Posted to dev@tomcat.apache.org by bi...@apache.org on 2008/12/29 04:12:17 UTC

svn commit: r729825 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/coyote/http11/Http11Processor.java webapps/docs/changelog.xml

Author: billbarker
Date: Sun Dec 28 19:12:16 2008
New Revision: 729825

URL: http://svn.apache.org/viewvc?rev=729825&view=rev
Log:
Make certain that classes are first loaded by trusted code when working in a sandbox.

Remove vetoed proposal
comment on proposal

Modified:
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=729825&r1=729824&r2=729825&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Dec 28 19:12:16 2008
@@ -31,17 +31,6 @@
 PATCHES PROPOSED TO BACKPORT:
   [ New proposals should be added at the end of the list ]
 
-*  Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=36155
-   Port the fix from the JK Connector to the AJP and APR Connectors
-   http://svn.apache.org/viewvc?rev=672454&view=rev
-   +1: billbarker
-   -1: remm: No, this gets called all the time, and we're trying to fix a small issue. The real
-             solution would be to recycle the fields since as mentioned here it is the cause of 
-             the problem (the "local" fields will often never change, but there's no real 
-             guarantee overall - it mostly breaks down if there are multiple connectors, with AJP,
-             and seems impossible to anticipate):
-             https://issues.apache.org/bugzilla/show_bug.cgi?id=36155#c17
-
 * Fix issue where the first request for a deleted JSPs returns as if the JSP
   still exists.
   http://svn.apache.org/viewvc?view=rev&revision=683969
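
Review bot: removing the vetoed 36155 proposal is unrelated to the sandbox backport that gives this commit its log summary, and it deletes remm's -1 rationale from STATUS.txt. Commit the STATUS.txt housekeeping separately from the code change, and check that the reasoning survives in bug 36155 itself, which the removed text points to (comment 17) for the underlying cause.
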
@@ -235,6 +224,9 @@
   http://svn.apache.org/viewvc?rev=721708&view=rev
   http://svn.apache.org/viewvc?rev=721886&view=rev
   +1: markt, fhanik
+   0: billbarker: Haven't tried to break it yet, but the 4th patch potentially
+      offers access to static fields in ELContextImpl and ELResolverImpl that could 
+      possibly be exploited by a malicious webapp.
   -1: 
 
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44285
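
Review bot: the 0 vote added under the +1 line names ELContextImpl and ELResolverImpl but not the static fields concerned or what a webapp could do with them, and the text itself says the concern is untested. Name the fields, or point at the relevant lines of the 4th patch, so the other voters can evaluate it; the trailing spaces on two of the added lines can also be trimmed.
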
@@ -257,12 +249,6 @@
   +1: markt, fhanik
   -1: 
 
-* Make certain that classes are first loaded by trusted code
-  when working in a sandbox.
-  http://svn.apache.org/viewvc?rev=729206&view=rev
-  +1: billbarker, fhanik, markt
-  -1:   
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46357
   Correct test for host's parent must be an engine
   http://svn.apache.org/viewvc?rev=729567&view=rev

Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=729825&r1=729824&r2=729825&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java Sun Dec 28 19:12:16 2008
@@ -73,6 +73,8 @@
     protected static StringManager sm =
         StringManager.getManager(Constants.Package);
 
+    protected static boolean isSecurityEnabled = 
+	org.apache.coyote.Constants.IS_SECURITY_ENABLED;
 
     // ------------------------------------------------------------ Constructor
 
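
Review bot: the new isSecurityEnabled field is declared protected static without final, so a subclass or a class in the same package can reassign the flag that selects the doPrivileged path later in this file. Declare it private static final (or at least final), add a one-line comment that the constant is copied here so the class is first loaded by trusted code, as the log message says, and replace the tab on the continuation line with spaces to match the surrounding indentation.
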
@@ -1560,7 +1562,7 @@
 
         // Add date header
         String date = null;
-        if (org.apache.coyote.Constants.IS_SECURITY_ENABLED){
+        if (isSecurityEnabled){
             date = (String)AccessController.doPrivileged(
                     new PrivilegedAction() {
                         public Object run(){
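
Review bot: only this one reference to org.apache.coyote.Constants.IS_SECURITY_ENABLED is switched to the new field in the visible diff. If Http11Processor reads the constant anywhere else, switch those reads too, so that every security check in the class goes through the same field.
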

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=729825&r1=729824&r2=729825&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Dec 28 19:12:16 2008
@@ -242,6 +242,9 @@
         <bug>46125</bug>: Return a status code of 400 if the request headers are
         too large. (markt)
       </fix>
+      <fix>
+       Make certain that classes are first loaded by trusted code when working in a sandbox. (billbarker)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">
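
Review bot: the new <fix> entry does not say which component changed and cites no revision or bug id, unlike the neighbouring entry, which leads with <bug>46125</bug>. Mention Http11Processor (or the HTTP connector) and the revision being backported, r729206 per STATUS.txt, and wrap and indent the line like the entry above it.
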



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: svn commit: r729825 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/coyote/http11/Http11Processor.java webapps/docs/changelog.xml

Posted by Mark Thomas <ma...@apache.org>.
billbarker@apache.org wrote:
> @@ -235,6 +224,9 @@
>    http://svn.apache.org/viewvc?rev=721708&view=rev
>    http://svn.apache.org/viewvc?rev=721886&view=rev
>    +1: markt, fhanik
> +   0: billbarker: Haven't tried to break it yet, but the 4th patch potentially
> +      offers access to static fields in ELContextImpl and ELResolverImpl that could 
> +      possibly be exploited by a malicious webapp.

Any thoughts on how to fix this? How about testing for a security manager and if
one is present creating new instances of NullFunctionMapper and DefaultResolver
rather than re-using the static ones?

Mark
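
The idea in this reply, sketched as an added example that is not part of the original message or of Tomcat's code: hand out a fresh instance per caller when a security manager is present, and reuse the shared static one otherwise. StandInResolver and ResolverFactoryDemo are hypothetical names; they do not model the real NullFunctionMapper or DefaultResolver, whose internals are not shown on this page.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for a helper object that carries mutable state.
final class StandInResolver {
    private final Map<String, Object> values = new HashMap<String, Object>();
    void setValue(String name, Object value) { values.put(name, value); }
    Object getValue(String name) { return values.get(name); }
}

public class ResolverFactoryDemo {
    // One instance shared by every caller in the JVM: cheap, but all code
    // that can reach it reads and writes the same state.
    private static final StandInResolver SHARED = new StandInResolver();

    // Evaluated once during class initialisation; private and final so that
    // no other class can change the answer afterwards.
    private static final boolean SANDBOXED = System.getSecurityManager() != null;

    // Core decision, parameterised so both branches can be exercised below.
    static StandInResolver resolverFor(boolean sandboxed) {
        return sandboxed ? new StandInResolver() : SHARED;
    }

    // What production code would call.
    static StandInResolver resolver() {
        return resolverFor(SANDBOXED);
    }

    public static void main(String[] args) {
        // No sandbox: two callers receive the same object, so a value
        // written through one reference is visible through the other.
        StandInResolver a = resolverFor(false);
        StandInResolver b = resolverFor(false);
        a.setValue("user", "set-by-caller-A");
        System.out.println("shared:   B reads " + b.getValue("user"));

        // Sandbox: each caller receives its own object, so nothing leaks.
        StandInResolver c = resolverFor(true);
        StandInResolver d = resolverFor(true);
        c.setValue("user", "set-by-caller-C");
        System.out.println("isolated: D reads " + d.getValue("user"));
        System.out.println("same instance when sandboxed? " + (c == d));
    }
}
```

The per-caller allocation is paid only when a security manager is installed, which is the trade-off the reply proposes.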

