You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/05/05 19:39:32 UTC
svn commit: r1831000 - in /tomcat/trunk: conf/catalina.policy java/org/apache/jasper/runtime/BodyContentImpl.java webapps/docs/changelog.xml

Author: markt
Date: Sat May  5 19:39:31 2018
New Revision: 1831000

URL: http://svn.apache.org/viewvc?rev=1831000&view=rev
Log:
Refactor org.apache.jasper.runtime.BodyContentImpl so an additional permission is not required in catalina.policy
This is a follow-up to the fix for 43925.

Modified:
    tomcat/trunk/conf/catalina.policy
    tomcat/trunk/java/org/apache/jasper/runtime/BodyContentImpl.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/conf/catalina.policy
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/catalina.policy?rev=1831000&r1=1830999&r2=1831000&view=diff
==============================================================================
--- tomcat/trunk/conf/catalina.policy (original)
+++ tomcat/trunk/conf/catalina.policy Sat May  5 19:39:31 2018
@@ -174,10 +174,6 @@ grant {
 
     // Precompiled JSPs need access to these system properties.
     permission java.util.PropertyPermission
-     "org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE", "read";
-    permission java.util.PropertyPermission
-     "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
-    permission java.util.PropertyPermission
      "org.apache.el.parser.COERCE_TO_ZERO", "read";
 
     // The cookie code needs these.

Modified: tomcat/trunk/java/org/apache/jasper/runtime/BodyContentImpl.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/runtime/BodyContentImpl.java?rev=1831000&r1=1830999&r2=1831000&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/runtime/BodyContentImpl.java (original)
+++ tomcat/trunk/java/org/apache/jasper/runtime/BodyContentImpl.java Sat May  5 19:39:31 2018
@@ -21,6 +21,8 @@ import java.io.CharArrayReader;
 import java.io.IOException;
 import java.io.Reader;
 import java.io.Writer;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 import javax.servlet.jsp.JspWriter;
 import javax.servlet.jsp.tagext.BodyContent;
@@ -39,13 +41,40 @@ import org.apache.jasper.Constants;
  */
 public class BodyContentImpl extends BodyContent {
 
-    private static final boolean LIMIT_BUFFER =
-            Boolean.parseBoolean(System.getProperty(
-                    "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "false"));
+    private static final boolean LIMIT_BUFFER;
+    private static final int TAG_BUFFER_SIZE;
 
-    private static final int TAG_BUFFER_SIZE =
-            Integer.getInteger("org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE",
+    static {
+        if (System.getSecurityManager() == null) {
+            LIMIT_BUFFER = Boolean.parseBoolean(System.getProperty(
+                    "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "false"));
+            TAG_BUFFER_SIZE = Integer.getInteger(
+                    "org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE",
                     Constants.DEFAULT_TAG_BUFFER_SIZE).intValue();
+        } else {
+            LIMIT_BUFFER = AccessController.doPrivileged(
+                    new PrivilegedAction<Boolean>() {
+                        @Override
+                        public Boolean run() {
+                            return Boolean.valueOf(System.getProperty(
+                                    "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER",
+                                    "false"));
+                        }
+                    }
+            ).booleanValue();
+            TAG_BUFFER_SIZE = AccessController.doPrivileged(
+                    new PrivilegedAction<Integer>() {
+                        @Override
+                        public Integer run() {
+                            return Integer.getInteger(
+                                    "org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE",
+                                    Constants.DEFAULT_TAG_BUFFER_SIZE);
+                        }
+                    }
+            ).intValue();
+        }
+    }
+
 
     private char[] cb;
     private int nextChar;

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1831000&r1=1830999&r2=1831000&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sat May  5 19:39:31 2018
@@ -87,11 +87,12 @@
   <subsection name="Jasper">
     <changelog>
       <fix>
-        <bug>62350</bug>: Amend <code>catalina.policy</code> file to allow
-        reading system property
-        <code>org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE</code>
-        when running under a SecurityManager. This is a follow-up to
-        the fix for <bug>43925</bug>. (kkolinko)
+        <bug>62350</bug>: Refactor
+        <code>org.apache.jasper.runtime.BodyContentImpl</code> so a
+        <code>SecurityException</code> is not thrown when running under a
+        SecurityManger and additional permissions are not required in the
+        <code>catalina.policy</code> file. This is a follow-up to the fix for
+        <bug>43925</bug>. (kkolinko/markt)
       </fix>
     </changelog>
   </subsection>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org