You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/10/16 08:09:53 UTC
[tomcat] 01/03: Refactor to remove the need for explicit property
permissions for Cookie code
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit a7b91e1a0f4fa57f50d8103417a6a3f6d5f50ea8
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Sat May 5 20:21:21 2018 +0000
Refactor to remove the need for explicit property permissions for Cookie code
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1831003 13f79535-47bb-0310-9956-ffa450edef68
---
conf/catalina.policy | 8 ---
java/javax/servlet/http/Cookie.java | 72 +++++++++++++++++-----
.../servlet/http/TestCookieRFC2109Validator.java | 5 +-
3 files changed, 58 insertions(+), 27 deletions(-)
diff --git a/conf/catalina.policy b/conf/catalina.policy
index ffa348d..0567324 100644
--- a/conf/catalina.policy
+++ b/conf/catalina.policy
@@ -172,14 +172,6 @@ grant {
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.jasper.runtime.*";
- // The cookie code needs these.
- permission java.util.PropertyPermission
- "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
- permission java.util.PropertyPermission
- "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
- permission java.util.PropertyPermission
- "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
-
// Applications using WebSocket need to be able to access these packages
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
diff --git a/java/javax/servlet/http/Cookie.java b/java/javax/servlet/http/Cookie.java
index fc2cb89..1ee31d4 100644
--- a/java/javax/servlet/http/Cookie.java
+++ b/java/javax/servlet/http/Cookie.java
@@ -17,6 +17,8 @@
package javax.servlet.http;
import java.io.Serializable;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.text.MessageFormat;
import java.util.BitSet;
import java.util.Locale;
@@ -54,19 +56,66 @@ import java.util.ResourceBundle;
public class Cookie implements Cloneable, Serializable {
private static final CookieNameValidator validation;
+
static {
+ boolean strictServletCompliance;
boolean strictNaming;
- String prop = System.getProperty("org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING");
- if (prop != null) {
- strictNaming = Boolean.parseBoolean(prop);
+ boolean allowSlash;
+ String propStrictNaming;
+ String propFwdSlashIsSeparator;
+
+ if (System.getSecurityManager() == null) {
+ strictServletCompliance = Boolean.getBoolean(
+ "org.apache.catalina.STRICT_SERVLET_COMPLIANCE");
+ propStrictNaming = System.getProperty(
+ "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING");
+ propFwdSlashIsSeparator = System.getProperty(
+ "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR");
} else {
- strictNaming = Boolean.getBoolean("org.apache.catalina.STRICT_SERVLET_COMPLIANCE");
+ strictServletCompliance = AccessController.doPrivileged(
+ new PrivilegedAction<Boolean>() {
+ @Override
+ public Boolean run() {
+ return Boolean.valueOf(System.getProperty(
+ "org.apache.catalina.STRICT_SERVLET_COMPLIANCE"));
+ }
+ }
+ ).booleanValue();
+ propStrictNaming = AccessController.doPrivileged(
+ new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return System.getProperty(
+ "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING");
+ }
+ }
+ );
+ propFwdSlashIsSeparator = AccessController.doPrivileged(
+ new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return System.getProperty(
+ "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR");
+ }
+ }
+ );
}
- if (strictNaming) {
- validation = new RFC2109Validator();
+ if (propStrictNaming == null) {
+ strictNaming = strictServletCompliance;
+ } else {
+ strictNaming = Boolean.parseBoolean(propStrictNaming);
+ }
+
+ if (propFwdSlashIsSeparator == null) {
+ allowSlash = !strictServletCompliance;
+ } else {
+ allowSlash = !Boolean.parseBoolean(propFwdSlashIsSeparator);
}
- else {
+
+ if (strictNaming) {
+ validation = new RFC2109Validator(allowSlash);
+ } else {
validation = new RFC6265Validator();
}
}
@@ -428,15 +477,8 @@ class RFC6265Validator extends CookieNameValidator {
}
class RFC2109Validator extends RFC6265Validator {
- RFC2109Validator() {
+ RFC2109Validator(boolean allowSlash) {
// special treatment to allow for FWD_SLASH_IS_SEPARATOR property
- boolean allowSlash;
- String prop = System.getProperty("org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR");
- if (prop != null) {
- allowSlash = !Boolean.parseBoolean(prop);
- } else {
- allowSlash = !Boolean.getBoolean("org.apache.catalina.STRICT_SERVLET_COMPLIANCE");
- }
if (allowSlash) {
allowed.set('/');
}
diff --git a/test/javax/servlet/http/TestCookieRFC2109Validator.java b/test/javax/servlet/http/TestCookieRFC2109Validator.java
index 18bc062..1a2b136 100644
--- a/test/javax/servlet/http/TestCookieRFC2109Validator.java
+++ b/test/javax/servlet/http/TestCookieRFC2109Validator.java
@@ -22,11 +22,8 @@ import org.junit.Test;
* Basic tests for Cookie in default configuration.
*/
public class TestCookieRFC2109Validator {
- static {
- System.setProperty("org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "true");
- }
- private RFC2109Validator validator = new RFC2109Validator();
+ private RFC2109Validator validator = new RFC2109Validator(false);
@Test
public void actualCharactersAllowedInName() {
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org