[Security Audit] Package protection...

2002-10-15 Thread Jean-Francois Arcand

Hi,

Is somebody aware why packages org.apache.coyote.* and 
org.apache.tomcat.* are not protected against package insertion/access 
in Catalina.java? What are the reasons? Actually, classes are not 
available to a Webapp (the Classloader is taking care of it) but when 
Tomcat is embedded in an app container (or when there is a special 
Classloader), those classes are available :-(

Actually, we only protect the following packages:

if( System.getSecurityManager() != null ) {
    String access = Security.getProperty("package.access");
    if( access != null && access.length() > 0 )
        access += ",";
    else
        access = "sun.,";
    Security.setProperty("package.access",
        access + "org.apache.catalina.,org.apache.jasper.");
    String definition = Security.getProperty("package.definition");
    if( definition != null && definition.length() > 0 )
        definition += ",";
    else
        definition = "sun.,";
    Security.setProperty("package.definition",
        // FIX ME package javax. was removed to prevent HotSpot
        // fatal internal errors
        definition +
        "java.,org.apache.catalina.,org.apache.jasper.");
}

Thanks,

-- Jeanfrancois


--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]




Re: [Security Audit] Package protection...

2002-10-15 Thread Costin Manolache

IMO sealing is the best protection against insertion, 
and using URLClassLoader ( or making sure all the checks from
URLClassLoader are reproduced ).

I agree, this is a potential risk - as untrusted code may access
package fields. So far I don't see any, but better to be sure.

Costin

Jean-Francois Arcand wrote:

> Hi,
>
> Is somebody aware why packages org.apache.coyote.* and
> org.apache.tomcat.* are not protected against package insertion/access
> in Catalina.java? What are the reasons? Actually, classes are not
> available to a Webapp (the Classloader is taking care of it) but when
> Tomcat is embedded in an app container (or when there is a special
> Classloader), those classes are available :-(
>
> Actually, we only protect the following packages:
>
> if( System.getSecurityManager() != null ) {
>     String access = Security.getProperty("package.access");
>     if( access != null && access.length() > 0 )
>         access += ",";
>     else
>         access = "sun.,";
>     Security.setProperty("package.access",
>         access + "org.apache.catalina.,org.apache.jasper.");
>     String definition = Security.getProperty("package.definition");
>     if( definition != null && definition.length() > 0 )
>         definition += ",";
>     else
>         definition = "sun.,";
>     Security.setProperty("package.definition",
>         // FIX ME package javax. was removed to prevent HotSpot
>         // fatal internal errors
>         definition +
>         "java.,org.apache.catalina.,org.apache.jasper.");
> }
>
> Thanks,
>
> -- Jeanfrancois

-- 
Costin







Re: [Security Audit] Package protection...

2002-10-15 Thread Glenn Nielsen

I agree that both of those packages should be protected.
Why are they not included?  org.apache.coyote is most likely missing
because it is a relatively new package.  org.apache.util may just have
been missed.

The code below is in both startup/Catalina.java and startup/CatalinaService.java.

I will go ahead and patch this in Tomcat 4 HEAD.

Regards,

Glenn

Jean-Francois Arcand wrote:
> Hi,
>
> Is somebody aware why packages org.apache.coyote.* and
> org.apache.tomcat.* are not protected against package insertion/access
> in Catalina.java? What are the reasons? Actually, classes are not
> available to a Webapp (the Classloader is taking care of it) but when
> Tomcat is embedded in an app container (or when there is a special
> Classloader), those classes are available :-(
>
> Actually, we only protect the following packages:
>
> if( System.getSecurityManager() != null ) {
>     String access = Security.getProperty("package.access");
>     if( access != null && access.length() > 0 )
>         access += ",";
>     else
>         access = "sun.,";
>     Security.setProperty("package.access",
>         access + "org.apache.catalina.,org.apache.jasper.");
>     String definition = Security.getProperty("package.definition");
>     if( definition != null && definition.length() > 0 )
>         definition += ",";
>     else
>         definition = "sun.,";
>     Security.setProperty("package.definition",
>         // FIX ME package javax. was removed to prevent HotSpot
>         // fatal internal errors
>         definition +
>         "java.,org.apache.catalina.,org.apache.jasper.");
> }
>
> Thanks,
>
> -- Jeanfrancois


-- 
--
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder|
MOREnet System Programming   |  * if iz ina coment.  |
Missouri Research and Education Network  |  */   |
--
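
Added example, not part of the thread and not Tomcat's code: a sketch of the list extension discussed above, merging org.apache.coyote. and org.apache.tomcat. into package.access and package.definition without duplicating entries, then testing package names with the same prefix match SecurityManager.checkPackageAccess applies. PackageGuard, protect and covers are hypothetical names, and the sample package names in main are constructed.

```java
import java.security.Security;
import java.util.LinkedHashSet;
import java.util.Set;

// Added example, not Tomcat code; class and method names are hypothetical.
public class PackageGuard {
    // Append prefixes to a comma-separated security property, keeping existing entries.
    static String protect(String property, String... prefixes) {
        Set<String> entries = new LinkedHashSet<>();
        String current = Security.getProperty(property);
        if (current != null) {
            for (String e : current.split(",")) {
                if (!e.trim().isEmpty()) entries.add(e.trim());
            }
        }
        for (String p : prefixes) {
            // Trailing dot keeps "org.apache.tomcat." from also matching "org.apache.tomcatx".
            entries.add(p.endsWith(".") ? p : p + ".");
        }
        String merged = String.join(",", entries);
        Security.setProperty(property, merged);
        return merged;
    }

    // Prefix match on a package name, as done by SecurityManager.checkPackageAccess.
    static boolean covers(String property, String pkg) {
        String list = Security.getProperty(property);
        if (list == null) return false;
        for (String e : list.split(",")) {
            String r = e.trim();
            if (!r.isEmpty() && (pkg.startsWith(r) || r.equals(pkg + "."))) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String[] pkgs = { "org.apache.catalina.", "org.apache.jasper.",
                          "org.apache.coyote.", "org.apache.tomcat." };
        // The properties are only enforced when a SecurityManager is installed.
        protect("package.access", pkgs);
        protect("package.definition", pkgs);
        // Constructed sample package names, checked against the merged list.
        for (String pkg : new String[] { "org.apache.coyote", "org.apache.tomcat.util.buf",
                                         "org.apache.commons.logging", "com.example.webapp" }) {
            System.out.println(pkg + " restricted=" + covers("package.access", pkg));
        }
    }
}
```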

