LDEV-5305 - resolve race condition in loadClass() and standardize synchronization

michaeloffner · michaeloffner · commit 73ca7a1be941 · 2025-09-19T15:42:36.000+02:00
Move findLoadedClass() inside sync block and use getClassLoadingLock()
consistently to prevent TOCTOU race condition in class loading.
diff --git a/core/src/main/java/lucee/commons/lang/PhysicalClassLoader.java b/core/src/main/java/lucee/commons/lang/PhysicalClassLoader.java
@@ -133,7 +133,7 @@ public static PhysicalClassLoader getPhysicalClassLoader(Config c, Resource dire
 	public static PhysicalClassLoader getRPCClassLoader(Config c, JavaSettings js, boolean reload, ClassLoader parent) throws IOException {
 		String key = js == null ? "orphan" : ((JavaSettingsImpl) js).id();
 		if (parent != null) {
-			if (parent instanceof PhysicalClassLoader) key += "_" + ((PhysicalClassLoader) parent).id; 
+			if (parent instanceof PhysicalClassLoader) key += "_" + ((PhysicalClassLoader) parent).id;
 			else key += "_" + parent.hashCode();
 		}
 		PhysicalClassLoader rpccl = reload ? null : classLoaders.get(key);
@@ -248,7 +248,7 @@ private Class<?> loadClass(String name, boolean resolve, boolean loadFromFS, Cla
 		Class<?> c = findLoadedClass(name);
 
 		if (c == null) {
-			synchronized (SystemUtil.createToken("PhysicalClassLoader:load", name)) {
+			synchronized (getClassLoadingLock(name)) {
 				c = findLoadedClass(name);
 				if (c == null) {
 					ClassLoader pcl = getParent();
@@ -299,10 +299,8 @@ private Class<?> loadClass(String name, boolean resolve, boolean loadFromFS) thr
 
 	@Override
 	public Class<?> loadClass(String name, byte[] barr) throws UnmodifiableClassException {
-		// Class<?> clazz = null;
-		Class<?> clazz = findLoadedClass(name);
-
-		synchronized (SystemUtil.createToken("PhysicalClassLoader:load", name)) {
+		synchronized (getClassLoadingLock(name)) {
+			Class<?> clazz = findLoadedClass(name);
 			if (clazz == null) return _loadClass(name, barr, false);
 			return rename(clazz, barr);
 		}
@@ -331,7 +329,7 @@ protected Class<?> findClass(String name) throws ClassNotFoundException {
 			}
 		}
 
-		synchronized (SystemUtil.createToken("PhysicalClassLoader:load", name)) {
+		synchronized (getClassLoadingLock(name)) {
 			Resource res = directory.getRealResource(name.replace('.', '/').concat(".class"));
 			if (!res.isFile()) {
 				// if (cnfe != null) throw cnfe;
diff --git a/loader/build.xml b/loader/build.xml
@@ -2,7 +2,7 @@
 <project default="core" basedir="." name="Lucee" 
   xmlns:resolver="antlib:org.apache.maven.resolver.ant">
 
-  <property name="version" value="6.2.3.34-SNAPSHOT"/>
+  <property name="version" value="6.2.3.35-SNAPSHOT"/>
 
   <taskdef uri="antlib:org.apache.maven.resolver.ant" resource="org/apache/maven/resolver/ant/antlib.xml">
     <classpath>
diff --git a/loader/pom.xml b/loader/pom.xml
@@ -3,7 +3,7 @@
 
   <groupId>org.lucee</groupId>
   <artifactId>lucee</artifactId>
-  <version>6.2.3.34-SNAPSHOT</version>
+  <version>6.2.3.35-SNAPSHOT</version>
   <packaging>jar</packaging>
 
   <name>Lucee Loader Build</name>
diff --git a/test/tickets/LDEV5305.cfc b/test/tickets/LDEV5305.cfc
@@ -1,4 +1,4 @@
-component extends="org.lucee.cfml.test.LuceeTestCase" displayname="LDEV5305" skip=true {
+component extends="org.lucee.cfml.test.LuceeTestCase" displayname="LDEV5305" {
 
 	function beforeAll(){
 		variables.randomTestFiles = [];

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-component extends="org.lucee.cfml.test.LuceeTestCase" displayname="LDEV5305" skip=true {`
	`1`	`+component extends="org.lucee.cfml.test.LuceeTestCase" displayname="LDEV5305" {`
`2`	`2`
`3`	`3`	`function beforeAll(){`
`4`	`4`	`variables.randomTestFiles = [];`