController.doPrivileged(pa);

+        } else {

+            original = Thread.currentThread().getContextClassLoader();

+        }

         try {

+            if (Constants.IS_SECURITY_ENABLED) {

+                PrivilegedSetTccl pa =

+                        new PrivilegedSetTccl(ParserUtils.class.getClassLoader());

+                AccessController.doPrivileged(pa);

+            } else {

+                Thread.currentThread().setContextClassLoader(

+                        ParserUtils.class.getClassLoader());

+            }

+            

             DocumentBuilderFactory factory =

                 DocumentBuilderFactory.newInstance();

             factory.setNamespaceAware(true);

             factory.setValidating(validating);

+            if (validating) {

+                // Enable DTD validation

+                factory.setFeature(

+                        "http://xml.org/sax/features/validation",

+                        true);

+                // Enable schema validation

+                factory.setFeature(

+                        "http://apache.org/xml/features/validation/schema",

+                        true);

+            }

             DocumentBuilder builder = factory.newDocumentBuilder();

             builder.setEntityResolver(entityResolverInstance);

-            builder.setErrorHandler(errorHandler);

+            XmlErrorHandler handler = new XmlErrorHandler();

+            builder.setErrorHandler(handler);

             document = builder.parse(is);

+            if (!handler.getErrors().isEmpty()) {

+                // throw the first to indicate there was a error during processing

+                throw handler.getErrors().iterator().next();

+            }

         } catch (ParserConfigurationException ex) {

             throw new JasperException

                 (Localizer.getMessage("jsp.error.parse.xml", location), ex);

@@ -124,6 +151,13 @@

         } catch (IOException io) {

             throw new JasperException

                 (Localizer.getMessage("jsp.error.parse.xml", location), io);

+        } finally {

+            if (Constants.IS_SECURITY_ENABLED) {

+                PrivilegedSetTccl pa = new PrivilegedSetTccl(original);

+                AccessController.doPrivileged(pa);

+            } else {

+                Thread.currentThread().setContextClassLoader(original);

+            }

         }

         // Convert the resulting document to a graph of TreeNodes

--- java/org/apache/jasper/compiler/JspDocumentParser.java.orig	2014-07-24 18:29:38.974016000 -0400

+++ java/org/apache/jasper/compiler/JspDocumentParser.java	2014-07-24 18:31:18.774352000 -0400

@@ -20,6 +20,7 @@

 import java.io.FileNotFoundException;

 import java.io.IOException;

 import java.io.InputStream;

+import java.security.AccessController;

 import java.util.Iterator;

 import java.util.List;

 import java.util.jar.JarFile;

@@ -35,6 +36,8 @@

 import org.apache.jasper.JspCompilationContext;

 import org.apache.tomcat.util.descriptor.DigesterFactory;

 import org.apache.tomcat.util.descriptor.LocalResolver;

+import org.apache.tomcat.util.security.PrivilegedGetTccl;

+import org.apache.tomcat.util.security.PrivilegedSetTccl;

 import org.xml.sax.Attributes;

 import org.xml.sax.InputSource;

 import org.xml.sax.Locator;

@@ -129,7 +132,7 @@

                 Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);

         boolean blockExternal;

         if (blockExternalString == null) {

-            blockExternal = Constants.IS_SECURITY_ENABLED;

+            blockExternal = true;

         } else {

             blockExternal = Boolean.parseBoolean(blockExternalString);

         }

@@ -1464,33 +1467,58 @@

         JspDocumentParser jspDocParser)

         throws Exception {

-        SAXParserFactory factory = SAXParserFactory.newInstance();

-

-        factory.setNamespaceAware(true);

-        // Preserve xmlns attributes

-        factory.setFeature(

-            "http://xml.org/sax/features/namespace-prefixes",

-            true);

-

-        factory.setValidating(validating);

-        if (validating) {

-            // Enable DTD validation

-            factory.setFeature(

-                    "http://xml.org/sax/features/validation",

-                    true);

-            // Enable schema validation

-            factory.setFeature(

-                    "http://apache.org/xml/features/validation/schema",

-                    true);

+        ClassLoader original;

+        if (Constants.IS_SECURITY_ENABLED) {

+            PrivilegedGetTccl pa = new PrivilegedGetTccl();

+            original = AccessController.doPrivileged(pa);

+        } else {

+            original = Thread.currentThread().getContextClassLoader();

         }

+        try {

+            if (Constants.IS_SECURITY_ENABLED) {

+                PrivilegedSetTccl pa =

+                        new PrivilegedSetTccl(JspDocumentParser.class.getClassLoader());

+                AccessController.doPrivileged(pa);

+            } else {

+                Thread.currentThread().setContextClassLoader(

+                        JspDocumentParser.class.getClassLoader());

+            }

+

+            SAXParserFactory factory = SAXParserFactory.newInstance();

-        // Configure the parser

-        SAXParser saxParser = factory.newSAXParser();

-        XMLReader xmlReader = saxParser.getXMLReader();

-        xmlReader.setProperty(LEXICAL_HANDLER_PROPERTY, jspDocParser);

-        xmlReader.setErrorHandler(jspDocParser);

+            factory.setNamespaceAware(true);

+            // Preserve xmlns attributes

+            factory.setFeature(

+                "http://xml.org/sax/features/namespace-prefixes",

+                true);

-        return saxParser;

+            factory.setValidating(validating);

+            if (validating) {

+                // Enable DTD validation

+                factory.setFeature(

+                        "http://xml.org/sax/features/validation",

+                        true);

+                // Enable schema validation

+                factory.setFeature(

+                        "http://apache.org/xml/features/validation/schema",

+                        true);

+            }

+

+            // Configure the parser

+            SAXParser saxParser = factory.newSAXParser();

+            XMLReader xmlReader = saxParser.getXMLReader();

+            xmlReader.setProperty(LEXICAL_HANDLER_PROPERTY, jspDocParser);

+            xmlReader.setErrorHandler(jspDocParser);

+

+            return saxParser;

+        } finally {

+            if (Constants.IS_SECURITY_ENABLED) {

+                PrivilegedSetTccl pa = new PrivilegedSetTccl(original);

+                AccessController.doPrivileged(pa);

+            } else {

+                Thread.currentThread().setContextClassLoader(original);

+            }

+        }

     }

     /*

--- java/org/apache/tomcat/util/security/PrivilegedGetTccl.java.orig	2014-07-24 18:59:42.923103000 -0400

+++ java/org/apache/tomcat/util/security/PrivilegedGetTccl.java	2014-07-24 18:56:17.729411000 -0400

@@ -0,0 +1,28 @@

+/*

+ * Licensed to the Apache Software Foundation (ASF) under one or more

+ * contributor license agreements.  See the NOTICE file distributed with

+ * this work for additional information regarding copyright ownership.

+ * The ASF licenses this file to You under the Apache License, Version 2.0

+ * (the "License"); you may not use this file except in compliance with

+ * the License.  You may obtain a copy of the License at

+ *

+ *      http://www.apache.org/licenses/LICENSE-2.0

+ *

+ * Unless required by applicable law or agreed to in writing, software

+ * distributed under the License is distributed on an "AS IS" BASIS,

+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+ * See the License for the specific language governing permissions and

+ * limitations under the License.

+ */

+package org.apache.tomcat.util.security;

+

+import java.security.PrivilegedAction;

+

+public class PrivilegedGetTccl implements PrivilegedAction<ClassLoader> {

+    @Override

+    public ClassLoader run() {

+        return Thread.currentThread().getContextClassLoader();

+    }

+}

+

+

--- java/org/apache/tomcat/util/security/PrivilegedSetTccl.java.orig	2014-07-24 18:59:42.928107000 -0400

+++ java/org/apache/tomcat/util/security/PrivilegedSetTccl.java	2014-07-24 18:56:17.736421000 -0400

@@ -0,0 +1,34 @@

+/*

+ * Licensed to the Apache Software Foundation (ASF) under one or more

+ * contributor license agreements.  See the NOTICE file distributed with

+ * this work for additional information regarding copyright ownership.

+ * The ASF licenses this file to You under the Apache License, Version 2.0

+ * (the "License"); you may not use this file except in compliance with

+ * the License.  You may obtain a copy of the License at

+ *

+ *      http://www.apache.org/licenses/LICENSE-2.0

+ *

+ * Unless required by applicable law or agreed to in writing, software

+ * distributed under the License is distributed on an "AS IS" BASIS,

+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+ * See the License for the specific language governing permissions and

+ * limitations under the License.

+ */

+package org.apache.tomcat.util.security;

+

+import java.security.PrivilegedAction;

+

+public class PrivilegedSetTccl implements PrivilegedAction<Void> {

+

+    private ClassLoader cl;

+

+    public PrivilegedSetTccl(ClassLoader cl) {

+        this.cl = cl;

+    }

+

+    @Override

+    public Void run() {

+        Thread.currentThread().setContextClassLoader(cl);

+        return null;

+    }

+}

\ No newline at end of file