Author: aogburn Date: 2014-07-23 16:31:43 -0400 (Wed, 23 Jul 2014) New Revision: 2481 Added: branches/2.1.x/java/org/apache/tomcat/util/security/ branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java Removed: branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java Modified: branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java branches/2.1.x/java/org/apache/tomcat/util/ branches/2.1.x/java/org/apache/tomcat/util/net/JIoEndpoint.java Log: CVE-2014-0096 & CVE-2014-0119 backports Modified: branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java =================================================================== --- branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java 2014-07-23 16:58:01 UTC (rev 2480) +++ branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java 2014-07-23 20:31:43 UTC (rev 2481) @@ -39,6 +39,7 @@ loadCorePackage(loader); loadLoaderPackage(loader); + loadServletsPackage(loader); loadSessionPackage(loader); loadUtilPackage(loader); loadJavaxPackage(loader); @@ -92,6 +93,18 @@ } + private static final void loadServletsPackage(ClassLoader loader) + throws Exception { + final String basePackage = "org.apache.catalina.servlets."; + // Avoid a possible memory leak in the DefaultServlet when running with + // a security manager. The DefaultServlet needs to load an XML parser + // when running under a security manager. We want this to be loaded by + // the container rather than a web application to prevent a memory leak + // via web application class loader. + loader.loadClass(basePackage + "DefaultServlet"); + } + + private final static void loadSessionPackage(ClassLoader loader) throws Exception { String basePackage = "org.apache.catalina."; Property changes on: branches/2.1.x/java/org/apache/catalina/security/SecurityClassLoad.java ___________________________________________________________________ Added: svn:mergeinfo + /branches/7.4.x/src/main/java/org/apache/catalina/security/SecurityClassLoad.java:2460 Modified: branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java =================================================================== --- branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java 2014-07-23 16:58:01 UTC (rev 2480) +++ branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java 2014-07-23 20:31:43 UTC (rev 2481) @@ -33,8 +33,10 @@ import java.io.Reader; import java.io.StringReader; import java.io.StringWriter; +import java.security.AccessController; import java.util.ArrayList; import java.util.Iterator; +import java.util.Locale; import java.util.StringTokenizer; import javax.naming.InitialContext; @@ -48,10 +50,14 @@ import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.Source; import javax.xml.transform.Transformer; import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerFactory; +import javax.xml.transform.dom.DOMSource; import javax.xml.transform.stream.StreamResult; import javax.xml.transform.stream.StreamSource; @@ -64,6 +70,12 @@ import org.apache.naming.resources.ProxyDirContext; import org.apache.naming.resources.Resource; import org.apache.naming.resources.ResourceAttributes; +import org.apache.tomcat.util.security.PrivilegedGetTccl; +import org.apache.tomcat.util.security.PrivilegedSetTccl; +import org.w3c.dom.Document; +import org.xml.sax.InputSource; +import org.xml.sax.SAXException; +import org.xml.sax.ext.EntityResolver2; /** @@ -78,7 +90,10 @@ public class DefaultServlet extends HttpServlet { + private static final DocumentBuilderFactory factory; + private static final SecureEntityResolver secureEntityResolver; + // ----------------------------------------------------- Instance Variables @@ -178,6 +193,16 @@ urlEncoder.addSafeCharacter('.'); urlEncoder.addSafeCharacter('*'); urlEncoder.addSafeCharacter('/'); + + if (Globals.IS_SECURITY_ENABLED) { + factory = DocumentBuilderFactory.newInstance(); + factory.setNamespaceAware(true); + factory.setValidating(false); + secureEntityResolver = new SecureEntityResolver(); + } else { + factory = null; + secureEntityResolver = null; + } } @@ -1079,17 +1104,12 @@ * Decide which way to render. HTML or XML. */ protected InputStream render(String contextPath, CacheEntry cacheEntry) - throws IOException, ServletException { - - InputStream xsltInputStream = - findXsltInputStream(cacheEntry.context); - - if (xsltInputStream==null) { + throws IOException, ServletException { + Source xsltSource = findXsltInputStream(cacheEntry.context); + if (xsltSource == null) { return renderHtml(contextPath, cacheEntry); - } else { - return renderXml(contextPath, cacheEntry, xsltInputStream); } - + return renderXml(contextPath, cacheEntry, xsltSource); } /** @@ -1101,7 +1121,7 @@ */ protected InputStream renderXml(String contextPath, CacheEntry cacheEntry, - InputStream xsltInputStream) + Source xsltSource) throws IOException, ServletException { StringBuffer sb = new StringBuffer(); @@ -1188,12 +1208,28 @@ sb.append("</listing>"); + // Prevent possible memory leak. Ensure Transformer and + // TransformerFactory are not loaded from the web application. + ClassLoader original; + if (Globals.IS_SECURITY_ENABLED) { + PrivilegedGetTccl pa = new PrivilegedGetTccl(); + original = AccessController.doPrivileged(pa); + } else { + original = Thread.currentThread().getContextClassLoader(); + } + try { + if (Globals.IS_SECURITY_ENABLED) { + PrivilegedSetTccl pa = + new PrivilegedSetTccl(DefaultServlet.class.getClassLoader()); + AccessController.doPrivileged(pa); + } else { + Thread.currentThread().setContextClassLoader( + DefaultServlet.class.getClassLoader()); + } - try { TransformerFactory tFactory = TransformerFactory.newInstance(); Source xmlSource = new StreamSource(new StringReader(sb.toString())); - Source xslSource = new StreamSource(xsltInputStream); - Transformer transformer = tFactory.newTransformer(xslSource); + Transformer transformer = tFactory.newTransformer(xsltSource); ByteArrayOutputStream stream = new ByteArrayOutputStream(); OutputStreamWriter osWriter = new OutputStreamWriter(stream, "UTF8"); @@ -1203,6 +1239,13 @@ return (new ByteArrayInputStream(stream.toByteArray())); } catch (TransformerException e) { throw new ServletException("XSL transformer error", e); + } finally { + if (Globals.IS_SECURITY_ENABLED) { + PrivilegedSetTccl pa = new PrivilegedSetTccl(original); + AccessController.doPrivileged(pa); + } else { + Thread.currentThread().setContextClassLoader(original); + } } } @@ -1421,7 +1464,7 @@ /** * Return the xsl template inputstream (if possible) */ - protected InputStream findXsltInputStream(DirContext directory) + protected Source findXsltInputStream(DirContext directory) throws IOException, ServletException { if (localXsltFile != null) { @@ -1429,8 +1472,13 @@ Object obj = directory.lookup(localXsltFile); if ((obj != null) && (obj instanceof Resource)) { InputStream is = ((Resource) obj).streamContent(); - if (is != null) - return is; + if (is != null) { + if (Globals.IS_SECURITY_ENABLED) { + return secureXslt(is); + } else { + return new StreamSource(is); + } + } } } catch (NamingException e) { if (debug > 10) @@ -1443,20 +1491,24 @@ /* Open and read in file in one fell swoop to reduce chance * chance of leaving handle open. */ - if (globalXsltFile!=null) { - FileInputStream fis = null; - - try { - File f = new File(globalXsltFile); - if (f.exists()){ - fis =new FileInputStream(f); + if (globalXsltFile != null) { + File f = validateGlobalXsltFile(); + if (f != null){ + FileInputStream fis = null; + try { + fis = new FileInputStream(f); byte b[] = new byte[(int)f.length()]; /* danger! */ fis.read(b); - return new ByteArrayInputStream(b); + return new StreamSource(new ByteArrayInputStream(b)); + } finally { + if (fis != null) { + try { + fis.close(); + } catch (IOException ioe) { + // Ignore + } + } } - } finally { - if (fis!=null) - fis.close(); } } @@ -1465,6 +1517,90 @@ } + private File validateGlobalXsltFile() { + + File result = null; + String base = System.getProperty("catalina.base"); + + if (base != null) { + File baseConf = new File(base, "conf"); + result = validateGlobalXsltFile(baseConf); + } + + if (result == null) { + String home = System.getProperty("catalina.home"); + if (home != null && !home.equals(base)) { + File homeConf = new File(home, "conf"); + result = validateGlobalXsltFile(homeConf); + } + } + + return result; + } + + + private File validateGlobalXsltFile(File base) { + File candidate = new File(globalXsltFile); + if (!candidate.isAbsolute()) { + candidate = new File(base, globalXsltFile); + } + + if (!candidate.isFile()) { + return null; + } + + // First check that the resulting path is under the provided base + try { + if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) { + return null; + } + } catch (IOException ioe) { + return null; + } + + // Next check that an .xsl or .xslt file has been specified + String nameLower = candidate.getName().toLowerCase(Locale.ENGLISH); + if (!nameLower.endsWith(".xslt") && !nameLower.endsWith(".xsl")) { + return null; + } + + return candidate; + } + + + private Source secureXslt(InputStream is) { + // Need to filter out any external entities + Source result = null; + try { + DocumentBuilder builder = factory.newDocumentBuilder(); + builder.setEntityResolver(secureEntityResolver); + Document document = builder.parse(is); + result = new DOMSource(document); + } catch (ParserConfigurationException e) { + if (debug > 0) { + log(e.getMessage(), e); + } + } catch (SAXException e) { + if (debug > 0) { + log(e.getMessage(), e); + } + } catch (IOException e) { + if (debug > 0) { + log(e.getMessage(), e); + } + } finally { + if (is != null) { + try { + is.close(); + } catch (IOException e) { + // Ignore + } + } + } + return result; + } + + // -------------------------------------------------------- protected Methods @@ -2139,4 +2275,29 @@ } + /** + * This is secure in the sense that any attempt to use an external entity + * will trigger an exception. + */ + private static class SecureEntityResolver implements EntityResolver2 { + + @Override + public InputSource resolveEntity(String publicId, String systemId) + throws SAXException, IOException { + throw new SAXException("Ignored external entity " + publicId + " " + systemId); + } + + @Override + public InputSource getExternalSubset(String name, String baseURI) + throws SAXException, IOException { + throw new SAXException("Ignored external subset " + name + " " + baseURI); + } + + @Override + public InputSource resolveEntity(String name, String publicId, + String baseURI, String systemId) throws SAXException, + IOException { + throw new SAXException("Ignored external entity " + name + " " + publicId + " " + baseURI + " " + systemId); + } + } } Property changes on: branches/2.1.x/java/org/apache/catalina/servlets/DefaultServlet.java ___________________________________________________________________ Added: svn:mergeinfo + /branches/7.4.x/src/main/java/org/apache/catalina/servlets/DefaultServlet.java:2427 Modified: branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java =================================================================== --- branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java 2014-07-23 16:58:01 UTC (rev 2480) +++ branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java 2014-07-23 20:31:43 UTC (rev 2481) @@ -20,7 +20,7 @@ import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; - +import java.security.AccessController; import java.util.Iterator; import java.util.List; import java.util.jar.JarFile; @@ -31,8 +31,11 @@ import javax.xml.parsers.SAXParser; import javax.xml.parsers.SAXParserFactory; +import org.apache.jasper.Constants; import org.apache.jasper.JasperException; import org.apache.jasper.JspCompilationContext; +import org.apache.tomcat.util.security.PrivilegedGetTccl; +import org.apache.tomcat.util.security.PrivilegedSetTccl; import org.xml.sax.Attributes; import org.xml.sax.InputSource; import org.xml.sax.Locator; @@ -1394,30 +1397,59 @@ * * @return The SAXParser */ - private static SAXParser getSAXParser( - boolean validating, - JspDocumentParser jspDocParser) - throws Exception { + private static SAXParser getSAXParser(boolean validating, + JspDocumentParser jspDocParser) throws Exception { - SAXParserFactory factory = SAXParserFactory.newInstance(); - factory.setNamespaceAware(true); + ClassLoader original; + if (Constants.IS_SECURITY_ENABLED) { + PrivilegedGetTccl pa = new PrivilegedGetTccl(); + original = AccessController.doPrivileged(pa); + } else { + original = Thread.currentThread().getContextClassLoader(); + } + try { + if (Constants.IS_SECURITY_ENABLED) { + PrivilegedSetTccl pa = new PrivilegedSetTccl( + JspDocumentParser.class.getClassLoader()); + AccessController.doPrivileged(pa); + } else { + Thread.currentThread().setContextClassLoader( + JspDocumentParser.class.getClassLoader()); + } - // Preserve xmlns attributes - factory.setFeature( - "http://xml.org/sax/features/namespace-prefixes", - true); - factory.setValidating(validating); - //factory.setFeature( - // "http://xml.org/sax/features/validation", - // validating); - - // Configure the parser - SAXParser saxParser = factory.newSAXParser(); - XMLReader xmlReader = saxParser.getXMLReader(); - xmlReader.setProperty(LEXICAL_HANDLER_PROPERTY, jspDocParser); - xmlReader.setErrorHandler(jspDocParser); + SAXParserFactory factory = SAXParserFactory.newInstance(); - return saxParser; + factory.setNamespaceAware(true); + // Preserve xmlns attributes + factory.setFeature( + "http://xml.org/sax/features/namespace-prefixes", true); + + factory.setValidating(validating); + if (validating) { + // Enable DTD validation + factory.setFeature("http://xml.org/sax/features/validation";, + true); + // Enable schema validation + factory.setFeature( + "http://apache.org/xml/features/validation/schema", + true); + } + + // Configure the parser + SAXParser saxParser = factory.newSAXParser(); + XMLReader xmlReader = saxParser.getXMLReader(); + xmlReader.setProperty(LEXICAL_HANDLER_PROPERTY, jspDocParser); + xmlReader.setErrorHandler(jspDocParser); + + return saxParser; + } finally { + if (Constants.IS_SECURITY_ENABLED) { + PrivilegedSetTccl pa = new PrivilegedSetTccl(original); + AccessController.doPrivileged(pa); + } else { + Thread.currentThread().setContextClassLoader(original); + } + } } /* Property changes on: branches/2.1.x/java/org/apache/jasper/compiler/JspDocumentParser.java ___________________________________________________________________ Added: svn:mergeinfo + /branches/7.4.x/src/main/java/org/apache/jasper/compiler/JspDocumentParser.java:2427 Property changes on: branches/2.1.x/java/org/apache/tomcat/util ___________________________________________________________________ Added: svn:mergeinfo + /branches/7.4.x/src/main/java/org/apache/tomcat/util:2427 Property changes on: branches/2.1.x/java/org/apache/tomcat/util/net/JIoEndpoint.java ___________________________________________________________________ Modified: svn:mergeinfo - /branches/7.2.x/src/main/java/org/apache/tomcat/util/net/JIoEndpoint.java:2135 + /branches/7.2.x/src/main/java/org/apache/tomcat/util/net/JIoEndpoint.java:2135 /branches/7.4.x/src/main/java/org/apache/tomcat/util/net/JIoEndpoint.java:2427 Deleted: branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java =================================================================== --- branches/7.4.x/src/main/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java 2014-05-28 08:20:59 UTC (rev 2427) +++ branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java 2014-07-23 20:31:43 UTC (rev 2481) @@ -1,28 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.tomcat.util.security; - -import java.security.PrivilegedAction; - -public class PrivilegedGetTccl implements PrivilegedAction<ClassLoader> { - @Override - public ClassLoader run() { - return Thread.currentThread().getContextClassLoader(); - } -} - - Copied: branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java (from rev 2427, branches/7.4.x/src/main/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java) =================================================================== --- branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java (rev 0) +++ branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java 2014-07-23 20:31:43 UTC (rev 2481) @@ -0,0 +1,28 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.security; + +import java.security.PrivilegedAction; + +public class PrivilegedGetTccl implements PrivilegedAction<ClassLoader> { + @Override + public ClassLoader run() { + return Thread.currentThread().getContextClassLoader(); + } +} + + Deleted: branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java =================================================================== --- branches/7.4.x/src/main/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java 2014-05-28 08:20:59 UTC (rev 2427) +++ branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java 2014-07-23 20:31:43 UTC (rev 2481) @@ -1,34 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.tomcat.util.security; - -import java.security.PrivilegedAction; - -public class PrivilegedSetTccl implements PrivilegedAction<Void> { - - private ClassLoader cl; - - public PrivilegedSetTccl(ClassLoader cl) { - this.cl = cl; - } - - @Override - public Void run() { - Thread.currentThread().setContextClassLoader(cl); - return null; - } -} \ No newline at end of file Copied: branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java (from rev 2427, branches/7.4.x/src/main/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java) =================================================================== --- branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java (rev 0) +++ branches/2.1.x/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java 2014-07-23 20:31:43 UTC (rev 2481) @@ -0,0 +1,34 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.security; + +import java.security.PrivilegedAction; + +public class PrivilegedSetTccl implements PrivilegedAction<Void> { + + private ClassLoader cl; + + public PrivilegedSetTccl(ClassLoader cl) { + this.cl = cl; + } + + @Override + public Void run() { + Thread.currentThread().setContextClassLoader(cl); + return null; + } +} \ No newline at end of file