File tomcat-8.0.36-CVE-2016-6797.patch of Package tomcat.4279
Index: java/org/apache/catalina/core/NamingContextListener.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/catalina/core/NamingContextListener.java (date 1465480394000)
+++ java/org/apache/catalina/core/NamingContextListener.java (revision )
@@ -40,6 +40,7 @@
 import org.apache.catalina.ContainerEvent;
 import org.apache.catalina.ContainerListener;
 import org.apache.catalina.Context;
+import org.apache.catalina.Engine;
 import org.apache.catalina.Host;
 import org.apache.catalina.Lifecycle;
 import org.apache.catalina.LifecycleEvent;
@@ -58,6 +59,7 @@
 import org.apache.naming.ResourceRef;
 import org.apache.naming.ServiceRef;
 import org.apache.naming.TransactionRef;
+import org.apache.naming.factory.ResourceLinkFactory;
 import org.apache.tomcat.util.descriptor.web.ContextEjb;
 import org.apache.tomcat.util.descriptor.web.ContextEnvironment;
 import org.apache.tomcat.util.descriptor.web.ContextHandler;
@@ -325,6 +327,11 @@
 registry.unregisterComponent(objectName);
 }
 }
+
+ javax.naming.Context global = getGlobalNamingContext();
+ if (global != null) {
+ ResourceLinkFactory.deregisterGlobalResourceAccess(global);
+ }
 } finally {
 objectNames.clear();
@@ -1148,9 +1155,20 @@
 logger.error(sm.getString("naming.bindFailed", e));
 }
+ ResourceLinkFactory.registerGlobalResourceAccess(
+ getGlobalNamingContext(), resourceLink.getName(), resourceLink.getGlobal());
 }
+ private javax.naming.Context getGlobalNamingContext() {
+ if (container instanceof Context) {
+ Engine e = (Engine) ((Context) container).getParent().getParent();
+ return e.getService().getServer().getGlobalNamingContext();
+ }
+ return null;
+ }
+
+
 /**
 * Set the specified EJBs in the naming context.
 */
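Review bot: In the @@ -325 hunk of NamingContextListener.java, the call to `ResourceLinkFactory.deregisterGlobalResourceAccess(global)` sits at the end of the try body, so it is skipped if anything earlier in that body throws. The class loader's entry then stays in the static `globalResourceRegistrations` map, which keeps the stopped web application's registrations and a strong reference to its class loader. Moving the added statements into the `finally` block next to `objectNames.clear();` would make the cleanup unconditional. The try body starts outside the hunk, so what can throw there is not visible here.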
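Review bot: In the @@ -1148 hunk, `getGlobalNamingContext()` returns null when the container is not a Context, and that result is passed straight to `registerGlobalResourceAccess(...)`, whereas the @@ -325 hunk checks `global != null` first; the @@ -1251 hunk makes the same unguarded call to `deregisterGlobalResourceAccess(getGlobalNamingContext(), name)`. With a null argument, `validateGlobalContext` throws SecurityException once a global context has been set, so both calls should be guarded the same way as in the @@ -325 hunk. The cast `(Engine) ((Context) container).getParent().getParent()` also assumes a Context → Host → Engine hierarchy and fails with NullPointerException or ClassCastException otherwise; a null check on the first `getParent()` and an `instanceof Engine` test before the cast would let the helper return null instead. The registration call additionally runs after the catch that logs `naming.bindFailed`, so access is registered even when the bind failed; the enclosing method starts outside the hunk.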
@@ -1251,6 +1269,7 @@
 logger.error(sm.getString("naming.unbindFailed", e));
 }
+ ResourceLinkFactory.deregisterGlobalResourceAccess(getGlobalNamingContext(), name);
 }
Index: test/org/apache/naming/TestNamingContext.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- test/org/apache/naming/TestNamingContext.java (revision )
+++ test/org/apache/naming/TestNamingContext.java (revision )
@@ -0,0 +1,87 @@
+package org.apache.naming;
+
+import javax.naming.Context;
+import javax.naming.NamingException;
+
+import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.naming.factory.ResourceLinkFactory;
+import org.apache.tomcat.util.descriptor.web.ContextEnvironment;
+import org.apache.tomcat.util.descriptor.web.ContextResourceLink;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestNamingContext extends TomcatBaseTest {
+
+ private static final String COMP_ENV = "comp/env";
+ private static final String GLOBAL_NAME = "global";
+ private static final String LOCAL_NAME = "local";
+ private static final String DATA = "Cabbage";
+
+
+ @Test
+ public void testGlobalNaming() throws Exception {
+ Tomcat tomcat = getTomcatInstance();
+ tomcat.enableNaming();
+
+ org.apache.catalina.Context ctx = tomcat.addContext("", null);
+
+ tomcat.start();
+
+ Context webappInitial = ContextBindings.getContext(ctx);
+
+ // Nothing added at the moment so should be null
+ Object obj = doLookup(webappInitial, COMP_ENV + "/" + LOCAL_NAME);
+ Assert.assertNull(obj);
+
+ ContextEnvironment ce = new ContextEnvironment();
+ ce.setName(GLOBAL_NAME);
+ ce.setValue(DATA);
+ ce.setType(DATA.getClass().getName());
+
+ tomcat.getServer().getGlobalNamingResources().addEnvironment(ce);
+
+ // No link so still should be null
+ obj = doLookup(webappInitial, COMP_ENV + "/" + LOCAL_NAME);
+ Assert.assertNull(obj);
+
+ // Now add a resource link to the context
+ ContextResourceLink crl = new ContextResourceLink();
+ crl.setGlobal(GLOBAL_NAME);
+ crl.setName(LOCAL_NAME);
+ crl.setType(DATA.getClass().getName());
+ ctx.getNamingResources().addResourceLink(crl);
+
+ // Link exists so should be OK now
+ obj = doLookup(webappInitial, COMP_ENV + "/" + LOCAL_NAME);
+ Assert.assertEquals(DATA, obj);
+
+ // Try shortcut
+ ResourceLinkFactory factory = new ResourceLinkFactory();
+ ResourceLinkRef rlr = new 
ResourceLinkRef(DATA.getClass().getName(), GLOBAL_NAME, null, null);
+ obj = factory.getObjectInstance(rlr, null, null, null);
+ Assert.assertEquals(DATA, obj);
+
+ // Remove the link
+ ctx.getNamingResources().removeResourceLink(LOCAL_NAME);
+
+ // No link so should be null
+ obj = doLookup(webappInitial, COMP_ENV + "/" + LOCAL_NAME);
+ Assert.assertNull(obj);
+
+ // Shortcut should fail too
+ obj = factory.getObjectInstance(rlr, null, null, null);
+ Assert.assertNull(obj);
+ }
+
+
+ private Object doLookup(Context context, String name) {
+ Object result = null;
+ try {
+ result = context.lookup(name);
+ } catch (NamingException nnfe) {
+ // Ignore
+ }
+ return result;
+ }
+}
Index: java/org/apache/naming/factory/ResourceLinkFactory.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/naming/factory/ResourceLinkFactory.java (date 1465480394000)
+++ java/org/apache/naming/factory/ResourceLinkFactory.java (revision )
@@ -18,7 +18,10 @@
 package org.apache.naming.factory;
+import java.util.HashMap;
 import java.util.Hashtable;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
 import javax.naming.Context;
 import javax.naming.Name;
@@ -50,6 +53,8 @@
 */
 private static Context globalContext = null;
+ private static Map<ClassLoader,Map<String,String>> globalResourceRegistrations =
+ new ConcurrentHashMap<>();
 // --------------------------------------------------------- Public Methods
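Review bot: In TestNamingContext.testGlobalNaming, the direct `factory.getObjectInstance(rlr, null, null, null)` path is asserted only after a link has been added and then removed. Nothing checks that it returns null while the global entry exists but no ResourceLink has ever been configured, which is the access the new check is meant to refuse. Creating `factory` and `rlr` before the link is added and inserting `Assert.assertNull(factory.getObjectInstance(rlr, null, null, null));` after the "No link so still should be null" assertion would pin that case. Separately, `doLookup` swallows every `NamingException`, so the `assertNull` checks also pass on unrelated naming failures; catching only `javax.naming.NameNotFoundException` would tighten them, assuming that is what a missing binding raises here.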
@@ -69,6 +74,56 @@
 }
+ public static void registerGlobalResourceAccess(Context globalContext, String localName,
+ String globalName) {
+ validateGlobalContext(globalContext);
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ Map<String,String> registrations = globalResourceRegistrations.get(cl);
+ if (registrations == null) {
+ // Web application initialization is single threaded so this is
+ // safe.
+ registrations = new HashMap<>();
+ globalResourceRegistrations.put(cl, registrations);
+ }
+ registrations.put(localName, globalName);
+ }
+
+
+ public static void deregisterGlobalResourceAccess(Context globalContext, String localName) {
+ validateGlobalContext(globalContext);
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ Map<String,String> registrations = globalResourceRegistrations.get(cl);
+ if (registrations != null) {
+ registrations.remove(localName);
+ }
+ }
+
+
+ public static void deregisterGlobalResourceAccess(Context globalContext) {
+ validateGlobalContext(globalContext);
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ globalResourceRegistrations.remove(cl);
+ }
+
+
+ private static void validateGlobalContext(Context globalContext) {
+ if (ResourceLinkFactory.globalContext != null &&
+ ResourceLinkFactory.globalContext != globalContext) {
+ throw new SecurityException("Caller provided invalid global context");
+ }
+ }
+
+
+ private static boolean validateGlobalResourceAccess(String globalName) {
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ Map<String,String> registrations = globalResourceRegistrations.get(cl);
+ if (registrations != null && registrations.containsValue(globalName)) {
+ return true;
+ }
+ return false;
+ }
+
+
 // -------------------------------------------------- ObjectFactory Methods
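Review bot: The per-class-loader map created in `registerGlobalResourceAccess` is a plain `HashMap`, justified by the comment that web application initialization is single threaded, but `validateGlobalResourceAccess` reads it with `containsValue` on whichever thread performs a lookup. The test added in this patch adds and removes a resource link after `tomcat.start()`, so a link changed at runtime can mutate the map while a lookup is reading it. Using `registrations = new ConcurrentHashMap<>();` (the class is already imported by this patch) removes that race, provided local and global names are never null. The three new public static methods also have no Javadoc; each should state that the caller must pass the server's global naming context and that registrations are keyed on the thread context class loader at call time.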
@@ -93,6 +148,12 @@
 RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
 if (refAddr != null) {
 globalName = refAddr.getContent().toString();
+ // When running under a security manager confirm that the current
+ // web application has really been configured to access the specified
+ // global resource
+ if (!validateGlobalResourceAccess(globalName)) {
+ return null;
+ }
 Object result = null;
 result = globalContext.lookup(globalName);
 // FIXME: Check type
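Review bot: The comment added in the @@ -93 hunk says the check applies "When running under a security manager", but `validateGlobalResourceAccess(globalName)` is called unconditionally, so every lookup goes through it. Either the comment or the code is off; if the unconditional check is intended, reword it to `// Confirm that the current web application has been configured to access the specified global resource`. A refused lookup returns null with no trace, which an operator cannot tell apart from a missing resource, so a debug-level log line before `return null;` would help diagnosis. The check matches only the exact thread context class loader, so a lookup made while a different loader is set as the TCCL would presumably be refused as well. The enclosing method starts and ends outside the hunk.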