Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/03/30 19:26:14 UTC
[tomcat] branch 8.5.x updated: Security hardening. Deprecate getResources() and always return null.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 530108c Security hardening. Deprecate getResources() and always return null.
530108c is described below
commit 530108cb568ba7bb51594d0ecfc2421db2e4bf53
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Mar 30 20:22:49 2022 +0100
Security hardening. Deprecate getResources() and always return null.
This method is never used by Tomcat. If something accidentally exposes the
class loader then this method can be used to gain access to Tomcat
internals.
---
java/org/apache/catalina/loader/WebappClassLoaderBase.java | 7 ++++++-
webapps/docs/changelog.xml | 6 ++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/loader/WebappClassLoaderBase.java b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
index 3d0ac44..e6d0707 100644
--- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
@@ -431,10 +431,15 @@ public abstract class WebappClassLoaderBase extends URLClassLoader
// ------------------------------------------------------------- Properties
/**
+ * Unused. Always returns {@code null}.
+ *
* @return associated resources.
+ *
+ * @deprecated This will be removed in Tomcat 10.1.x onwards
*/
+ @Deprecated
public WebResourceRoot getResources() {
- return this.resources;
+ return null;
}
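Review bot: the unchanged `@return associated resources.` tag in this hunk now contradicts the added `Unused. Always returns {@code null}.` line and the new `return null;` body; change it to `@return {@code null}` (or drop the tag) so the Javadoc describes the method's actual behaviour. The `@deprecated` text could also say that there is no replacement accessor, since the removed `return this.resources;` line was the only way this field was reachable through the method, and callers reading the deprecation notice will otherwise look for one.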
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3c4c4d1..c9c2ab1 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -116,6 +116,12 @@
Harden the CredentialHandler implementations by switching to a
constant-time implementation for credential comparisons. (schultz/markt)
</scode>
+ <add>
+ Effectively disable the
+ <code>WebappClassLoaderBase.getResources()</code> method as it is not
+ used and if something accidently exposes the class loader this method
+ can be used to gain access to Tomcat internals. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">
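Review bot: "accidently" in the new changelog entry should read "accidentally". The entry category also looks off: the hardening entry immediately above it is filed under `<scode>`, while this change, which disables an existing method rather than adding functionality, is filed under `<add>`; `<scode>` or `<fix>` would follow the convention of the neighbouring entry.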