Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/03/30 19:24:50 UTC
[tomcat] branch 10.0.x updated: Security hardening. Deprecate getResources() and always return null.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.0.x by this push:
new 8af3ae9 Security hardening. Deprecate getResources() and always return null.
8af3ae9 is described below
commit 8af3ae9fdc3d4a06ccafbde0d7fc441dd9e64bfe
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Mar 30 20:22:49 2022 +0100
Security hardening. Deprecate getResources() and always return null.
This method is never used by Tomcat. If something accidentally exposes the
class loader then this method can be used to gain access to Tomcat
internals.
---
java/org/apache/catalina/loader/WebappClassLoaderBase.java | 7 ++++++-
webapps/docs/changelog.xml | 10 ++++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/loader/WebappClassLoaderBase.java b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
index 00e4fc3..5e579b3 100644
--- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
@@ -427,10 +427,15 @@ public abstract class WebappClassLoaderBase extends URLClassLoader
// ------------------------------------------------------------- Properties
/**
+ * Unused. Always returns {@code null}.
+ *
* @return associated resources.
+ *
+ * @deprecated This will be removed in Tomcat 10.1.x onwards
*/
+ @Deprecated
public WebResourceRoot getResources() {
- return this.resources;
+ return null;
}
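Review bot: The Javadoc on this method is now self-contradictory: the new first line says "Unused. Always returns {@code null}." while the retained `@return associated resources.` tag still describes the old behaviour. Suggest changing it to `@return always {@code null}` so generated API docs do not advertise a value that is never returned. Separately, since the signature is unchanged, any third-party code calling `getResources()` will keep compiling but now receives `null` at runtime, so the deprecation note should make clear that callers must expect `null` rather than a `WebResourceRoot` to avoid an unexpected NullPointerException.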
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index afb1ff6..512eec7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,16 @@
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 10.0.20 (markt)" rtext="in development">
+ <subsection name="Catalina">
+ <changelog>
+ <add>
+ Effectively disable the
+ <code>WebappClassLoaderBase.getResources()</code> method as it is not
+ used and if something accidently exposes the class loader this method
+ can be used to gain access to Tomcat internals. (markt)
+ </add>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 10.0.19 (markt)" rtext="release in progress">
<subsection name="Catalina">
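Review bot: The user-visible changelog text in this hunk carries the spelling error "accidently" (should be "accidentally"); worth correcting here since it ships in the released documentation. It would also help readers if the entry stated concretely what "effectively disable" means, namely that the method is now annotated `@Deprecated` and always returns `null`, as the accompanying Java change does, so that anyone relying on it can assess the impact from the changelog alone.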