You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/04/05 15:58:54 UTC
svn commit: r1790294 - in /tomcat/trunk/java/org/apache/catalina:
connector/Response.java security/SecurityClassLoad.java
Author: markt
Date: Wed Apr 5 15:58:54 2017
New Revision: 1790294
URL: http://svn.apache.org/viewvc?rev=1790294&view=rev
Log:
Partial fix for https://bz.apache.org/bugzilla/show_bug.cgi?id=47214
Replace explicitly referenced anonymous inner classes in Response with named inner classes.
Modified:
tomcat/trunk/java/org/apache/catalina/connector/Response.java
tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java
Modified: tomcat/trunk/java/org/apache/catalina/connector/Response.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Response.java?rev=1790294&r1=1790293&r2=1790294&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Response.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Response.java Wed Apr 5 15:58:54 2017
@@ -982,12 +982,8 @@ public class Response implements HttpSer
// Web application code can receive a IllegalArgumentException
// from the generateHeader() invocation
if (SecurityUtil.isPackageProtectionEnabled()) {
- return AccessController.doPrivileged(new PrivilegedAction<String>() {
- @Override
- public String run(){
- return getContext().getCookieProcessor().generateHeader(cookie);
- }
- });
+ return AccessController.doPrivileged(
+ new PrivilegedGenerateCookieString(getContext(), cookie));
} else {
return getContext().getCookieProcessor().generateHeader(cookie);
}
@@ -1492,7 +1488,6 @@ public class Response implements HttpSer
// ------------------------------------------------------ Protected Methods
-
/**
* Return <code>true</code> if the specified URL should be encoded with
* a session identifier. This will be true if all of the following
@@ -1535,20 +1530,16 @@ public class Response implements HttpSer
}
if (SecurityUtil.isPackageProtectionEnabled()) {
- return (
- AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
-
- @Override
- public Boolean run(){
- return Boolean.valueOf(doIsEncodeable(hreq, session, location));
- }
- })).booleanValue();
+ Boolean result = AccessController.doPrivileged(
+ new PrivilegedDoIsEncodable(getContext(), hreq, session, location));
+ return result.booleanValue();
} else {
- return doIsEncodeable(hreq, session, location);
+ return doIsEncodeable(getContext(), hreq, session, location);
}
}
- private boolean doIsEncodeable(Request hreq, Session session,
+
+ private static boolean doIsEncodeable(Context context, Request hreq, Session session,
String location) {
// Is this a valid absolute URL?
URL url = null;
@@ -1585,15 +1576,14 @@ public class Response implements HttpSer
return false;
}
- String contextPath = getContext().getPath();
+ String contextPath = context.getPath();
if (contextPath != null) {
String file = url.getFile();
if (!file.startsWith(contextPath)) {
return false;
}
- String tok = ";" +
- SessionConfig.getSessionUriParamName(request.getContext()) +
- "=" + session.getIdInternal();
+ String tok = ";" + SessionConfig.getSessionUriParamName(context) + "=" +
+ session.getIdInternal();
if( file.indexOf(tok, contextPath.length()) >= 0 ) {
return false;
}
@@ -1663,17 +1653,10 @@ public class Response implements HttpSer
String relativePath = request.getDecodedRequestURI();
int pos = relativePath.lastIndexOf('/');
CharChunk encodedURI = null;
- final String frelativePath = relativePath;
- final int fend = pos;
if (SecurityUtil.isPackageProtectionEnabled() ){
try{
encodedURI = AccessController.doPrivileged(
- new PrivilegedExceptionAction<CharChunk>(){
- @Override
- public CharChunk run() throws IOException{
- return urlEncoder.encodeURL(frelativePath, 0, fend);
- }
- });
+ new PrivilgedEncodeUrl(urlEncoder, relativePath, pos));
} catch (PrivilegedActionException pae){
IllegalArgumentException iae =
new IllegalArgumentException(location);
@@ -1861,4 +1844,62 @@ public class Response implements HttpSer
return (sb.toString());
}
+
+
+ private static class PrivilegedGenerateCookieString implements PrivilegedAction<String> {
+
+ private final Context context;
+ private final Cookie cookie;
+
+ public PrivilegedGenerateCookieString(Context context, Cookie cookie) {
+ this.context = context;
+ this.cookie = cookie;
+ }
+
+ @Override
+ public String run(){
+ return context.getCookieProcessor().generateHeader(cookie);
+ }
+ }
+
+
+ private static class PrivilegedDoIsEncodable implements PrivilegedAction<Boolean> {
+
+ private final Context context;
+ private final Request hreq;
+ private final Session session;
+ private final String location;
+
+ public PrivilegedDoIsEncodable(Context context, Request hreq, Session session,
+ String location) {
+ this.context = context;
+ this.hreq = hreq;
+ this.session = session;
+ this.location = location;
+ }
+
+ @Override
+ public Boolean run(){
+ return Boolean.valueOf(doIsEncodeable(context, hreq, session, location));
+ }
+ }
+
+
+ private static class PrivilgedEncodeUrl implements PrivilegedExceptionAction<CharChunk> {
+
+ private final UEncoder urlEncoder;
+ private final String relativePath;
+ private final int end;
+
+ public PrivilgedEncodeUrl(UEncoder urlEncoder, String relativePath, int end) {
+ this.urlEncoder = urlEncoder;
+ this.relativePath = relativePath;
+ this.end = end;
+ }
+
+ @Override
+ public CharChunk run() throws IOException{
+ return urlEncoder.encodeURL(relativePath, 0, end);
+ }
+ }
}
Modified: tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java?rev=1790294&r1=1790293&r2=1790294&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java (original)
+++ tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java Wed Apr 5 15:58:54 2017
@@ -257,13 +257,13 @@ public final class SecurityClassLoad {
"InputBuffer$PrivilegedCreateConverter");
loader.loadClass
(basePackage +
- "Response$1");
+ "Response$PrivilegedDoIsEncodable");
loader.loadClass
(basePackage +
- "Response$2");
+ "Response$PrivilegedGenerateCookieString");
loader.loadClass
(basePackage +
- "Response$3");
+ "Response$PrivilgedEncodeUrl");
}
private static final void loadTomcatPackage(ClassLoader loader)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org