Posted to dev@tomcat.apache.org by jb...@apache.org on 2015/02/10 17:32:13 UTC
svn commit: r1658754 - in /tomcat/taglibs/standard/trunk: ./
impl/src/main/java/org/apache/taglibs/standard/util/
impl/src/test/java/org/apache/taglibs/standard/util/
Author: jboynes
Date: Tue Feb 10 16:32:13 2015
New Revision: 1658754
URL: http://svn.apache.org/r1658754
Log:
Check protocol when resolving on older JREs
Added:
tomcat/taglibs/standard/trunk/impl/src/test/java/org/apache/taglibs/standard/util/XmlUtilTest.java (with props)
Modified:
tomcat/taglibs/standard/trunk/CHANGES.txt
tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/UrlUtil.java
tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java
Modified: tomcat/taglibs/standard/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/tomcat/taglibs/standard/trunk/CHANGES.txt?rev=1658754&r1=1658753&r2=1658754&view=diff
==============================================================================
--- tomcat/taglibs/standard/trunk/CHANGES.txt (original)
+++ tomcat/taglibs/standard/trunk/CHANGES.txt Tue Feb 10 16:32:13 2015
@@ -1,8 +1,9 @@
Changes in 1.2.3 release
-57547 Fix regression with running on older JREs
-57548 Update library version number printed by Version class
+57560 Check protocol when resolving on older JREs
57549 Fix reference to old SNAPSHOT version of taglibs-build-tools in pom files.
+57548 Update library version number printed by Version class
+57547 Fix regression with running on older JREs
Changes in 1.2.2 release [WITHDRAWN due to regressions in older JREs]
Modified: tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/UrlUtil.java
URL: http://svn.apache.org/viewvc/tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/UrlUtil.java?rev=1658754&r1=1658753&r2=1658754&view=diff
==============================================================================
--- tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/UrlUtil.java (original)
+++ tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/UrlUtil.java Tue Feb 10 16:32:13 2015
@@ -77,4 +77,19 @@ public class UrlUtil {
// if so, we've got an absolute url
return true;
}
+
+ public static String getScheme(CharSequence url) {
+ StringBuilder scheme = new StringBuilder();
+ for (int i = 0; i < url.length(); i++) {
+ char ch = url.charAt(i);
+ if (ch == ':') {
+ String result = scheme.toString();
+ if (!"jar".equals(result)) {
+ return result;
+ }
+ }
+ scheme.append(ch);
+ }
+ throw new IllegalArgumentException("No scheme found: " + url);
+ }
}
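Review bot: getScheme tests the leading segment against `"jar"` case-sensitively (`"jar".equals(result)`) while XmlUtil.checkProtocol matches the returned scheme with equalsIgnoreCase, so `JAR:file:///…` yields `JAR`, which can never equal an allow-list entry of `jar:file`; the result is a denial, so it fails closed, but the two sides should agree: `if (!"jar".equalsIgnoreCase(result)) {`. The method is also new public API with no Javadoc; it should state that it returns the text before the first `:`, that a `jar:` prefix is kept together with the nested scheme (so `jar:file:///…` gives `jar:file`), and that input without any `:` throws IllegalArgumentException, so callers are expected to gate on isAbsoluteUrl first as the XmlUtil callers do.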
Modified: tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java
URL: http://svn.apache.org/viewvc/tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java?rev=1658754&r1=1658753&r2=1658754&view=diff
==============================================================================
--- tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java (original)
+++ tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java Tue Feb 10 16:32:13 2015
@@ -20,6 +20,7 @@ import java.io.FileNotFoundException;
import java.io.InputStream;
import java.io.Reader;
import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Callable;
@@ -111,6 +112,27 @@ public class XmlUtil {
}
}
+ private static final String SP_ALLOWED_PROTOCOLS = "org.apache.taglibs.standard.xml.accessExternalEntity";
+ private static final String ALLOWED_PROTOCOLS = AccessController.doPrivileged(new PrivilegedAction<String>() {
+ public String run() {
+ String defaultProtocols = System.getSecurityManager() == null ? "all" : "";
+ return System.getProperty(SP_ALLOWED_PROTOCOLS, defaultProtocols);
+ }
+ });
+
+ static void checkProtocol(String allowedProtocols, String uri) {
+ if ("all".equalsIgnoreCase(allowedProtocols)) {
+ return;
+ }
+ String protocol = UrlUtil.getScheme(uri);
+ for (String allowed : allowedProtocols.split(",")) {
+ if (allowed.trim().equalsIgnoreCase(protocol)) {
+ return;
+ }
+ }
+ throw new SecurityException("Access to external URI not allowed: " + uri);
+ }
+
/**
* Create a new empty document.
*
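Review bot: In checkProtocol an empty allow-list entry is matched like any other protocol name, so a value such as `",http"` or `"http,,file"` produces an `""` entry, and if UrlUtil.getScheme ever returns an empty scheme (it returns whatever precedes the first `:`; whether isAbsoluteUrl can admit such a string is outside this hunk) the check would pass instead of denying. Skipping blank entries keeps the deny-by-default: `String name = allowed.trim(); if (!name.isEmpty() && name.equalsIgnoreCase(protocol)) { return; }`. The new `SP_ALLOWED_PROTOCOLS` property also lacks a comment describing its accepted values and when it is read; something like `// Value is "all", "" (deny every external protocol) or a comma-separated list of schemes such as "http,jar:file,file".` followed by `// Read once at class load; default is "all" without a SecurityManager and "" with one.` would let operators know that the check is a no-op in the common no-SecurityManager deployment unless the property is set explicitly, and that changing the property at runtime has no effect.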
@@ -219,7 +241,7 @@ public class XmlUtil {
}
/**
- * JSTL-specific implementation of EntityResolver.
+ * JSTL-specific implementation of EntityResolver, used by parsers.
*/
public static class JstlEntityResolver implements EntityResolver {
private final PageContext ctx;
@@ -242,6 +264,7 @@ public class XmlUtil {
// we're only concerned with relative URLs
if (UrlUtil.isAbsoluteUrl(systemId)) {
+ checkProtocol(ALLOWED_PROTOCOLS, systemId);
return null;
}
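Review bot: The `return null` following the new checkProtocol call is now the only path an absolute systemId takes, and nothing records that null hands the fetch back to the parser, so the protocol check is the sole gate before that connection; a comment would make the intent explicit: `// absolute URI: protocol is permitted, let the parser's default resolution open it`. The same comment fits the two `checkProtocol(...) / return null` branches added to JstlUriResolver.resolve in the later `href`/`base` hunk, where returning null likewise defers to the transformer's own resolution. The body of resolveEntity begins and ends outside this hunk.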
@@ -264,7 +287,7 @@ public class XmlUtil {
}
/**
- * JSTL-specific implementation of URIResolver.
+ * JSTL-specific implementation of URIResolver, used by transformers.
*/
public static class JstlUriResolver implements URIResolver {
private final PageContext ctx;
@@ -289,8 +312,12 @@ public class XmlUtil {
}
// we're only concerned with relative URLs
- if (UrlUtil.isAbsoluteUrl(href)
- || (base != null && UrlUtil.isAbsoluteUrl(base))) {
+ if (UrlUtil.isAbsoluteUrl(href)) {
+ checkProtocol(ALLOWED_PROTOCOLS, href);
+ return null;
+ }
+ if (base != null && UrlUtil.isAbsoluteUrl(base)) {
+ checkProtocol(ALLOWED_PROTOCOLS, base);
return null;
}
Added: tomcat/taglibs/standard/trunk/impl/src/test/java/org/apache/taglibs/standard/util/XmlUtilTest.java
URL: http://svn.apache.org/viewvc/tomcat/taglibs/standard/trunk/impl/src/test/java/org/apache/taglibs/standard/util/XmlUtilTest.java?rev=1658754&view=auto
==============================================================================
--- tomcat/taglibs/standard/trunk/impl/src/test/java/org/apache/taglibs/standard/util/XmlUtilTest.java (added)
+++ tomcat/taglibs/standard/trunk/impl/src/test/java/org/apache/taglibs/standard/util/XmlUtilTest.java Tue Feb 10 16:32:13 2015
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.taglibs.standard.util;
+
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+
+public class XmlUtilTest {
+
+ @Rule
+ public ExpectedException thrown = ExpectedException.none();
+
+ @Test
+ public void anyProtocolAllowedForAll() {
+ XmlUtil.checkProtocol("all", "http://example.com/foo.xml");
+ }
+
+ @Test
+ public void standardSchemesAllowed() {
+ XmlUtil.checkProtocol("http,jar:file,file", "http://example.com/foo.xml");
+ XmlUtil.checkProtocol("http,jar:file,file", "file:///tmp/file");
+ XmlUtil.checkProtocol("http,jar:file,file", "jar:file:///tmp/file.jar!/entry.xml");
+ }
+
+ @Test
+ public void notAllowedForEmptyString() {
+ thrown.expect(SecurityException.class);
+ XmlUtil.checkProtocol("", "http://example.com/foo.xml");
+ }
+
+ @Test
+ public void notAllowed() {
+ thrown.expect(SecurityException.class);
+ XmlUtil.checkProtocol("http,file", "https://example.com/foo.xml");
+ }
+}
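Review bot: The new tests cover allow, deny and the empty list, but not the boundary the `jar:file` handling exists for: nothing asserts that an allow list containing only `file` rejects a `jar:file:` URI, and nothing asserts that scheme matching is case-insensitive. Add a denial case, `thrown.expect(SecurityException.class); XmlUtil.checkProtocol("http,file", "jar:file:///tmp/file.jar!/entry.xml");`, and a positive case such as `XmlUtil.checkProtocol("http", "HTTP://example.com/foo.xml");`. UrlUtil.getScheme has no direct test either, in particular its IllegalArgumentException for an input with no colon.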
Propchange: tomcat/taglibs/standard/trunk/impl/src/test/java/org/apache/taglibs/standard/util/XmlUtilTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Re: svn commit: r1658754 - in /tomcat/taglibs/standard/trunk: ./
impl/src/main/java/org/apache/taglibs/standard/util/ impl/src/test/java/org/apache/taglibs/standard/util/
Posted by Konstantin Kolinko <kn...@gmail.com>.
2015-02-10 19:32 GMT+03:00 <jb...@apache.org>:
> Author: jboynes
> Date: Tue Feb 10 16:32:13 2015
> New Revision: 1658754
>
> URL: http://svn.apache.org/r1658754
> Log:
> Check protocol when resolving on older JREs
>
> Added:
> tomcat/taglibs/standard/trunk/impl/src/test/java/org/apache/taglibs/standard/util/XmlUtilTest.java (with props)
> Modified:
> tomcat/taglibs/standard/trunk/CHANGES.txt
> tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/UrlUtil.java
> tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/XmlUtil.java
> Modified: tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/UrlUtil.java
> URL: http://svn.apache.org/viewvc/tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/UrlUtil.java?rev=1658754&r1=1658753&r2=1658754&view=diff
> ==============================================================================
> --- tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/UrlUtil.java (original)
> +++ tomcat/taglibs/standard/trunk/impl/src/main/java/org/apache/taglibs/standard/util/UrlUtil.java Tue Feb 10 16:32:13 2015
> @@ -77,4 +77,19 @@ public class UrlUtil {
> // if so, we've got an absolute url
> return true;
> }
> +
> + public static String getScheme(CharSequence url) {
This method is only used with a String argument.
For a String it would be easier to use indexOf(':'),
though it does special processing for "jar" protocol.
> + StringBuilder scheme = new StringBuilder();
> + for (int i = 0; i < url.length(); i++) {
> + char ch = url.charAt(i);
> + if (ch == ':') {
> + String result = scheme.toString();
> + if (!"jar".equals(result)) {
> + return result;
> + }
> + }
> + scheme.append(ch);
> + }
> + throw new IllegalArgumentException("No scheme found: " + url);
> + }
> }
Best regards,
Konstantin Kolinko