Mark,
On 4/18/19 14:34, ma...@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/master by this push:
>      new 3032e08  Security hardening. Avoid loading user specified classes.
> 3032e08 is described below
>
> commit 3032e08baec63874fec292daf288c319719dfeac
> Author: Mark Thomas <ma...@apache.org>
> AuthorDate: Thu Apr 18 19:32:57 2019 +0100
>
>     Security hardening. Avoid loading user specified classes.
>
>     The user is trusted so loading a user specified class should be safe but given it isn't necessary to load the class, avoid doing so. Reported by Coverity scan.
> [...]
> diff --git a/java/org/apache/tomcat/util/IntrospectionUtils.java > b/java/org/apache/tomcat/util/IntrospectionUtils.java index > 82752e4..bb954fb 100644 --- > a/java/org/apache/tomcat/util/IntrospectionUtils.java +++ > b/java/org/apache/tomcat/util/IntrospectionUtils.java @@ -433,6 > +433,28 @@ public final class IntrospectionUtils { return result; > } > > + + public static boolean isInstance(Class<?> clazz, String > type) { + if (type.equals(clazz.getName())) { + > return true; + } + + Class<?>[] ifaces = > clazz.getInterfaces(); + for (Class<?> iface : ifaces) { + > if (isInstance(iface, type)) { + return true; + > } + } + + Class<?> superClazz = > clazz.getSuperclass(); + if (superClazz == null) { + > return false; + } else { + return > isInstance(superClazz, type); + } + } +

This method is basically Class.isAssignableFrom except that it works on a String argument and never instantiates the Class object it represents, right? If so, I'll add a little Javadoc because when I had read the code (without apparently reading the "Detail" text of this patch), I thought "why not just call Class.isAssignableFrom instead of all this?" Is there ever any problem with primitive values, or is that never an issue?
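Review bot: the new isInstance(Class<?>, String) added to IntrospectionUtils in this hunk carries no Javadoc, and its name suggests a Class.isInstance(Object) check when it actually walks clazz's interfaces and superclasses comparing fully-qualified names against the String type; a one-line Javadoc stating that it answers "is the class named `type` the same as, or a supertype of, `clazz`" without ever loading `type` would record the hardening intent from the commit message at the point where the next reader meets the code. Two details worth stating in that Javadoc: `type.equals(clazz.getName())` is evaluated first, so a null `type` throws NullPointerException rather than returning false; and because the comparison is purely by name, `type` is never resolved, so the result differs from Class.isAssignableFrom for a name that cannot be loaded at all, which is the desired behaviour here but should be documented.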
-chris