You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/06/02 22:56:16 UTC
[tomcat] branch 8.5.x updated: Fix BZ 64488. Correct ImportHandler
failures under a security manager
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 1350860 Fix BZ 64488. Correct ImportHandler failures under a security manager
1350860 is described below
commit 1350860d9a5be290edf0439a0ba6c120f2a78bce
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jun 2 23:54:49 2020 +0100
Fix BZ 64488. Correct ImportHandler failures under a security manager
https://bz.apache.org/bugzilla/show_bug.cgi?id=64488
Patch provided by Volodymyr Siedleck
---
java/javax/el/ImportHandler.java | 39 +++++++++++++++++++++++++++++++++++++--
webapps/docs/changelog.xml | 5 +++++
2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/java/javax/el/ImportHandler.java b/java/javax/el/ImportHandler.java
index 151b3ab..636599b 100644
--- a/java/javax/el/ImportHandler.java
+++ b/java/javax/el/ImportHandler.java
@@ -19,6 +19,8 @@ package javax.el;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
@@ -31,6 +33,8 @@ import java.util.concurrent.ConcurrentHashMap;
*/
public class ImportHandler {
+ private static final boolean IS_SECURITY_ENABLED = (System.getSecurityManager() != null);
+
private static final Map<String,Set<String>> standardPackages = new HashMap<>();
static {
@@ -451,8 +455,18 @@ public class ImportHandler {
* for the case where the class does exist is a lot less than the
* overhead we save by not calling loadClass().
*/
- if (cl.getResource(path) == null) {
- return null;
+ if (IS_SECURITY_ENABLED) {
+ // Webapps don't have read permission for JAVA_HOME (and
+ // possibly other sources of classes). Only need to know if the
+ // class exists at this point. Class loading occurs with
+ // standard SecurityManager policy next.
+ if (!AccessController.doPrivileged(new PrivilegedResourceExists(cl, path)).booleanValue()) {
+ return null;
+ }
+ } else {
+ if (cl.getResource(path) == null) {
+ return null;
+ }
}
} catch (ClassCircularityError cce) {
// May happen under a security manager. Ignore it and try loading
@@ -488,4 +502,25 @@ public class ImportHandler {
*/
private static class NotFound {
}
+
+
+ private static class PrivilegedResourceExists implements PrivilegedAction<Boolean> {
+
+ private final ClassLoader cl;
+ private final String name;
+
+ public PrivilegedResourceExists(ClassLoader cl, String name) {
+ this.cl = cl;
+ this.name = name;
+ }
+
+ @Override
+ public Boolean run() {
+ if (cl.getResource(name) == null) {
+ return Boolean.FALSE;
+ } else {
+ return Boolean.TRUE;
+ }
+ }
+ }
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 48ae17f..d8fb3c6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -93,6 +93,11 @@
endpoint path is specified and catch invalid endpoint paths earlier.
(markt)
</fix>
+ <fix>
+ <bug>64488</bug>: Ensure that the ImportHandler from the Expression
+ Language API is able to load classes from the Java runtime when running
+ under a SecurityManager. Based on a patch by Volodymyr Siedleck. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org