You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/06/02 22:55:18 UTC
[tomcat] branch master updated: Fix BZ 64488. Correct ImportHandler
failures under a security manager
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new d2e079f Fix BZ 64488. Correct ImportHandler failures under a security manager
d2e079f is described below
commit d2e079ff75cba8c1936874e7f1a8244de08d67f2
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jun 2 23:54:49 2020 +0100
Fix BZ 64488. Correct ImportHandler failures under a security manager
https://bz.apache.org/bugzilla/show_bug.cgi?id=64488
Patch provided by Volodymyr Siedleck
---
java/jakarta/el/ImportHandler.java | 39 ++++++++++++++++++++++++++++++++++++--
webapps/docs/changelog.xml | 5 +++++
2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/java/jakarta/el/ImportHandler.java b/java/jakarta/el/ImportHandler.java
index 1e7e9b9..c4d62d2 100644
--- a/java/jakarta/el/ImportHandler.java
+++ b/java/jakarta/el/ImportHandler.java
@@ -19,6 +19,8 @@ package jakarta.el;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
@@ -31,6 +33,8 @@ import java.util.concurrent.ConcurrentHashMap;
*/
public class ImportHandler {
+ private static final boolean IS_SECURITY_ENABLED = (System.getSecurityManager() != null);
+
private static final Map<String,Set<String>> standardPackages = new HashMap<>();
static {
@@ -452,8 +456,18 @@ public class ImportHandler {
* for the case where the class does exist is a lot less than the
* overhead we save by not calling loadClass().
*/
- if (cl.getResource(path) == null) {
- return null;
+ if (IS_SECURITY_ENABLED) {
+ // Webapps don't have read permission for JAVA_HOME (and
+ // possibly other sources of classes). Only need to know if the
+ // class exists at this point. Class loading occurs with
+ // standard SecurityManager policy next.
+ if (!AccessController.doPrivileged(new PrivilegedResourceExists(cl, path)).booleanValue()) {
+ return null;
+ }
+ } else {
+ if (cl.getResource(path) == null) {
+ return null;
+ }
}
} catch (ClassCircularityError cce) {
// May happen under a security manager. Ignore it and try loading
@@ -489,4 +503,25 @@ public class ImportHandler {
*/
private static class NotFound {
}
+
+
+ private static class PrivilegedResourceExists implements PrivilegedAction<Boolean> {
+
+ private final ClassLoader cl;
+ private final String name;
+
+ public PrivilegedResourceExists(ClassLoader cl, String name) {
+ this.cl = cl;
+ this.name = name;
+ }
+
+ @Override
+ public Boolean run() {
+ if (cl.getResource(name) == null) {
+ return Boolean.FALSE;
+ } else {
+ return Boolean.TRUE;
+ }
+ }
+ }
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b6d47ce..b3c1546 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -119,6 +119,11 @@
endpoint path is specified and catch invalid endpoint paths earlier.
(markt)
</fix>
+ <fix>
+ <bug>64488</bug>: Ensure that the ImportHandler from the Expression
+ Language API is able to load classes from the Java runtime when running
+ under a SecurityManager. Based on a patch by Volodymyr Siedleck. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org