Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/03/30 19:24:50 UTC

[tomcat] branch 10.0.x updated: Security hardening. Deprecate getResources() and always return null.

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
     new 8af3ae9  Security hardening. Deprecate getResources() and always return null.
8af3ae9 is described below

commit 8af3ae9fdc3d4a06ccafbde0d7fc441dd9e64bfe
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Mar 30 20:22:49 2022 +0100

    Security hardening. Deprecate getResources() and always return null.
    
    This method is never used by Tomcat. If something accidentally exposes the
    class loader then this method can be used to gain access to Tomcat
    internals.
---
 java/org/apache/catalina/loader/WebappClassLoaderBase.java |  7 ++++++-
 webapps/docs/changelog.xml                                 | 10 ++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/loader/WebappClassLoaderBase.java b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
index 00e4fc3..5e579b3 100644
--- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
@@ -427,10 +427,15 @@ public abstract class WebappClassLoaderBase extends URLClassLoader
     // ------------------------------------------------------------- Properties
 
     /**
+     * Unused. Always returns {@code null}.
+     *
      * @return associated resources.
+     *
+     * @deprecated This will be removed in Tomcat 10.1.x onwards
      */
+    @Deprecated
     public WebResourceRoot getResources() {
-        return this.resources;
+        return null;
     }
 
 
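Review bot: The retained `@return associated resources.` line now contradicts the new `Unused. Always returns {@code null}.` sentence added just above it, so the generated Javadoc will advertise a non-null result that callers relying on the old behaviour would dereference and get a NullPointerException; replace it with `@return {@code null}, always` and extend the `@deprecated` tag to `@deprecated This will be removed in Tomcat 10.1.x onwards and has no replacement`. The removed line shows the method previously returned the `resources` field, which presumably remains for internal use, so this change limits exposure only through this accessor; it would help to note in the same Javadoc that the resource root is intentionally not reachable via the class loader. The method is also not `final`, so a subclass could still reinstate the old behaviour; if that is acceptable it is worth stating, otherwise marking it `final` would close that path. The enclosing class continues outside the hunk.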
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index afb1ff6..512eec7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,16 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 10.0.20 (markt)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <add>
+         Effectively disable the
+         <code>WebappClassLoaderBase.getResources()</code> method as it is not
+         used and if something accidently exposes the class loader this method
+         can be used to gain access to Tomcat internals. (markt)
+      </add>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 10.0.19 (markt)" rtext="release in progress">
   <subsection name="Catalina">
