This is an automated email from the ASF dual-hosted git repository. jsedding pushed a commit to branch jsedding/SLING-13263-backport-jasper-fix in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-scripting-jsp.git
commit 8bbef90f1b6390cedd56e91444f4acdaa28552c2 Author: Julian Sedding <[email protected]> AuthorDate: Mon Jul 13 17:30:13 2026 +0200 SLING-13263 - Backport fix for CVE-2016-5018 - modified fix to avoid major API version change --- pom.xml | 2 +- .../jsp/jasper/compiler/JspRuntimeContext.java | 2 - .../jsp/jasper/runtime/JspRuntimeLibrary.java | 51 ++-------------------- .../scripting/jsp/jasper/runtime/package-info.java | 2 +- .../jsp/jasper/security/SecurityClassLoad.java | 3 -- 5 files changed, 5 insertions(+), 55 deletions(-) diff --git a/pom.xml b/pom.xml index e973bfb..06bfc2a 100644 --- a/pom.xml +++ b/pom.xml @@ -28,7 +28,7 @@ </parent> <artifactId>org.apache.sling.scripting.jsp</artifactId> - <version>2.6.3-SNAPSHOT</version> + <version>2.7.0-SNAPSHOT</version> <name>Apache Sling Scripting JSP</name> <description>Support for JSP scripting</description> diff --git a/src/main/java/org/apache/sling/scripting/jsp/jasper/compiler/JspRuntimeContext.java b/src/main/java/org/apache/sling/scripting/jsp/jasper/compiler/JspRuntimeContext.java index c544c53..6fb9e29 100644 --- a/src/main/java/org/apache/sling/scripting/jsp/jasper/compiler/JspRuntimeContext.java +++ b/src/main/java/org/apache/sling/scripting/jsp/jasper/compiler/JspRuntimeContext.java @@ -185,8 +185,6 @@ public final class JspRuntimeContext { "runtime.JspFactoryImpl$PrivilegedReleasePageContext"); factory.getClass().getClassLoader().loadClass( basePackage + "runtime.JspRuntimeLibrary"); - factory.getClass().getClassLoader().loadClass( basePackage + - "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper"); factory.getClass().getClassLoader().loadClass( basePackage + "runtime.ServletResponseWrapperInclude"); factory.getClass().getClassLoader().loadClass( basePackage + diff --git a/src/main/java/org/apache/sling/scripting/jsp/jasper/runtime/JspRuntimeLibrary.java b/src/main/java/org/apache/sling/scripting/jsp/jasper/runtime/JspRuntimeLibrary.java index c4ca690..aa7068d 100644 --- a/src/main/java/org/apache/sling/scripting/jsp/jasper/runtime/JspRuntimeLibrary.java +++ b/src/main/java/org/apache/sling/scripting/jsp/jasper/runtime/JspRuntimeLibrary.java @@ -60,32 +60,9 @@ public class JspRuntimeLibrary { private static final String JSP_EXCEPTION = "javax.servlet.jsp.jspException"; - protected static class PrivilegedIntrospectHelper - implements PrivilegedExceptionAction { - - private Object bean; - private String prop; - private String value; - private ServletRequest request; - private String param; - private boolean ignoreMethodNF; - - PrivilegedIntrospectHelper(Object bean, String prop, - String value, ServletRequest request, - String param, boolean ignoreMethodNF) - { - this.bean = bean; - this.prop = prop; - this.value = value; - this.request = request; - this.param = param; - this.ignoreMethodNF = ignoreMethodNF; - } - + protected static class PrivilegedIntrospectHelper implements PrivilegedExceptionAction<Object> { public Object run() throws JasperException { - internalIntrospecthelper( - bean,prop,value,request,param,ignoreMethodNF); - return null; + throw new UnsupportedOperationException("PrivilegedIntrospectHelper retained only for binary compatibility"); } } @@ -292,29 +269,7 @@ public class JspRuntimeLibrary { public static void introspecthelper(Object bean, String prop, String value, ServletRequest request, String param, boolean ignoreMethodNF) - throws JasperException - { - if( Constants.IS_SECURITY_ENABLED ) { - try { - PrivilegedIntrospectHelper dp = - new PrivilegedIntrospectHelper( - bean,prop,value,request,param,ignoreMethodNF); - AccessController.doPrivileged(dp); - } catch( PrivilegedActionException pe) { - Exception e = pe.getException(); - throw (JasperException)e; - } - } else { - internalIntrospecthelper( - bean,prop,value,request,param,ignoreMethodNF); - } - } - - private static void internalIntrospecthelper(Object bean, String prop, - String value, ServletRequest request, - String param, boolean ignoreMethodNF) - throws JasperException - { + throws JasperException { Method method = null; Class type = null; Class propertyEditorClass = null; diff --git a/src/main/java/org/apache/sling/scripting/jsp/jasper/runtime/package-info.java b/src/main/java/org/apache/sling/scripting/jsp/jasper/runtime/package-info.java index 62839ca..61eff12 100644 --- a/src/main/java/org/apache/sling/scripting/jsp/jasper/runtime/package-info.java +++ b/src/main/java/org/apache/sling/scripting/jsp/jasper/runtime/package-info.java @@ -19,7 +19,7 @@ /** * This package should only be used by compiled JSP scripts when being executed on the platform. */ -@Version("2.5.0") +@Version("2.6.0") package org.apache.sling.scripting.jsp.jasper.runtime; import org.osgi.annotation.versioning.Version; diff --git a/src/main/java/org/apache/sling/scripting/jsp/jasper/security/SecurityClassLoad.java b/src/main/java/org/apache/sling/scripting/jsp/jasper/security/SecurityClassLoad.java index 03c931e..59e0b29 100644 --- a/src/main/java/org/apache/sling/scripting/jsp/jasper/security/SecurityClassLoad.java +++ b/src/main/java/org/apache/sling/scripting/jsp/jasper/security/SecurityClassLoad.java @@ -46,9 +46,6 @@ public final class SecurityClassLoad { loader.loadClass( basePackage + "runtime.JspRuntimeLibrary"); - loader.loadClass( basePackage + - "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper"); - loader.loadClass( basePackage + "runtime.ServletResponseWrapperInclude"); loader.loadClass( basePackage +
