Author: remy.maucherat(a)jboss.com
Date: 2014-06-16 07:00:39 -0400 (Mon, 16 Jun 2014)
New Revision: 2460
Modified:
branches/7.4.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java
branches/7.5.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java
Log:
Add missing patch for CVE-2014-0119, although it is hard to tell if it can be used in AS.
Modified:
branches/7.4.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java
===================================================================
---
branches/7.4.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java 2014-06-13
15:12:30 UTC (rev 2459)
+++
branches/7.4.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java 2014-06-16
11:00:39 UTC (rev 2460)
@@ -39,6 +39,7 @@
loadCorePackage(loader);
loadLoaderPackage(loader);
+ loadServletsPackage(loader);
loadSessionPackage(loader);
loadUtilPackage(loader);
loadJavaxPackage(loader);
@@ -95,6 +96,18 @@
}
+ private static final void loadServletsPackage(ClassLoader loader)
+ throws Exception {
+ final String basePackage = "org.apache.catalina.servlets.";
+ // Avoid a possible memory leak in the DefaultServlet when running with
+ // a security manager. The DefaultServlet needs to load an XML parser
+ // when running under a security manager. We want this to be loaded by
+ // the container rather than a web application to prevent a memory leak
+ // via web application class loader.
+ loader.loadClass(basePackage + "DefaultServlet");
+ }
+
+
private final static void loadSessionPackage(ClassLoader loader)
throws Exception {
String basePackage = "org.apache.catalina.";
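Review bot: `loader.loadClass(basePackage + "DefaultServlet")` in the new loadServletsPackage loads the class but does not run its static initializer. If DefaultServlet creates its XML parser in a static block (not visible in this hunk), that lookup could still run later under a web application's context class loader. Please confirm where the parser is created, and if it is in a static initializer consider `Class.forName(basePackage + "DefaultServlet", true, loader);`. The comment also gives only the memory-leak reason while the log cites CVE-2014-0119, so I would add a line such as `// Also ensures the parser is not supplied by a web application (CVE-2014-0119).`, assuming that reading of the advisory is correct. Both points apply equally to the identical hunk for branches/7.5.x; loadSessionPackage at the end of this hunk continues outside it.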
Modified:
branches/7.5.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java
===================================================================
---
branches/7.5.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java 2014-06-13
15:12:30 UTC (rev 2459)
+++
branches/7.5.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java 2014-06-16
11:00:39 UTC (rev 2460)
@@ -39,6 +39,7 @@
loadCorePackage(loader);
loadLoaderPackage(loader);
+ loadServletsPackage(loader);
loadSessionPackage(loader);
loadUtilPackage(loader);
loadJavaxPackage(loader);
@@ -95,6 +96,18 @@
}
+ private static final void loadServletsPackage(ClassLoader loader)
+ throws Exception {
+ final String basePackage = "org.apache.catalina.servlets.";
+ // Avoid a possible memory leak in the DefaultServlet when running with
+ // a security manager. The DefaultServlet needs to load an XML parser
+ // when running under a security manager. We want this to be loaded by
+ // the container rather than a web application to prevent a memory leak
+ // via web application class loader.
+ loader.loadClass(basePackage + "DefaultServlet");
+ }
+
+
private final static void loadSessionPackage(ClassLoader loader)
throws Exception {
String basePackage = "org.apache.catalina.";