File tomcat-8.0.32-CVE-2016-6794.patch of Package tomcat.openSUSE_Leap_42.1_Update
Index: java/org/apache/tomcat/util/security/PermissionCheck.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/tomcat/util/security/PermissionCheck.java (revision )
+++ java/org/apache/tomcat/util/security/PermissionCheck.java (revision )
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.security;
+
+import java.security.Permission;
+
+/**
+ * This interface is implemented by components to enable privileged code to
+ * check whether the component has a given permission.
+ * This is typically used when a privileged component (e.g. the container) is
+ * performing an action on behalf of an untrusted component (e.g. a web
+ * application) without the current thread having passed through a code source
+ * provided by the untrusted component. Because the current thread has not
+ * passed through a code source provided by the untrusted component the
+ * SecurityManager assumes the code is trusted so the standard checking
+ * mechanisms can't be used.
+ */
+public interface PermissionCheck {
+
+ /**
+ * Does this component have the given permission?
+ *
+ * @param permission The permission to test
+ *
+ * @return {@code false} if a SecurityManager is enabled and the component
+ * does not have the given permission, otherwise {@code false}
+ */
+ boolean check(Permission permission);
+}
Index: java/org/apache/catalina/loader/WebappClassLoaderBase.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/catalina/loader/WebappClassLoaderBase.java (date 1454441552000)
+++ java/org/apache/catalina/loader/WebappClassLoaderBase.java (revision )
@@ -41,6 +41,7 @@
 import java.security.Policy;
 import java.security.PrivilegedAction;
 import java.security.ProtectionDomain;
+import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -78,6 +79,7 @@
 import org.apache.tomcat.util.IntrospectionUtils;
 import org.apache.tomcat.util.compat.JreVendor;
 import org.apache.tomcat.util.res.StringManager;
+import org.apache.tomcat.util.security.PermissionCheck;
 
 /**
 * Specialized web application class loader.
@@ -123,7 +125,7 @@
 * @author Craig R. McClanahan
 */
 public abstract class WebappClassLoaderBase extends URLClassLoader
- implements Lifecycle, InstrumentableClassLoader, WebappProperties {
+ implements Lifecycle, InstrumentableClassLoader, WebappProperties, PermissionCheck {
 
 private static final org.apache.juli.logging.Log log =
 org.apache.juli.logging.LogFactory.getLog(WebappClassLoaderBase.class);
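Review bot: The `@return` tag on check() in PermissionCheck.java names `{@code false}` for both outcomes, so the contract as written can never yield true; the second clause should read `otherwise {@code true}`, which is what the WebappClassLoaderBase implementation later in this patch returns when no SecurityManager is enabled or the policy implies the permission. Corrected line: ` * does not have the given permission, otherwise {@code true}`. It would also help implementors to state in the interface Javadoc that an implementation unable to evaluate the permission is expected to return false, since callers in this patch treat a negative answer as "withhold the value".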
@@ -1424,6 +1426,24 @@
 @Override
 public LifecycleState getState() {
 return state;
+ }
+
+
+ @Override
+ public boolean check(Permission permission) {
+ if (!Globals.IS_SECURITY_ENABLED) {
+ return true;
+ }
+ Policy currentPolicy = Policy.getPolicy();
+ if (currentPolicy != null) {
+ URL contextRootUrl = resources.getResource("/").getCodeBase();
+ CodeSource cs = new CodeSource(contextRootUrl, (Certificate[]) null);
+ PermissionCollection pc = currentPolicy.getPermissions(cs);
+ if (pc.implies(permission)) {
+ return true;
+ }
+ }
+ return false;
 }
Index: java/org/apache/tomcat/util/digester/Digester.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/tomcat/util/digester/Digester.java (date 1454441552000)
+++ java/org/apache/tomcat/util/digester/Digester.java (revision )
@@ -23,11 +23,13 @@
 import java.lang.reflect.InvocationTargetException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.security.Permission;
 import java.util.EmptyStackException;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.PropertyPermission;
 
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
@@ -37,6 +39,7 @@
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.IntrospectionUtils;
+import org.apache.tomcat.util.security.PermissionCheck;
 import org.xml.sax.Attributes;
 import org.xml.sax.EntityResolver;
 import org.xml.sax.ErrorHandler;
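Review bot: In the new check() method, `resources.getResource("/").getCodeBase()` is dereferenced with no null guard; if `resources` can be null after the loader has been stopped (its lifecycle handling is outside this hunk), a check against a stopped loader would throw NullPointerException rather than fail closed. Adding `if (resources == null) { return false; }` ahead of the lookup preserves the deny-by-default shape of the method, and the same applies to a null return from `getResource("/")` if that is possible for this resource set. The method carries only the inherited Javadoc; a comment such as `// Evaluate the permission against the policy grants for the context root code source, i.e. what the web application itself was granted` above the `CodeSource` construction would make the intent clear to maintainers. The enclosing class body continues outside the hunk.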
@@ -78,6 +81,13 @@
 implements IntrospectionUtils.PropertySource {
 @Override
 public String getProperty( String key ) {
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ if (cl instanceof PermissionCheck) {
+ Permission p = new PropertyPermission(key, "read");
+ if (!((PermissionCheck) cl).check(p)) {
+ return null;
+ }
+ }
 return System.getProperty(key);
 }
 }
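Review bot: A denied lookup in getProperty() returns null with no trace, which is indistinguishable from an unset property and makes an over-restrictive policy hard to diagnose; if a logger is reachable from this property source (the class header is outside the hunk), a debug-level line such as `log.debug("Access to system property " + key + " denied by policy");` before `return null;` would help operators. The guard only takes effect when the context class loader implements PermissionCheck; for any other loader the full system property space stays readable, which looks intended for container-level parsing but deserves a one-line comment above the `instanceof` test saying so. The enclosing property-source class starts before this hunk.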