Posted to dev@tomcat.apache.org by bi...@apache.org on 2008/12/29 04:12:17 UTC
svn commit: r729825 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/coyote/http11/Http11Processor.java webapps/docs/changelog.xml
Author: billbarker
Date: Sun Dec 28 19:12:16 2008
New Revision: 729825
URL: http://svn.apache.org/viewvc?rev=729825&view=rev
Log:
Make certain that classes are first loaded by trusted code when working in a sandbox.
Remove vetoed proposal
comment on proposal
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=729825&r1=729824&r2=729825&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Dec 28 19:12:16 2008
@@ -31,17 +31,6 @@
PATCHES PROPOSED TO BACKPORT:
[ New proposals should be added at the end of the list ]
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=36155
- Port the fix from the JK Connector to the AJP and APR Connectors
- http://svn.apache.org/viewvc?rev=672454&view=rev
- +1: billbarker
- -1: remm: No, this gets called all the time, and we're trying to fix a small issue. The real
- solution would be to recycle the fields since as mentioned here it is the cause of
- the problem (the "local" fields will often never change, but there's no real
- guarantee overall - it mostly breaks down if there are multiple connectors, with AJP,
- and seems impossible to anticipate):
- https://issues.apache.org/bugzilla/show_bug.cgi?id=36155#c17
-
* Fix issue where the first request for a deleted JSPs returns as if the JSP
still exists.
http://svn.apache.org/viewvc?view=rev&revision=683969
@@ -235,6 +224,9 @@
http://svn.apache.org/viewvc?rev=721708&view=rev
http://svn.apache.org/viewvc?rev=721886&view=rev
+1: markt, fhanik
+ 0: billbarker: Haven't tried to break it yet, but the 4th patch potentially
+ offers access to static fields in ELContextImpl and ELResolverImpl that could
+ possibly be exploited by a malicious webapp.
-1:
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44285
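Review bot: the added `0: billbarker` vote refers to "the 4th patch" by position and to "static fields in ELContextImpl and ELResolverImpl" without naming them, so the concern cannot be checked from STATUS.txt alone. Cite the revision number of the patch meant and the field names, so that a voter can see which objects a webapp would reach and whether they hold mutable state.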
@@ -257,12 +249,6 @@
+1: markt, fhanik
-1:
-* Make certain that classes are first loaded by trusted code
- when working in a sandbox.
- http://svn.apache.org/viewvc?rev=729206&view=rev
- +1: billbarker, fhanik, markt
- -1:
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46357
Correct test for host's parent must be an engine
http://svn.apache.org/viewvc?rev=729567&view=rev
Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=729825&r1=729824&r2=729825&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Processor.java Sun Dec 28 19:12:16 2008
@@ -73,6 +73,8 @@
protected static StringManager sm =
StringManager.getManager(Constants.Package);
+ protected static boolean isSecurityEnabled =
+ org.apache.coyote.Constants.IS_SECURITY_ENABLED;
// ------------------------------------------------------------ Constructor
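Review bot: the new `isSecurityEnabled` field is declared `protected static boolean` without `final`, so the copy of `org.apache.coyote.Constants.IS_SECURITY_ENABLED` can be reassigned by a subclass or by same-package code after class initialisation. Since the flag selects the `doPrivileged` path, declare it `final`, and `private` unless a subclass is known to need it.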
@@ -1560,7 +1562,7 @@
// Add date header
String date = null;
- if (org.apache.coyote.Constants.IS_SECURITY_ENABLED){
+ if (isSecurityEnabled){
date = (String)AccessController.doPrivileged(
new PrivilegedAction() {
public Object run(){
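Review bot: nothing at the `if (isSecurityEnabled){` line says why the direct reference to `org.apache.coyote.Constants.IS_SECURITY_ENABLED` was replaced, so a later cleanup could revert it as a no-op. Add a short comment here or at the field declaration that ties the indirection to the log message's reason (classes first loaded by trusted code when working in a sandbox).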
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=729825&r1=729824&r2=729825&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sun Dec 28 19:12:16 2008
@@ -242,6 +242,9 @@
<bug>46125</bug>: Return a status code of 400 if the request headers are
too large. (markt)
</fix>
+ <fix>
+ Make certain that classes are first loaded by trusted code when working in a sandbox. (billbarker)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
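Review bot: the new `<fix>` entry carries no bug or revision reference and does not name the class changed, unlike the `<bug>46125</bug>` entry just above it. Name the affected class (Http11Processor) or the revision, so that someone running with a security manager can tell which connector the fix touches.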
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r729825 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/coyote/http11/Http11Processor.java webapps/docs/changelog.xml
Posted by Mark Thomas <ma...@apache.org>.
billbarker@apache.org wrote:
> @@ -235,6 +224,9 @@
> http://svn.apache.org/viewvc?rev=721708&view=rev
> http://svn.apache.org/viewvc?rev=721886&view=rev
> +1: markt, fhanik
> + 0: billbarker: Haven't tried to break it yet, but the 4th patch potentially
> + offers access to static fields in ELContextImpl and ELResolverImpl that could
> + possibly be exploited by a malicious webapp.
Any thoughts on how to fix this? How about testing for a security manager and if
one is present creating new instances of NullFunctionMapper and DefaultResolver
rather than re-using the static ones?
Mark
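
The suggestion in the reply above, sketched as an added example (not Tomcat code and not written by either poster). `SketchResolver` and `SketchContext` are hypothetical stand-ins, not the real `DefaultResolver` or `ELContextImpl`, and the mutable map is an assumption made so that the effect of sharing one static instance is visible.

```java
import java.util.HashMap;
import java.util.Map;

public class SandboxInstanceSketch {

    /** Hypothetical resolver that carries mutable state (an assumption). */
    static final class SketchResolver {
        private final Map<String, Object> values = new HashMap<String, Object>();
        void bind(String name, Object value) { values.put(name, value); }
        Object resolve(String name) { return values.get(name); }
    }

    /** Hypothetical context that either reuses a static resolver or owns one. */
    static final class SketchContext {
        // One JVM-wide instance: whatever one caller binds, every caller sees.
        private static final SketchResolver SHARED = new SketchResolver();
        private final SketchResolver resolver;

        SketchContext() {
            // Deprecated in current JDKs; it is the check the reply describes.
            this(System.getSecurityManager() != null);
        }

        SketchContext(boolean sandboxed) {
            // Sandboxed: untrusted webapps may be running, so give each
            // context a private instance instead of the shared static one.
            this.resolver = sandboxed ? new SketchResolver() : SHARED;
        }

        SketchResolver getResolver() { return resolver; }
    }

    public static void main(String[] args) {
        // Not sandboxed: a binding made through one context leaks to the other.
        SketchContext a = new SketchContext(false);
        SketchContext b = new SketchContext(false);
        a.getResolver().bind("user", "set-by-webapp-A");
        System.out.println("shared:   " + b.getResolver().resolve("user"));

        // Sandboxed: each context has its own resolver, so nothing leaks.
        SketchContext c = new SketchContext(true);
        SketchContext d = new SketchContext(true);
        c.getResolver().bind("user", "set-by-webapp-C");
        System.out.println("isolated: " + d.getResolver().resolve("user"));
    }
}
```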