JBossWeb SVN: r2484 - in branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170: java and 8 other directories.
by jbossweb-commits@lists.jboss.org
Author: aogburn
Date: 2014-07-25 14:03:58 -0400 (Fri, 25 Jul 2014)
New Revision: 2484
Added:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java
Removed:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java
Modified:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/build.xml
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/catalina/security/SecurityClassLoad.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/catalina/servlets/DefaultServlet.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/jasper/compiler/JspDocumentParser.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/buf/Ascii.java
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/net/JIoEndpoint.java
Log:
[JBPAPP-11170] merge fixes
Modified: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/build.xml
===================================================================
--- branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/build.xml 2014-07-25 15:40:36 UTC (rev 2483)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/build.xml 2014-07-25 18:03:58 UTC (rev 2484)
@@ -843,7 +843,7 @@
<target name="build-jasper-jdt-src">
<jar destfile="${jasper-jdt-src.jar}" index="true">
- <fileset dir="${jasper-jdt-src.home}/src/plugins/org.eclipse.jdt.core/model">
+ <fileset dir="${jasper-jdt-src.home}/plugins/org.eclipse.jdt.core/model">
<include name="org/eclipse/jdt/core/compiler/**"/>
<include name="org/eclipse/jdt/internal/compiler/**"/>
<include name="org/eclipse/jdt/internal/core/util/CommentRecorder*"/>
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/2.1.x/java:2480-2482
Modified: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/catalina/security/SecurityClassLoad.java
===================================================================
--- branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/catalina/security/SecurityClassLoad.java 2014-07-25 15:40:36 UTC (rev 2483)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/catalina/security/SecurityClassLoad.java 2014-07-25 18:03:58 UTC (rev 2484)
@@ -39,6 +39,7 @@
loadCorePackage(loader);
loadLoaderPackage(loader);
+ loadServletsPackage(loader);
loadSessionPackage(loader);
loadUtilPackage(loader);
loadJavaxPackage(loader);
@@ -92,6 +93,18 @@
}
+ private static final void loadServletsPackage(ClassLoader loader)
+ throws Exception {
+ final String basePackage = "org.apache.catalina.servlets.";
+ // Avoid a possible memory leak in the DefaultServlet when running with
+ // a security manager. The DefaultServlet needs to load an XML parser
+ // when running under a security manager. We want this to be loaded by
+ // the container rather than a web application to prevent a memory leak
+ // via web application class loader.
+ loader.loadClass(basePackage + "DefaultServlet");
+ }
+
+
private final static void loadSessionPackage(ClassLoader loader)
throws Exception {
String basePackage = "org.apache.catalina.";
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/catalina/security/SecurityClassLoad.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java:2460
Modified: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/catalina/servlets/DefaultServlet.java
===================================================================
--- branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/catalina/servlets/DefaultServlet.java 2014-07-25 15:40:36 UTC (rev 2483)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/catalina/servlets/DefaultServlet.java 2014-07-25 18:03:58 UTC (rev 2484)
@@ -33,8 +33,10 @@
import java.io.Reader;
import java.io.StringReader;
import java.io.StringWriter;
+import java.security.AccessController;
import java.util.ArrayList;
import java.util.Iterator;
+import java.util.Locale;
import java.util.StringTokenizer;
import javax.naming.InitialContext;
@@ -48,10 +50,14 @@
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
@@ -64,6 +70,12 @@
import org.apache.naming.resources.ProxyDirContext;
import org.apache.naming.resources.Resource;
import org.apache.naming.resources.ResourceAttributes;
+import org.apache.tomcat.util.security.PrivilegedGetTccl;
+import org.apache.tomcat.util.security.PrivilegedSetTccl;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.ext.EntityResolver2;
/**
@@ -78,7 +90,10 @@
public class DefaultServlet
extends HttpServlet {
+ private static final DocumentBuilderFactory factory;
+ private static final SecureEntityResolver secureEntityResolver;
+
// ----------------------------------------------------- Instance Variables
@@ -178,6 +193,16 @@
urlEncoder.addSafeCharacter('.');
urlEncoder.addSafeCharacter('*');
urlEncoder.addSafeCharacter('/');
+
+ if (Globals.IS_SECURITY_ENABLED) {
+ factory = DocumentBuilderFactory.newInstance();
+ factory.setNamespaceAware(true);
+ factory.setValidating(false);
+ secureEntityResolver = new SecureEntityResolver();
+ } else {
+ factory = null;
+ secureEntityResolver = null;
+ }
}
@@ -1079,17 +1104,12 @@
* Decide which way to render. HTML or XML.
*/
protected InputStream render(String contextPath, CacheEntry cacheEntry)
- throws IOException, ServletException {
-
- InputStream xsltInputStream =
- findXsltInputStream(cacheEntry.context);
-
- if (xsltInputStream==null) {
+ throws IOException, ServletException {
+ Source xsltSource = findXsltInputStream(cacheEntry.context);
+ if (xsltSource == null) {
return renderHtml(contextPath, cacheEntry);
- } else {
- return renderXml(contextPath, cacheEntry, xsltInputStream);
}
-
+ return renderXml(contextPath, cacheEntry, xsltSource);
}
/**
@@ -1101,7 +1121,7 @@
*/
protected InputStream renderXml(String contextPath,
CacheEntry cacheEntry,
- InputStream xsltInputStream)
+ Source xsltSource)
throws IOException, ServletException {
StringBuffer sb = new StringBuffer();
@@ -1188,12 +1208,28 @@
sb.append("</listing>");
+ // Prevent possible memory leak. Ensure Transformer and
+ // TransformerFactory are not loaded from the web application.
+ ClassLoader original;
+ if (Globals.IS_SECURITY_ENABLED) {
+ PrivilegedGetTccl pa = new PrivilegedGetTccl();
+ original = AccessController.doPrivileged(pa);
+ } else {
+ original = Thread.currentThread().getContextClassLoader();
+ }
+ try {
+ if (Globals.IS_SECURITY_ENABLED) {
+ PrivilegedSetTccl pa =
+ new PrivilegedSetTccl(DefaultServlet.class.getClassLoader());
+ AccessController.doPrivileged(pa);
+ } else {
+ Thread.currentThread().setContextClassLoader(
+ DefaultServlet.class.getClassLoader());
+ }
- try {
TransformerFactory tFactory = TransformerFactory.newInstance();
Source xmlSource = new StreamSource(new StringReader(sb.toString()));
- Source xslSource = new StreamSource(xsltInputStream);
- Transformer transformer = tFactory.newTransformer(xslSource);
+ Transformer transformer = tFactory.newTransformer(xsltSource);
ByteArrayOutputStream stream = new ByteArrayOutputStream();
OutputStreamWriter osWriter = new OutputStreamWriter(stream, "UTF8");
@@ -1203,6 +1239,13 @@
return (new ByteArrayInputStream(stream.toByteArray()));
} catch (TransformerException e) {
throw new ServletException("XSL transformer error", e);
+ } finally {
+ if (Globals.IS_SECURITY_ENABLED) {
+ PrivilegedSetTccl pa = new PrivilegedSetTccl(original);
+ AccessController.doPrivileged(pa);
+ } else {
+ Thread.currentThread().setContextClassLoader(original);
+ }
}
}
@@ -1421,7 +1464,7 @@
/**
* Return the xsl template inputstream (if possible)
*/
- protected InputStream findXsltInputStream(DirContext directory)
+ protected Source findXsltInputStream(DirContext directory)
throws IOException, ServletException {
if (localXsltFile != null) {
@@ -1429,8 +1472,13 @@
Object obj = directory.lookup(localXsltFile);
if ((obj != null) && (obj instanceof Resource)) {
InputStream is = ((Resource) obj).streamContent();
- if (is != null)
- return is;
+ if (is != null) {
+ if (Globals.IS_SECURITY_ENABLED) {
+ return secureXslt(is);
+ } else {
+ return new StreamSource(is);
+ }
+ }
}
} catch (NamingException e) {
if (debug > 10)
@@ -1443,20 +1491,24 @@
/* Open and read in file in one fell swoop to reduce chance
* chance of leaving handle open.
*/
- if (globalXsltFile!=null) {
- FileInputStream fis = null;
-
- try {
- File f = new File(globalXsltFile);
- if (f.exists()){
- fis =new FileInputStream(f);
+ if (globalXsltFile != null) {
+ File f = validateGlobalXsltFile();
+ if (f != null){
+ FileInputStream fis = null;
+ try {
+ fis = new FileInputStream(f);
byte b[] = new byte[(int)f.length()]; /* danger! */
fis.read(b);
- return new ByteArrayInputStream(b);
+ return new StreamSource(new ByteArrayInputStream(b));
+ } finally {
+ if (fis != null) {
+ try {
+ fis.close();
+ } catch (IOException ioe) {
+ // Ignore
+ }
+ }
}
- } finally {
- if (fis!=null)
- fis.close();
}
}
@@ -1465,6 +1517,90 @@
}
+ private File validateGlobalXsltFile() {
+
+ File result = null;
+ String base = System.getProperty("catalina.base");
+
+ if (base != null) {
+ File baseConf = new File(base, "conf");
+ result = validateGlobalXsltFile(baseConf);
+ }
+
+ if (result == null) {
+ String home = System.getProperty("catalina.home");
+ if (home != null && !home.equals(base)) {
+ File homeConf = new File(home, "conf");
+ result = validateGlobalXsltFile(homeConf);
+ }
+ }
+
+ return result;
+ }
+
+
+ private File validateGlobalXsltFile(File base) {
+ File candidate = new File(globalXsltFile);
+ if (!candidate.isAbsolute()) {
+ candidate = new File(base, globalXsltFile);
+ }
+
+ if (!candidate.isFile()) {
+ return null;
+ }
+
+ // First check that the resulting path is under the provided base
+ try {
+ if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) {
+ return null;
+ }
+ } catch (IOException ioe) {
+ return null;
+ }
+
+ // Next check that an .xsl or .xslt file has been specified
+ String nameLower = candidate.getName().toLowerCase(Locale.ENGLISH);
+ if (!nameLower.endsWith(".xslt") && !nameLower.endsWith(".xsl")) {
+ return null;
+ }
+
+ return candidate;
+ }
+
+
+ private Source secureXslt(InputStream is) {
+ // Need to filter out any external entities
+ Source result = null;
+ try {
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ builder.setEntityResolver(secureEntityResolver);
+ Document document = builder.parse(is);
+ result = new DOMSource(document);
+ } catch (ParserConfigurationException e) {
+ if (debug > 0) {
+ log(e.getMessage(), e);
+ }
+ } catch (SAXException e) {
+ if (debug > 0) {
+ log(e.getMessage(), e);
+ }
+ } catch (IOException e) {
+ if (debug > 0) {
+ log(e.getMessage(), e);
+ }
+ } finally {
+ if (is != null) {
+ try {
+ is.close();
+ } catch (IOException e) {
+ // Ignore
+ }
+ }
+ }
+ return result;
+ }
+
+
// -------------------------------------------------------- protected Methods
@@ -2139,4 +2275,29 @@
}
+ /**
+ * This is secure in the sense that any attempt to use an external entity
+ * will trigger an exception.
+ */
+ private static class SecureEntityResolver implements EntityResolver2 {
+
+ @Override
+ public InputSource resolveEntity(String publicId, String systemId)
+ throws SAXException, IOException {
+ throw new SAXException("Ignored external entity " + publicId + " " + systemId);
+ }
+
+ @Override
+ public InputSource getExternalSubset(String name, String baseURI)
+ throws SAXException, IOException {
+ throw new SAXException("Ignored external subset " + name + " " + baseURI);
+ }
+
+ @Override
+ public InputSource resolveEntity(String name, String publicId,
+ String baseURI, String systemId) throws SAXException,
+ IOException {
+ throw new SAXException("Ignored external entity " + name + " " + publicId + " " + baseURI + " " + systemId);
+ }
+ }
}
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/catalina/servlets/DefaultServlet.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/catalina/servlets/DefaultServlet.java:2427
Modified: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
===================================================================
--- branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-07-25 15:40:36 UTC (rev 2483)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-07-25 18:03:58 UTC (rev 2484)
@@ -266,7 +266,7 @@
int result = 0;
boolean eol = false;
- boolean readDigit = false;
+ int readDigit = 0;
boolean trailer = false;
while (!eol) {
@@ -288,10 +288,10 @@
trailer = true;
} else if (!trailer) {
//don't read data after the trailer
- if (HexUtils.DEC[buf[pos]] != -1) {
- readDigit = true;
- result *= 16;
- result += HexUtils.DEC[buf[pos]];
+ int charValue = HexUtils.DEC[buf[pos] & 0xff];
+ if (charValue != -1 && readDigit < 8) {
+ readDigit++;
+ result = (result << 4) | charValue;
} else {
//we shouldn't allow invalid, non hex characters
//in the chunked header
@@ -303,7 +303,7 @@
}
- if (!readDigit || (result < 0))
+ if (readDigit == 0 || (result < 0))
throw new IOException("Invalid chunk header");
if (result == 0)
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java:2428
Modified: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/jasper/compiler/JspDocumentParser.java
===================================================================
--- branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/jasper/compiler/JspDocumentParser.java 2014-07-25 15:40:36 UTC (rev 2483)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/jasper/compiler/JspDocumentParser.java 2014-07-25 18:03:58 UTC (rev 2484)
@@ -20,7 +20,7 @@
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
-
+import java.security.AccessController;
import java.util.Iterator;
import java.util.List;
import java.util.jar.JarFile;
@@ -31,8 +31,11 @@
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
+import org.apache.jasper.Constants;
import org.apache.jasper.JasperException;
import org.apache.jasper.JspCompilationContext;
+import org.apache.tomcat.util.security.PrivilegedGetTccl;
+import org.apache.tomcat.util.security.PrivilegedSetTccl;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.Locator;
@@ -1394,30 +1397,59 @@
*
* @return The SAXParser
*/
- private static SAXParser getSAXParser(
- boolean validating,
- JspDocumentParser jspDocParser)
- throws Exception {
+ private static SAXParser getSAXParser(boolean validating,
+ JspDocumentParser jspDocParser) throws Exception {
- SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setNamespaceAware(true);
+ ClassLoader original;
+ if (Constants.IS_SECURITY_ENABLED) {
+ PrivilegedGetTccl pa = new PrivilegedGetTccl();
+ original = AccessController.doPrivileged(pa);
+ } else {
+ original = Thread.currentThread().getContextClassLoader();
+ }
+ try {
+ if (Constants.IS_SECURITY_ENABLED) {
+ PrivilegedSetTccl pa = new PrivilegedSetTccl(
+ JspDocumentParser.class.getClassLoader());
+ AccessController.doPrivileged(pa);
+ } else {
+ Thread.currentThread().setContextClassLoader(
+ JspDocumentParser.class.getClassLoader());
+ }
- // Preserve xmlns attributes
- factory.setFeature(
- "http://xml.org/sax/features/namespace-prefixes",
- true);
- factory.setValidating(validating);
- //factory.setFeature(
- // "http://xml.org/sax/features/validation",
- // validating);
-
- // Configure the parser
- SAXParser saxParser = factory.newSAXParser();
- XMLReader xmlReader = saxParser.getXMLReader();
- xmlReader.setProperty(LEXICAL_HANDLER_PROPERTY, jspDocParser);
- xmlReader.setErrorHandler(jspDocParser);
+ SAXParserFactory factory = SAXParserFactory.newInstance();
- return saxParser;
+ factory.setNamespaceAware(true);
+ // Preserve xmlns attributes
+ factory.setFeature(
+ "http://xml.org/sax/features/namespace-prefixes", true);
+
+ factory.setValidating(validating);
+ if (validating) {
+ // Enable DTD validation
+ factory.setFeature("http://xml.org/sax/features/validation",
+ true);
+ // Enable schema validation
+ factory.setFeature(
+ "http://apache.org/xml/features/validation/schema",
+ true);
+ }
+
+ // Configure the parser
+ SAXParser saxParser = factory.newSAXParser();
+ XMLReader xmlReader = saxParser.getXMLReader();
+ xmlReader.setProperty(LEXICAL_HANDLER_PROPERTY, jspDocParser);
+ xmlReader.setErrorHandler(jspDocParser);
+
+ return saxParser;
+ } finally {
+ if (Constants.IS_SECURITY_ENABLED) {
+ PrivilegedSetTccl pa = new PrivilegedSetTccl(original);
+ AccessController.doPrivileged(pa);
+ } else {
+ Thread.currentThread().setContextClassLoader(original);
+ }
+ }
}
/*
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/jasper/compiler/JspDocumentParser.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/jasper/compiler/JspDocumentParser.java:2427
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/2.1.x/java/org/apache/tomcat/util:2480-2482
/branches/7.4.x/src/main/java/org/apache/tomcat/util:2427
Modified: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/buf/Ascii.java
===================================================================
--- branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/buf/Ascii.java 2014-07-25 15:40:36 UTC (rev 2483)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/buf/Ascii.java 2014-07-25 18:03:58 UTC (rev 2484)
@@ -41,6 +41,8 @@
private static final boolean[] isWhite = new boolean[256];
private static final boolean[] isDigit = new boolean[256];
+ private static final long OVERFLOW_LIMIT = Long.MAX_VALUE / 10;
+
/*
* Initialize character translation and type tables.
*/
@@ -187,8 +189,7 @@
* @exception NumberFormatException if the long format was invalid
*/
public static long parseLong(byte[] b, int off, int len)
- throws NumberFormatException
- {
+ throws NumberFormatException {
int c;
if (b == null || len <= 0 || !isDigit(c = b[off++])) {
@@ -196,20 +197,13 @@
}
long n = c - '0';
- long m;
-
while (--len > 0) {
- if (!isDigit(c = b[off++])) {
+ if (isDigit(c = b[off++])
+ && (n < OVERFLOW_LIMIT || (n == OVERFLOW_LIMIT && (c - '0') < 8))) {
+ n = n * 10 + c - '0';
+ } else {
throw new NumberFormatException();
}
- m = n * 10 + c - '0';
-
- if (m < n) {
- // Overflow
- throw new NumberFormatException();
- } else {
- n = m;
- }
}
return n;
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/buf/Ascii.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java:2480-2482
/branches/7.4.x/src/main/java/org/apache/tomcat/util/buf/Ascii.java:2426-2427
Property changes on: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/net/JIoEndpoint.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/tomcat/util/net/JIoEndpoint.java:2427
Deleted: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java
===================================================================
--- branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java 2014-07-23 20:38:09 UTC (rev 2482)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java 2014-07-25 18:03:58 UTC (rev 2484)
@@ -1,28 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.tomcat.util.security;
-
-import java.security.PrivilegedAction;
-
-public class PrivilegedGetTccl implements PrivilegedAction<ClassLoader> {
- @Override
- public ClassLoader run() {
- return Thread.currentThread().getContextClassLoader();
- }
-}
-
-
Copied: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java (from rev 2482, branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java)
===================================================================
--- branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java (rev 0)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java 2014-07-25 18:03:58 UTC (rev 2484)
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.security;
+
+import java.security.PrivilegedAction;
+
+public class PrivilegedGetTccl implements PrivilegedAction<ClassLoader> {
+ @Override
+ public ClassLoader run() {
+ return Thread.currentThread().getContextClassLoader();
+ }
+}
+
+
Deleted: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java
===================================================================
--- branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java 2014-07-23 20:38:09 UTC (rev 2482)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java 2014-07-25 18:03:58 UTC (rev 2484)
@@ -1,34 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.tomcat.util.security;
-
-import java.security.PrivilegedAction;
-
-public class PrivilegedSetTccl implements PrivilegedAction<Void> {
-
- private ClassLoader cl;
-
- public PrivilegedSetTccl(ClassLoader cl) {
- this.cl = cl;
- }
-
- @Override
- public Void run() {
- Thread.currentThread().setContextClassLoader(cl);
- return null;
- }
-}
\ No newline at end of file
Copied: branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java (from rev 2482, branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java)
===================================================================
--- branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java (rev 0)
+++ branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java 2014-07-25 18:03:58 UTC (rev 2484)
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.security;
+
+import java.security.PrivilegedAction;
+
+public class PrivilegedSetTccl implements PrivilegedAction<Void> {
+
+ private ClassLoader cl;
+
+ public PrivilegedSetTccl(ClassLoader cl) {
+ this.cl = cl;
+ }
+
+ @Override
+ public Void run() {
+ Thread.currentThread().setContextClassLoader(cl);
+ return null;
+ }
+}
\ No newline at end of file
10 years, 5 months
- 1
- 0
JBossWeb SVN: r2483 - branches.
by jbossweb-commits@lists.jboss.org
Author: aogburn
Date: 2014-07-25 11:40:36 -0400 (Fri, 25 Jul 2014)
New Revision: 2483
Added:
branches/JBOSSWEB_2_1_12_GA_JBPAPP-11170/
Log:
[JBPAPP-11170] create one-off branch
10 years, 5 months
- 1
- 0
JBossWeb SVN: r2482 - branches/2.1.x/java/org/apache/tomcat/util/buf.
by jbossweb-commits@lists.jboss.org
Author: aogburn
Date: 2014-07-23 16:38:09 -0400 (Wed, 23 Jul 2014)
New Revision: 2482
Modified:
branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java
Log:
CVE-2014-0099 backport
Modified: branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java
===================================================================
--- branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java 2014-07-23 20:31:43 UTC (rev 2481)
+++ branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java 2014-07-23 20:38:09 UTC (rev 2482)
@@ -41,6 +41,8 @@
private static final boolean[] isWhite = new boolean[256];
private static final boolean[] isDigit = new boolean[256];
+ private static final long OVERFLOW_LIMIT = Long.MAX_VALUE / 10;
+
/*
* Initialize character translation and type tables.
*/
@@ -187,8 +189,7 @@
* @exception NumberFormatException if the long format was invalid
*/
public static long parseLong(byte[] b, int off, int len)
- throws NumberFormatException
- {
+ throws NumberFormatException {
int c;
if (b == null || len <= 0 || !isDigit(c = b[off++])) {
@@ -196,20 +197,13 @@
}
long n = c - '0';
- long m;
-
while (--len > 0) {
- if (!isDigit(c = b[off++])) {
+ if (isDigit(c = b[off++])
+ && (n < OVERFLOW_LIMIT || (n == OVERFLOW_LIMIT && (c - '0') < 8))) {
+ n = n * 10 + c - '0';
+ } else {
throw new NumberFormatException();
}
- m = n * 10 + c - '0';
-
- if (m < n) {
- // Overflow
- throw new NumberFormatException();
- } else {
- n = m;
- }
}
return n;
Property changes on: branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/tomcat/util/buf/Ascii.java:2426
10 years, 5 months
- 1
- 0
JBossWeb SVN: r2481 - in branches/2.1.x/java/org/apache: catalina/servlets and 4 other directories.
by jbossweb-commits@lists.jboss.org
Author: aogburn
Date: 2014-07-23 16:31:43 -0400 (Wed, 23 Jul 2014)
New Revision: 2481
Added:
branches/2.1.x/java/org/apache/tomcat/util/security/
branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java
branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java
Removed:
branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java
branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java
Modified:
branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java
branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java
branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java
branches/2.1.x/java/org/apache/tomcat/util/
branches/2.1.x/java/org/apache/tomcat/util/net/JIoEndpoint.java
Log:
CVE-2014-0096 & CVE-2014-0119 backports
Modified: branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java
===================================================================
--- branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java 2014-07-23 16:58:01 UTC (rev 2480)
+++ branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java 2014-07-23 20:31:43 UTC (rev 2481)
@@ -39,6 +39,7 @@
loadCorePackage(loader);
loadLoaderPackage(loader);
+ loadServletsPackage(loader);
loadSessionPackage(loader);
loadUtilPackage(loader);
loadJavaxPackage(loader);
@@ -92,6 +93,18 @@
}
+ private static final void loadServletsPackage(ClassLoader loader)
+ throws Exception {
+ final String basePackage = "org.apache.catalina.servlets.";
+ // Avoid a possible memory leak in the DefaultServlet when running with
+ // a security manager. The DefaultServlet needs to load an XML parser
+ // when running under a security manager. We want this to be loaded by
+ // the container rather than a web application to prevent a memory leak
+ // via web application class loader.
+ loader.loadClass(basePackage + "DefaultServlet");
+ }
+
+
private final static void loadSessionPackage(ClassLoader loader)
throws Exception {
String basePackage = "org.apache.catalina.";
Property changes on: branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java:2460
Modified: branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java
===================================================================
--- branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java 2014-07-23 16:58:01 UTC (rev 2480)
+++ branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java 2014-07-23 20:31:43 UTC (rev 2481)
@@ -33,8 +33,10 @@
import java.io.Reader;
import java.io.StringReader;
import java.io.StringWriter;
+import java.security.AccessController;
import java.util.ArrayList;
import java.util.Iterator;
+import java.util.Locale;
import java.util.StringTokenizer;
import javax.naming.InitialContext;
@@ -48,10 +50,14 @@
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
@@ -64,6 +70,12 @@
import org.apache.naming.resources.ProxyDirContext;
import org.apache.naming.resources.Resource;
import org.apache.naming.resources.ResourceAttributes;
+import org.apache.tomcat.util.security.PrivilegedGetTccl;
+import org.apache.tomcat.util.security.PrivilegedSetTccl;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.ext.EntityResolver2;
/**
@@ -78,7 +90,10 @@
public class DefaultServlet
extends HttpServlet {
+ private static final DocumentBuilderFactory factory;
+ private static final SecureEntityResolver secureEntityResolver;
+
// ----------------------------------------------------- Instance Variables
@@ -178,6 +193,16 @@
urlEncoder.addSafeCharacter('.');
urlEncoder.addSafeCharacter('*');
urlEncoder.addSafeCharacter('/');
+
+ if (Globals.IS_SECURITY_ENABLED) {
+ factory = DocumentBuilderFactory.newInstance();
+ factory.setNamespaceAware(true);
+ factory.setValidating(false);
+ secureEntityResolver = new SecureEntityResolver();
+ } else {
+ factory = null;
+ secureEntityResolver = null;
+ }
}
@@ -1079,17 +1104,12 @@
* Decide which way to render. HTML or XML.
*/
protected InputStream render(String contextPath, CacheEntry cacheEntry)
- throws IOException, ServletException {
-
- InputStream xsltInputStream =
- findXsltInputStream(cacheEntry.context);
-
- if (xsltInputStream==null) {
+ throws IOException, ServletException {
+ Source xsltSource = findXsltInputStream(cacheEntry.context);
+ if (xsltSource == null) {
return renderHtml(contextPath, cacheEntry);
- } else {
- return renderXml(contextPath, cacheEntry, xsltInputStream);
}
-
+ return renderXml(contextPath, cacheEntry, xsltSource);
}
/**
@@ -1101,7 +1121,7 @@
*/
protected InputStream renderXml(String contextPath,
CacheEntry cacheEntry,
- InputStream xsltInputStream)
+ Source xsltSource)
throws IOException, ServletException {
StringBuffer sb = new StringBuffer();
@@ -1188,12 +1208,28 @@
sb.append("</listing>");
+ // Prevent possible memory leak. Ensure Transformer and
+ // TransformerFactory are not loaded from the web application.
+ ClassLoader original;
+ if (Globals.IS_SECURITY_ENABLED) {
+ PrivilegedGetTccl pa = new PrivilegedGetTccl();
+ original = AccessController.doPrivileged(pa);
+ } else {
+ original = Thread.currentThread().getContextClassLoader();
+ }
+ try {
+ if (Globals.IS_SECURITY_ENABLED) {
+ PrivilegedSetTccl pa =
+ new PrivilegedSetTccl(DefaultServlet.class.getClassLoader());
+ AccessController.doPrivileged(pa);
+ } else {
+ Thread.currentThread().setContextClassLoader(
+ DefaultServlet.class.getClassLoader());
+ }
- try {
TransformerFactory tFactory = TransformerFactory.newInstance();
Source xmlSource = new StreamSource(new StringReader(sb.toString()));
- Source xslSource = new StreamSource(xsltInputStream);
- Transformer transformer = tFactory.newTransformer(xslSource);
+ Transformer transformer = tFactory.newTransformer(xsltSource);
ByteArrayOutputStream stream = new ByteArrayOutputStream();
OutputStreamWriter osWriter = new OutputStreamWriter(stream, "UTF8");
@@ -1203,6 +1239,13 @@
return (new ByteArrayInputStream(stream.toByteArray()));
} catch (TransformerException e) {
throw new ServletException("XSL transformer error", e);
+ } finally {
+ if (Globals.IS_SECURITY_ENABLED) {
+ PrivilegedSetTccl pa = new PrivilegedSetTccl(original);
+ AccessController.doPrivileged(pa);
+ } else {
+ Thread.currentThread().setContextClassLoader(original);
+ }
}
}
@@ -1421,7 +1464,7 @@
/**
* Return the xsl template inputstream (if possible)
*/
- protected InputStream findXsltInputStream(DirContext directory)
+ protected Source findXsltInputStream(DirContext directory)
throws IOException, ServletException {
if (localXsltFile != null) {
@@ -1429,8 +1472,13 @@
Object obj = directory.lookup(localXsltFile);
if ((obj != null) && (obj instanceof Resource)) {
InputStream is = ((Resource) obj).streamContent();
- if (is != null)
- return is;
+ if (is != null) {
+ if (Globals.IS_SECURITY_ENABLED) {
+ return secureXslt(is);
+ } else {
+ return new StreamSource(is);
+ }
+ }
}
} catch (NamingException e) {
if (debug > 10)
@@ -1443,20 +1491,24 @@
/* Open and read in file in one fell swoop to reduce chance
* chance of leaving handle open.
*/
- if (globalXsltFile!=null) {
- FileInputStream fis = null;
-
- try {
- File f = new File(globalXsltFile);
- if (f.exists()){
- fis =new FileInputStream(f);
+ if (globalXsltFile != null) {
+ File f = validateGlobalXsltFile();
+ if (f != null){
+ FileInputStream fis = null;
+ try {
+ fis = new FileInputStream(f);
byte b[] = new byte[(int)f.length()]; /* danger! */
fis.read(b);
- return new ByteArrayInputStream(b);
+ return new StreamSource(new ByteArrayInputStream(b));
+ } finally {
+ if (fis != null) {
+ try {
+ fis.close();
+ } catch (IOException ioe) {
+ // Ignore
+ }
+ }
}
- } finally {
- if (fis!=null)
- fis.close();
}
}
@@ -1465,6 +1517,90 @@
}
+ private File validateGlobalXsltFile() {
+
+ File result = null;
+ String base = System.getProperty("catalina.base");
+
+ if (base != null) {
+ File baseConf = new File(base, "conf");
+ result = validateGlobalXsltFile(baseConf);
+ }
+
+ if (result == null) {
+ String home = System.getProperty("catalina.home");
+ if (home != null && !home.equals(base)) {
+ File homeConf = new File(home, "conf");
+ result = validateGlobalXsltFile(homeConf);
+ }
+ }
+
+ return result;
+ }
+
+
+ private File validateGlobalXsltFile(File base) {
+ File candidate = new File(globalXsltFile);
+ if (!candidate.isAbsolute()) {
+ candidate = new File(base, globalXsltFile);
+ }
+
+ if (!candidate.isFile()) {
+ return null;
+ }
+
+ // First check that the resulting path is under the provided base
+ try {
+ if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) {
+ return null;
+ }
+ } catch (IOException ioe) {
+ return null;
+ }
+
+ // Next check that an .xsl or .xslt file has been specified
+ String nameLower = candidate.getName().toLowerCase(Locale.ENGLISH);
+ if (!nameLower.endsWith(".xslt") && !nameLower.endsWith(".xsl")) {
+ return null;
+ }
+
+ return candidate;
+ }
+
+
+ private Source secureXslt(InputStream is) {
+ // Need to filter out any external entities
+ Source result = null;
+ try {
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ builder.setEntityResolver(secureEntityResolver);
+ Document document = builder.parse(is);
+ result = new DOMSource(document);
+ } catch (ParserConfigurationException e) {
+ if (debug > 0) {
+ log(e.getMessage(), e);
+ }
+ } catch (SAXException e) {
+ if (debug > 0) {
+ log(e.getMessage(), e);
+ }
+ } catch (IOException e) {
+ if (debug > 0) {
+ log(e.getMessage(), e);
+ }
+ } finally {
+ if (is != null) {
+ try {
+ is.close();
+ } catch (IOException e) {
+ // Ignore
+ }
+ }
+ }
+ return result;
+ }
+
+
// -------------------------------------------------------- protected Methods
@@ -2139,4 +2275,29 @@
}
+ /**
+ * This is secure in the sense that any attempt to use an external entity
+ * will trigger an exception.
+ */
+ private static class SecureEntityResolver implements EntityResolver2 {
+
+ @Override
+ public InputSource resolveEntity(String publicId, String systemId)
+ throws SAXException, IOException {
+ throw new SAXException("Ignored external entity " + publicId + " " + systemId);
+ }
+
+ @Override
+ public InputSource getExternalSubset(String name, String baseURI)
+ throws SAXException, IOException {
+ throw new SAXException("Ignored external subset " + name + " " + baseURI);
+ }
+
+ @Override
+ public InputSource resolveEntity(String name, String publicId,
+ String baseURI, String systemId) throws SAXException,
+ IOException {
+ throw new SAXException("Ignored external entity " + name + " " + publicId + " " + baseURI + " " + systemId);
+ }
+ }
}
Property changes on: branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/catalina/servlets/DefaultServlet.java:2427
Modified: branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java
===================================================================
--- branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java 2014-07-23 16:58:01 UTC (rev 2480)
+++ branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java 2014-07-23 20:31:43 UTC (rev 2481)
@@ -20,7 +20,7 @@
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
-
+import java.security.AccessController;
import java.util.Iterator;
import java.util.List;
import java.util.jar.JarFile;
@@ -31,8 +31,11 @@
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
+import org.apache.jasper.Constants;
import org.apache.jasper.JasperException;
import org.apache.jasper.JspCompilationContext;
+import org.apache.tomcat.util.security.PrivilegedGetTccl;
+import org.apache.tomcat.util.security.PrivilegedSetTccl;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.Locator;
@@ -1394,30 +1397,59 @@
*
* @return The SAXParser
*/
- private static SAXParser getSAXParser(
- boolean validating,
- JspDocumentParser jspDocParser)
- throws Exception {
+ private static SAXParser getSAXParser(boolean validating,
+ JspDocumentParser jspDocParser) throws Exception {
- SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setNamespaceAware(true);
+ ClassLoader original;
+ if (Constants.IS_SECURITY_ENABLED) {
+ PrivilegedGetTccl pa = new PrivilegedGetTccl();
+ original = AccessController.doPrivileged(pa);
+ } else {
+ original = Thread.currentThread().getContextClassLoader();
+ }
+ try {
+ if (Constants.IS_SECURITY_ENABLED) {
+ PrivilegedSetTccl pa = new PrivilegedSetTccl(
+ JspDocumentParser.class.getClassLoader());
+ AccessController.doPrivileged(pa);
+ } else {
+ Thread.currentThread().setContextClassLoader(
+ JspDocumentParser.class.getClassLoader());
+ }
- // Preserve xmlns attributes
- factory.setFeature(
- "http://xml.org/sax/features/namespace-prefixes",
- true);
- factory.setValidating(validating);
- //factory.setFeature(
- // "http://xml.org/sax/features/validation",
- // validating);
-
- // Configure the parser
- SAXParser saxParser = factory.newSAXParser();
- XMLReader xmlReader = saxParser.getXMLReader();
- xmlReader.setProperty(LEXICAL_HANDLER_PROPERTY, jspDocParser);
- xmlReader.setErrorHandler(jspDocParser);
+ SAXParserFactory factory = SAXParserFactory.newInstance();
- return saxParser;
+ factory.setNamespaceAware(true);
+ // Preserve xmlns attributes
+ factory.setFeature(
+ "http://xml.org/sax/features/namespace-prefixes", true);
+
+ factory.setValidating(validating);
+ if (validating) {
+ // Enable DTD validation
+ factory.setFeature("http://xml.org/sax/features/validation",
+ true);
+ // Enable schema validation
+ factory.setFeature(
+ "http://apache.org/xml/features/validation/schema",
+ true);
+ }
+
+ // Configure the parser
+ SAXParser saxParser = factory.newSAXParser();
+ XMLReader xmlReader = saxParser.getXMLReader();
+ xmlReader.setProperty(LEXICAL_HANDLER_PROPERTY, jspDocParser);
+ xmlReader.setErrorHandler(jspDocParser);
+
+ return saxParser;
+ } finally {
+ if (Constants.IS_SECURITY_ENABLED) {
+ PrivilegedSetTccl pa = new PrivilegedSetTccl(original);
+ AccessController.doPrivileged(pa);
+ } else {
+ Thread.currentThread().setContextClassLoader(original);
+ }
+ }
}
/*
Property changes on: branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/jasper/compiler/JspDocumentParser.java:2427
Property changes on: branches/2.1.x/java/org/apache/tomcat/util
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/tomcat/util:2427
Property changes on: branches/2.1.x/java/org/apache/tomcat/util/net/JIoEndpoint.java
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/7.2.x/src/main/java/org/apache/tomcat/util/net/JIoEndpoint.java:2135
+ /branches/7.2.x/src/main/java/org/apache/tomcat/util/net/JIoEndpoint.java:2135
/branches/7.4.x/src/main/java/org/apache/tomcat/util/net/JIoEndpoint.java:2427
Deleted: branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java 2014-05-28 08:20:59 UTC (rev 2427)
+++ branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java 2014-07-23 20:31:43 UTC (rev 2481)
@@ -1,28 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.tomcat.util.security;
-
-import java.security.PrivilegedAction;
-
-public class PrivilegedGetTccl implements PrivilegedAction<ClassLoader> {
- @Override
- public ClassLoader run() {
- return Thread.currentThread().getContextClassLoader();
- }
-}
-
-
Copied: branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java (from rev 2427, branches/7.4.x/src/main/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java)
===================================================================
--- branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java (rev 0)
+++ branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java 2014-07-23 20:31:43 UTC (rev 2481)
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.security;
+
+import java.security.PrivilegedAction;
+
+public class PrivilegedGetTccl implements PrivilegedAction<ClassLoader> {
+ @Override
+ public ClassLoader run() {
+ return Thread.currentThread().getContextClassLoader();
+ }
+}
+
+
Deleted: branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java 2014-05-28 08:20:59 UTC (rev 2427)
+++ branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java 2014-07-23 20:31:43 UTC (rev 2481)
@@ -1,34 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.tomcat.util.security;
-
-import java.security.PrivilegedAction;
-
-public class PrivilegedSetTccl implements PrivilegedAction<Void> {
-
- private ClassLoader cl;
-
- public PrivilegedSetTccl(ClassLoader cl) {
- this.cl = cl;
- }
-
- @Override
- public Void run() {
- Thread.currentThread().setContextClassLoader(cl);
- return null;
- }
-}
\ No newline at end of file
Copied: branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java (from rev 2427, branches/7.4.x/src/main/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java)
===================================================================
--- branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java (rev 0)
+++ branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java 2014-07-23 20:31:43 UTC (rev 2481)
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.security;
+
+import java.security.PrivilegedAction;
+
+public class PrivilegedSetTccl implements PrivilegedAction<Void> {
+
+ private ClassLoader cl;
+
+ public PrivilegedSetTccl(ClassLoader cl) {
+ this.cl = cl;
+ }
+
+ @Override
+ public Void run() {
+ Thread.currentThread().setContextClassLoader(cl);
+ return null;
+ }
+}
\ No newline at end of file
10 years, 5 months
- 1
- 0
JBossWeb SVN: r2480 - branches/2.1.x/java/org/apache/coyote/http11/filters.
by jbossweb-commits@lists.jboss.org
Author: aogburn
Date: 2014-07-23 12:58:01 -0400 (Wed, 23 Jul 2014)
New Revision: 2480
Modified:
branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
Log:
Merge CVE-2014-0075 to 2.1.x
Modified: branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
===================================================================
--- branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-07-18 20:34:47 UTC (rev 2479)
+++ branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-07-23 16:58:01 UTC (rev 2480)
@@ -267,7 +267,7 @@
int result = 0;
boolean eol = false;
boolean crfound = false;
- boolean readDigit = false;
+ int readDigit = 0;
boolean trailer = false;
while (!eol) {
@@ -294,10 +294,10 @@
throw new IOException("Invalid chunk header");
} else if (!trailer) {
//don't read data after the trailer
- if (HexUtils.DEC[buf[pos] & 0xff] != -1) {
- readDigit = true;
- result *= 16;
- result += HexUtils.DEC[buf[pos]];
+ int charValue = HexUtils.DEC[buf[pos] & 0xff];
+ if (charValue != -1 && readDigit < 8) {
+ readDigit++;
+ result = (result << 4) | charValue;
} else {
//we shouldn't allow invalid, non hex characters
//in the chunked header
@@ -309,7 +309,7 @@
}
- if (!readDigit || (result < 0))
+ if (readDigit == 0 || (result < 0))
throw new IOException("Invalid chunk header");
if (result == 0)
Property changes on: branches/2.1.x/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java:2428
10 years, 5 months
- 1
- 0
JBossWeb SVN: r2479 - in branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889: src/main/java/org/apache/coyote/ajp and 1 other directories.
by jbossweb-commits@lists.jboss.org
Author: bmaxwell
Date: 2014-07-18 16:34:47 -0400 (Fri, 18 Jul 2014)
New Revision: 2479
Modified:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/pom.xml
branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/src/main/java/org/apache/coyote/ajp/AjpAprProtocol.java
branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/src/main/java/org/apache/coyote/http11/Http11AprProtocol.java
branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/src/main/java/org/apache/coyote/http11/Http11NioProtocol.java
Log:
[BZ-1120889] backport fix for APR connector does not allow adding system property org.apache.tomcat.util.ENABLE_MODELER=true
Modified: branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/pom.xml
===================================================================
--- branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/pom.xml 2014-07-18 20:19:32 UTC (rev 2478)
+++ branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/pom.xml 2014-07-18 20:34:47 UTC (rev 2479)
@@ -33,7 +33,7 @@
<groupId>org.jboss.web</groupId>
<artifactId>jbossweb</artifactId>
- <version>7.2.2.Final</version>
+ <version>7.2.2.Final-redhat-1-bz-1120889</version>
<name>JBoss Web</name>
<description>Servlet 3.0 container</description>
Modified: branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/src/main/java/org/apache/coyote/ajp/AjpAprProtocol.java
===================================================================
--- branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/src/main/java/org/apache/coyote/ajp/AjpAprProtocol.java 2014-07-18 20:19:32 UTC (rev 2478)
+++ branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/src/main/java/org/apache/coyote/ajp/AjpAprProtocol.java 2014-07-18 20:34:47 UTC (rev 2479)
@@ -166,14 +166,14 @@
if (this.domain != null ) {
try {
tpOname = new ObjectName
- (domain + ":" + "type=ThreadPool,name=" + getName());
+ (domain + ":" + "type=ThreadPool,name=" + getJmxName());
Registry.getRegistry(null, null)
.registerComponent(endpoint, tpOname, null );
} catch (Exception e) {
CoyoteLogger.AJP_LOGGER.errorRegisteringPool(e);
}
rgOname = new ObjectName
- (domain + ":type=GlobalRequestProcessor,name=" + getName());
+ (domain + ":type=GlobalRequestProcessor,name=" + getJmxName());
Registry.getRegistry(null, null).registerComponent(cHandler.global, rgOname, null);
}
}
Modified: branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/src/main/java/org/apache/coyote/http11/Http11AprProtocol.java
===================================================================
--- branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/src/main/java/org/apache/coyote/http11/Http11AprProtocol.java 2014-07-18 20:19:32 UTC (rev 2478)
+++ branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/src/main/java/org/apache/coyote/http11/Http11AprProtocol.java 2014-07-18 20:34:47 UTC (rev 2479)
@@ -118,14 +118,14 @@
if( this.domain != null ) {
try {
tpOname=new ObjectName
- (domain + ":" + "type=ThreadPool,name=" + getName());
+ (domain + ":" + "type=ThreadPool,name=" + getJmxName());
Registry.getRegistry(null, null)
.registerComponent(endpoint, tpOname, null );
} catch (Exception e) {
CoyoteLogger.HTTP_LOGGER.errorRegisteringPool(e);
}
rgOname=new ObjectName
- (domain + ":type=GlobalRequestProcessor,name=" + getName());
+ (domain + ":type=GlobalRequestProcessor,name=" + getJmxName());
Registry.getRegistry(null, null).registerComponent
( cHandler.global, rgOname, null );
}
Modified: branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/src/main/java/org/apache/coyote/http11/Http11NioProtocol.java
===================================================================
--- branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/src/main/java/org/apache/coyote/http11/Http11NioProtocol.java 2014-07-18 20:19:32 UTC (rev 2478)
+++ branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/src/main/java/org/apache/coyote/http11/Http11NioProtocol.java 2014-07-18 20:34:47 UTC (rev 2479)
@@ -129,12 +129,12 @@
if (org.apache.tomcat.util.Constants.ENABLE_MODELER) {
if (this.domain != null) {
try {
- tpOname = new ObjectName(domain + ":" + "type=ThreadPool,name=" + getName());
+ tpOname = new ObjectName(domain + ":" + "type=ThreadPool,name=" + getJmxName());
Registry.getRegistry(null, null).registerComponent(endpoint, tpOname, null);
} catch (Exception e) {
CoyoteLogger.HTTP_LOGGER.errorRegisteringPool(e);
}
- rgOname = new ObjectName(domain + ":type=GlobalRequestProcessor,name=" + getName());
+ rgOname = new ObjectName(domain + ":type=GlobalRequestProcessor,name=" + getJmxName());
Registry.getRegistry(null, null).registerComponent(cHandler.global, rgOname, null);
}
}
10 years, 5 months
- 1
- 0
JBossWeb SVN: r2478 - branches.
by jbossweb-commits@lists.jboss.org
Author: bmaxwell
Date: 2014-07-18 16:19:32 -0400 (Fri, 18 Jul 2014)
New Revision: 2478
Added:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1120889/
Log:
[BZ-1120889] create one off patch branch
10 years, 5 months
- 1
- 0
JBossWeb SVN: r2477 - branches.
by jbossweb-commits@lists.jboss.org
Author: bmaxwell
Date: 2014-07-18 12:46:18 -0400 (Fri, 18 Jul 2014)
New Revision: 2477
Removed:
branches/JBOSSWEB_7_0_16_FINAL_BZ-1120889/
Log:
need to redo
10 years, 5 months
- 1
- 0
JBossWeb SVN: r2476 - in branches/JBOSSWEB_7_0_16_FINAL_BZ-1120889/java/org/apache/coyote: http11 and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: bmaxwell
Date: 2014-07-17 19:48:16 -0400 (Thu, 17 Jul 2014)
New Revision: 2476
Modified:
branches/JBOSSWEB_7_0_16_FINAL_BZ-1120889/java/org/apache/coyote/ajp/AjpAprProtocol.java
branches/JBOSSWEB_7_0_16_FINAL_BZ-1120889/java/org/apache/coyote/http11/Http11AprProtocol.java
Log:
[BZ-1120889] backport fix for APR connector does not allow adding system property org.apache.tomcat.util.ENABLE_MODELER=true
Modified: branches/JBOSSWEB_7_0_16_FINAL_BZ-1120889/java/org/apache/coyote/ajp/AjpAprProtocol.java
===================================================================
--- branches/JBOSSWEB_7_0_16_FINAL_BZ-1120889/java/org/apache/coyote/ajp/AjpAprProtocol.java 2014-07-17 23:45:12 UTC (rev 2475)
+++ branches/JBOSSWEB_7_0_16_FINAL_BZ-1120889/java/org/apache/coyote/ajp/AjpAprProtocol.java 2014-07-17 23:48:16 UTC (rev 2476)
@@ -189,14 +189,14 @@
if (this.domain != null ) {
try {
tpOname = new ObjectName
- (domain + ":" + "type=ThreadPool,name=" + getName());
+ (domain + ":" + "type=ThreadPool,name=" + getJmxName());
Registry.getRegistry(null, null)
.registerComponent(endpoint, tpOname, null );
} catch (Exception e) {
log.error("Can't register threadpool" );
}
rgOname = new ObjectName
- (domain + ":type=GlobalRequestProcessor,name=" + getName());
+ (domain + ":type=GlobalRequestProcessor,name=" + getJmxName());
Registry.getRegistry(null, null).registerComponent
(cHandler.global, rgOname, null);
}
Modified: branches/JBOSSWEB_7_0_16_FINAL_BZ-1120889/java/org/apache/coyote/http11/Http11AprProtocol.java
===================================================================
--- branches/JBOSSWEB_7_0_16_FINAL_BZ-1120889/java/org/apache/coyote/http11/Http11AprProtocol.java 2014-07-17 23:45:12 UTC (rev 2475)
+++ branches/JBOSSWEB_7_0_16_FINAL_BZ-1120889/java/org/apache/coyote/http11/Http11AprProtocol.java 2014-07-17 23:48:16 UTC (rev 2476)
@@ -136,14 +136,14 @@
if( this.domain != null ) {
try {
tpOname=new ObjectName
- (domain + ":" + "type=ThreadPool,name=" + getName());
+ (domain + ":" + "type=ThreadPool,name=" + getJmxName());
Registry.getRegistry(null, null)
.registerComponent(endpoint, tpOname, null );
} catch (Exception e) {
log.error("Can't register threadpool" );
}
rgOname=new ObjectName
- (domain + ":type=GlobalRequestProcessor,name=" + getName());
+ (domain + ":type=GlobalRequestProcessor,name=" + getJmxName());
Registry.getRegistry(null, null).registerComponent
( cHandler.global, rgOname, null );
}
10 years, 5 months
- 1
- 0
JBossWeb SVN: r2475 - branches.
by jbossweb-commits@lists.jboss.org
Author: bmaxwell
Date: 2014-07-17 19:45:12 -0400 (Thu, 17 Jul 2014)
New Revision: 2475
Added:
branches/JBOSSWEB_7_0_16_FINAL_BZ-1120889/
Log:
[BZ-1120889] one off patch branch
10 years, 5 months
- 1
- 0