AFAIK, the most important check is doPriviledged(). What we need
to look for is if any of those blocks could be used by 
untrusted code to do something. 

The second very important check is the facades - making sure 
untrusted code can't get access to the real objects.

We should also make sure that the facades are not reused or
are reused only inside a context.

It is nice to review all code for security and bugs ( and general
quality ) - but IMO it is more important to review first the 
critical areas.

The ClassLoader shouldn't create any major problems ( at least in
delegating mode - in non delegating mode we can only trust the 
servlet experts that they did the resarch and can guarantee there's
no security implications. I haven't heard anything convincing on this, but 
they should have this knowledge - otherwise it wouldn't be in the spec :-)


Bob Herrmann wrote:

> FYI, Just to start off, I am going to review these classes.  If
> someone else also reviews them, thats probably a good thing...
> # classes, package name
> 17 o.a.c.deploy
> 9  o.a.c.users
> 44 o.a.c.*
> 34 o.a.jk.*
> 15 j.s.http
> Briefly, I am going to look for
>  - How/if a ClassLoader is used
>  - privilege blocks (are they small, use trusted values)
>  - look for non-final static variables (can they be abused)
>  - can methods/fields be made private?
>  - are mutable objects returned to caller (especially arrays)
>    think about returning clones
>  - non final equals/hashcode methods? (accessing sensitive stuff?)
>  - Serializable (exposes private stuff?)
> Does anyone publish a security checklist list like this?
> Blah Blah,
> -bob
> On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote:
>> Hi,
>> I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I
>> would like to collect as more as information as where you think I should
>> look at (code, security hole, etc.). I'm planning to do the audit using
>> the default SecurityManager. Rigth now, I have started looking at:
>> - doPrivilege blocks. Are they small enough? Can they be reduced?
>> - JSP generated code. Are they secure? Can a malicious app uses the code
>> to access o.a.catalina code?
>> - Is catalina.policy restricted enough?
>> - Is our Classloader secure?
>> Any direction/ideas/recommendations will be appreciated.
>> Thanks,
>> -- Jeanfrancois
>> --
>> To unsubscribe, e-mail:  
>> <mailto:[EMAIL PROTECTED]> For additional
>> commands, e-mail: <mailto:[EMAIL PROTECTED]>


To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Reply via email to