[jboss-cvs] JBossAS SVN: r114523 - in branches/JBPAPP_5_0_1_JBPAPP-10871: cluster/src/main/org/jboss/ha/framework/server and 3 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Mon Oct 7 03:19:28 EDT 2013
Author: jiwils
Date: 2013-10-07 03:19:28 -0400 (Mon, 07 Oct 2013)
New Revision: 114523
Added:
branches/JBPAPP_5_0_1_JBPAPP-10871/cluster/src/main/org/jboss/ha/jndi/HARMIServerGuard.java
branches/JBPAPP_5_0_1_JBPAPP-10871/patch/
branches/JBPAPP_5_0_1_JBPAPP-10871/patch/build.xml
branches/JBPAPP_5_0_1_JBPAPP-10871/patch/etc/
branches/JBPAPP_5_0_1_JBPAPP-10871/patch/lib/
branches/JBPAPP_5_0_1_JBPAPP-10871/patch/lib/jbosssx-2.0.4.SP3.jar
branches/JBPAPP_5_0_1_JBPAPP-10871/patch/lib/jbosssx-client-2.0.4.SP3.jar
branches/JBPAPP_5_0_1_JBPAPP-10871/patch/lib/jnpserver-5.0.3.GA.jar
Modified:
branches/JBPAPP_5_0_1_JBPAPP-10871/cluster/src/main/org/jboss/ha/framework/server/HARMIServerImpl.java
branches/JBPAPP_5_0_1_JBPAPP-10871/cluster/src/main/org/jboss/ha/jndi/DetachedHANamingService.java
Log:
JBPAPP-10817 - Added fixes for CVE-2011-4605 *minus* HTTP invoker and testsuite changes.
Modified: branches/JBPAPP_5_0_1_JBPAPP-10871/cluster/src/main/org/jboss/ha/framework/server/HARMIServerImpl.java
===================================================================
--- branches/JBPAPP_5_0_1_JBPAPP-10871/cluster/src/main/org/jboss/ha/framework/server/HARMIServerImpl.java 2013-10-03 03:39:56 UTC (rev 114522)
+++ branches/JBPAPP_5_0_1_JBPAPP-10871/cluster/src/main/org/jboss/ha/framework/server/HARMIServerImpl.java 2013-10-07 07:19:28 UTC (rev 114523)
@@ -33,6 +33,7 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import javax.naming.NoPermissionException;
import org.jboss.ha.client.loadbalance.LoadBalancePolicy;
import org.jboss.ha.framework.interfaces.HAPartition;
@@ -43,6 +44,8 @@
import org.jboss.invocation.MarshalledInvocation;
import org.jboss.logging.Logger;
import org.jboss.net.sockets.DefaultSocketFactory;
+import org.jboss.ha.jndi.HARMIServerGuard;
+import org.jnp.server.NamingServerGuard;
/**
* This class is a <em>server-side</em> proxy for replicated RMI objects.
@@ -197,6 +200,14 @@
mi.setMethodMap(invokerMap);
Method method = mi.getMethod();
+ log.info("RMI local invocation =" + mi.isLocal());
+ if (NamingServerGuard.GUARDED_JNDI_METHOD_NAMES.indexOf(method.getName()) != -1)
+ {
+ throw new NoPermissionException(method.getName() +
+ " JNDI operation not allowed when on non-local invocation.");
+ }
+
+
try
{
HARMIResponse rsp = new HARMIResponse();
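Review bot: The guard added before the `try` rejects every method named in `NamingServerGuard.GUARDED_JNDI_METHOD_NAMES` without consulting `mi.isLocal()`, although the exception text says "when on non-local invocation" and the matching check in DetachedHANamingService is gated on `!invocation.isLocal()`; `HARMIServerGuard.invoke` in this commit has the same unconditional form. If denying in-VM callers too is intended on the RMI path (fail-closed), a comment saying so and a message without the "non-local" wording would avoid confusion; otherwise the condition should read `if (!mi.isLocal() && NamingServerGuard.GUARDED_JNDI_METHOD_NAMES.indexOf(method.getName()) != -1)`. Because the file's own header describes this class as a server-side proxy for replicated RMI objects, matching on the bare method name may also refuse unrelated HA-RMI targets that happen to share a guarded name, which is worth checking. The `log.info("RMI local invocation =" ...)` line fires on every call and belongs at debug or trace level. The enclosing method starts and ends outside the hunk.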
Modified: branches/JBPAPP_5_0_1_JBPAPP-10871/cluster/src/main/org/jboss/ha/jndi/DetachedHANamingService.java
===================================================================
--- branches/JBPAPP_5_0_1_JBPAPP-10871/cluster/src/main/org/jboss/ha/jndi/DetachedHANamingService.java 2013-10-03 03:39:56 UTC (rev 114522)
+++ branches/JBPAPP_5_0_1_JBPAPP-10871/cluster/src/main/org/jboss/ha/jndi/DetachedHANamingService.java 2013-10-07 07:19:28 UTC (rev 114523)
@@ -42,6 +42,7 @@
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
+import javax.naming.NoPermissionException;
import javax.management.ObjectName;
import javax.net.ServerSocketFactory;
@@ -57,6 +58,7 @@
import org.jboss.util.threadpool.ThreadPool;
import org.jnp.interfaces.Naming;
import org.jnp.interfaces.NamingContext;
+import org.jnp.server.NamingServerGuard;
/**
* Management Bean for the protocol independent HA-JNDI service. This allows the
@@ -441,6 +443,14 @@
Method method = invocation.getMethod();
Object[] args = invocation.getArguments();
Object value = null;
+
+ log.info("DETACHED local invocation =" + invocation.isLocal());
+ if (!invocation.isLocal()
+ && NamingServerGuard.GUARDED_JNDI_METHOD_NAMES.indexOf(method.getName()) != -1) {
+ throw new NoPermissionException(method.getName() +
+ " JNDI operation not allowed when on non-local invocation.");
+ }
+
try
{
value = method.invoke(this.theServer, args);
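Review bot: The new check `if (!invocation.isLocal() && ...)` trusts `invocation.isLocal()` to separate in-VM callers from remote ones, and nothing in this hunk shows where that flag is set. If it is restored from the marshalled payload rather than set by the receiving invoker, the caller would presumably control the outcome of the check, so this should be confirmed and recorded next to the guard, e.g. `// isLocal() is set server-side by <invoker>, never taken from client-supplied data`. The `log.info("DETACHED local invocation =" ...)` line also runs on every JNDI call and would be better as `log.debug` or `log.trace`. The enclosing method starts and ends outside the hunk.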
Copied: branches/JBPAPP_5_0_1_JBPAPP-10871/cluster/src/main/org/jboss/ha/jndi/HARMIServerGuard.java (from rev 114522, tags/JBPAPP_5_1_2_GA_CVE_JBPAPP-7788_JBPAPP-8432/cluster/src/main/org/jboss/ha/jndi/HARMIServerGuard.java)
===================================================================
--- branches/JBPAPP_5_0_1_JBPAPP-10871/cluster/src/main/org/jboss/ha/jndi/HARMIServerGuard.java (rev 0)
+++ branches/JBPAPP_5_0_1_JBPAPP-10871/cluster/src/main/org/jboss/ha/jndi/HARMIServerGuard.java 2013-10-07 07:19:28 UTC (rev 114523)
@@ -0,0 +1,90 @@
+ /*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2005, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.jboss.ha.jndi;
+
+import java.io.Serializable;
+import java.lang.reflect.Method;
+import java.rmi.server.RemoteStub;
+import java.util.List;
+
+import javax.naming.NoPermissionException;
+
+import org.jboss.ha.framework.interfaces.HARMIResponse;
+import org.jboss.ha.framework.interfaces.HARMIServer;
+import org.jboss.invocation.MarshalledInvocation;
+import org.jboss.logging.Logger;
+import org.jnp.server.NamingServerGuard;
+
+
+/**
+ * Object to register instead of original object.
+ * It will guard certain invocations see invoke method.
+ *
+ * @author <a href="mailto:pskopek at redhat.com">Peter Skopek</a>
+ *
+ */
+public class HARMIServerGuard implements HARMIServer, Serializable
+{
+
+ private static Logger log = Logger.getLogger(HARMIServerGuard.class);
+
+ private HARMIServer guardedHARMIServer;
+
+ public HARMIServerGuard(HARMIServer guardedHARMIServer)
+ {
+ this.guardedHARMIServer = guardedHARMIServer;
+ }
+
+ /* (non-Javadoc)
+ * @see org.jboss.ha.framework.interfaces.HARMIServer#invoke(long, org.jboss.invocation.MarshalledInvocation)
+ */
+ public HARMIResponse invoke(long tag, MarshalledInvocation mi)
+ throws Exception
+ {
+ log.info("RMI local invocation =" + mi.isLocal());
+ Method method = mi.getMethod();
+ if (NamingServerGuard.GUARDED_JNDI_METHOD_NAMES.indexOf(method.getName()) != -1) {
+ throw new NoPermissionException(method.getName() +
+ " JNDI operation not allowed when on non-local invocation.");
+ }
+
+ return guardedHARMIServer.invoke(tag, mi);
+ }
+
+ /* (non-Javadoc)
+ * @see org.jboss.ha.framework.interfaces.HARMIServer#getReplicants()
+ */
+ public List getReplicants() throws Exception
+ {
+ return guardedHARMIServer.getReplicants();
+ }
+
+ /* (non-Javadoc)
+ * @see org.jboss.ha.framework.interfaces.HARMIServer#getLocal()
+ */
+ public Object getLocal() throws Exception
+ {
+ return guardedHARMIServer.getLocal();
+ }
+
+}
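Review bot: No hunk shown in this commit constructs a `HARMIServerGuard`; HARMIServerImpl only gains the import and performs the same name check inline in its own `invoke`. The class Javadoc should say where the wrapper is registered in place of the real `HARMIServer`, because any path that still exports the unwrapped object would not get the check from this class. The class is `Serializable` with a mutable `guardedHARMIServer` field and no `serialVersionUID`; declaring `private final HARMIServer guardedHARMIServer;`, rejecting a null argument in the constructor, and making `log` `static final` would tighten it. `getReplicants()` returns a raw `List`, presumably dictated by the `HARMIServer` interface.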
Added: branches/JBPAPP_5_0_1_JBPAPP-10871/patch/build.xml
===================================================================
--- branches/JBPAPP_5_0_1_JBPAPP-10871/patch/build.xml (rev 0)
+++ branches/JBPAPP_5_0_1_JBPAPP-10871/patch/build.xml 2013-10-07 07:19:28 UTC (rev 114523)
@@ -0,0 +1,90 @@
+<project name="JBPAPP-10871 Build" default="build" basedir=".">
+
+<!-- Directories utilized by the build ************************************* -->
+<property name="dist.dir" value="${basedir}/dist"/>
+<property name="eap.build.dir" value="${basedir}/../build"/>
+<property name="eap.build.output.dir" value="${eap.build.dir}/output/jboss-5.0.1."/>
+<property name="patch.etc.dir" value="${basedir}/etc"/>
+<property name="patch.lib.dir" value="${basedir}/lib"/>
+
+<!-- Public targets ******************************************************** -->
+
+<target name="clean"
+ description="removes the directories/files created by the build">
+
+ <delete includeEmptyDirs="true"
+ failonerror="false">
+ <fileset dir="${dist.dir}"/>
+ </delete>
+</target>
+
+<target name="build-eap"
+ description="builds EAP for JBPAPP-10871"
+ depends="require-java6, update-jnpserver.jar">
+
+ <exec executable="./build.sh" dir="${eap.build.dir}"/>
+</target>
+
+<target name="package"
+ description="packages the JBPAPP-10871 patch distribution"
+ depends="mkdir-dist">
+
+ <mkdir dir="${dist.dir}/JBPAPP-10871"/>
+
+ <echo message="Extracting updated JARs..."/>
+
+ <copy file="${eap.build.output.dir}/common/lib/jbossha.jar"
+ todir="${dist.dir}/JBPAPP-10871"/>
+
+ <echo message="Extracting updated subcomponents..."/>
+
+ <copy file="${patch.lib.dir}/jnpserver-5.0.3.GA.jar"
+ tofile="${dist.dir}/JBPAPP-10871/jnpserver.jar"/>
+
+ <copy file="${patch.lib.dir}/jbosssx-2.0.4.SP3.jar"
+ tofile="${dist.dir}/JBPAPP-10871/jbosssx.jar"/>
+
+ <copy file="${patch.lib.dir}/jbosssx-client-2.0.4.SP3.jar"
+ tofile="${dist.dir}/JBPAPP-10871/jbosssx-client.jar"/>
+
+ <zip basedir="${dist.dir}"
+ destfile="${dist.dir}/JBPAPP-10871.zip" includes="JBPAPP-10871/**"/>
+
+ <delete dir="${dist.dir}/JBPAPP-10871"/>
+</target>
+
+<!-- Private targets ******************************************************* -->
+
+<target name="mkdir-dist">
+ <mkdir dir="${dist.dir}"/>
+</target>
+
+<target name="require-java6">
+ <echo message="Java Version: ${java.version}"/>
+ <fail message="Building EAP 5.1.2 for JBPAPP-8693 requires Java 6.">
+ <condition>
+ <not>
+ <or>
+ <contains string="${java.version}" substring="1.6" casesensitive="false"/>
+ </or>
+ </not>
+ </condition>
+ </fail>
+</target>
+
+ <target name="update-jnpserver.jar">
+ <echo message="Updating jnpserver.jar for the EAP 5.0.1 build of the patch..."/>
+
+ <property name="3rdparty.dir" value="${basedir}/../thirdparty"/>
+ <property name="3rdparty.jboss.dir" value="${3rdparty.dir}/jboss"/>
+ <property name="3rdparty.jnpserver.dir" value="${3rdparty.jboss.dir}/jnpserver"/>
+ <property name="3rdparty.lib.dir" value="${3rdparty.jnpserver.dir}/lib"/>
+
+ <mkdir dir="${3rdparty.jboss.dir}"/>
+ <mkdir dir="${3rdparty.jnpserver.dir}"/>
+ <mkdir dir="${3rdparty.lib.dir}"/>
+
+ <copy file="${patch.lib.dir}/jnpserver-5.0.3.GA.jar" tofile="${3rdparty.lib.dir}/jnpserver.jar"/>
+</target>
+
+</project>
\ No newline at end of file
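Review bot: `<exec executable="./build.sh" dir="${eap.build.dir}"/>` in `build-eap` does not set `failonerror="true"`, so a failed EAP build goes unreported, and `package` (which does not depend on `build-eap`) will copy whatever `jbossha.jar` is already in the output directory, possibly one built without the guard. The project declares `default="build"` but no target of that name is defined in the file, so a bare `ant` run fails; `default="package"`, or a `build` target chaining `build-eap` and `package`, would fix that. The `require-java6` failure message still names "EAP 5.1.2 for JBPAPP-8693" and looks copied from another patch build. Since the three jars under `patch/lib` are committed as binaries and repackaged as-is, a `<checksum>` verification against recorded digests before the `<copy>` steps would make the shipped artifacts auditable.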
Added: branches/JBPAPP_5_0_1_JBPAPP-10871/patch/lib/jbosssx-2.0.4.SP3.jar
===================================================================
(Binary files differ)
Property changes on: branches/JBPAPP_5_0_1_JBPAPP-10871/patch/lib/jbosssx-2.0.4.SP3.jar
___________________________________________________________________
Added: svn:mime-type
+ application/zip
Added: branches/JBPAPP_5_0_1_JBPAPP-10871/patch/lib/jbosssx-client-2.0.4.SP3.jar
===================================================================
(Binary files differ)
Property changes on: branches/JBPAPP_5_0_1_JBPAPP-10871/patch/lib/jbosssx-client-2.0.4.SP3.jar
___________________________________________________________________
Added: svn:mime-type
+ application/zip
Added: branches/JBPAPP_5_0_1_JBPAPP-10871/patch/lib/jnpserver-5.0.3.GA.jar
===================================================================
(Binary files differ)
Property changes on: branches/JBPAPP_5_0_1_JBPAPP-10871/patch/lib/jnpserver-5.0.3.GA.jar
___________________________________________________________________
Added: svn:mime-type
+ application/zip