This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push: new d2e079f Fix BZ 64488. Correct ImportHandler failures under a security manager d2e079f is described below commit d2e079ff75cba8c1936874e7f1a8244de08d67f2 Author: Mark Thomas <ma...@apache.org> AuthorDate: Tue Jun 2 23:54:49 2020 +0100 Fix BZ 64488. Correct ImportHandler failures under a security manager https://bz.apache.org/bugzilla/show_bug.cgi?id=64488 Patch provided by Volodymyr Siedleck --- java/jakarta/el/ImportHandler.java | 39 ++++++++++++++++++++++++++++++++++++-- webapps/docs/changelog.xml | 5 +++++ 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/java/jakarta/el/ImportHandler.java b/java/jakarta/el/ImportHandler.java index 1e7e9b9..c4d62d2 100644 --- a/java/jakarta/el/ImportHandler.java +++ b/java/jakarta/el/ImportHandler.java @@ -19,6 +19,8 @@ package jakarta.el; import java.lang.reflect.Field; import java.lang.reflect.Method; import java.lang.reflect.Modifier; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.Collections; import java.util.HashMap; import java.util.HashSet; @@ -31,6 +33,8 @@ import java.util.concurrent.ConcurrentHashMap; */ public class ImportHandler { + private static final boolean IS_SECURITY_ENABLED = (System.getSecurityManager() != null); + private static final Map<String,Set<String>> standardPackages = new HashMap<>(); static { @@ -452,8 +456,18 @@ public class ImportHandler { * for the case where the class does exist is a lot less than the * overhead we save by not calling loadClass(). */ - if (cl.getResource(path) == null) { - return null; + if (IS_SECURITY_ENABLED) { + // Webapps don't have read permission for JAVA_HOME (and + // possibly other sources of classes). Only need to know if the + // class exists at this point. Class loading occurs with + // standard SecurityManager policy next. + if (!AccessController.doPrivileged(new PrivilegedResourceExists(cl, path)).booleanValue()) { + return null; + } + } else { + if (cl.getResource(path) == null) { + return null; + } } } catch (ClassCircularityError cce) { // May happen under a security manager. Ignore it and try loading @@ -489,4 +503,25 @@ public class ImportHandler { */ private static class NotFound { } + + + private static class PrivilegedResourceExists implements PrivilegedAction<Boolean> { + + private final ClassLoader cl; + private final String name; + + public PrivilegedResourceExists(ClassLoader cl, String name) { + this.cl = cl; + this.name = name; + } + + @Override + public Boolean run() { + if (cl.getResource(name) == null) { + return Boolean.FALSE; + } else { + return Boolean.TRUE; + } + } + } } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index b6d47ce..b3c1546 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -119,6 +119,11 @@ endpoint path is specified and catch invalid endpoint paths earlier. (markt) </fix> + <fix> + <bug>64488</bug>: Ensure that the ImportHandler from the Expression + Language API is able to load classes from the Java runtime when running + under a SecurityManager. Based on a patch by Volodymyr Siedleck. (markt) + </fix> </changelog> </subsection> <subsection name="Other"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org