[Security Audit] Package protection...
HI, is somebody aware why package org.apache.coyote.* and org.apache.tomcat.* are not protected againts package insertion/access in Catalina.java. What is the reasons? Actually, classes are not available to a Webapp (the Classloader is taking care of it) but when Tomcat is embedded in an app container (or when there is a special Classloader), those classes are available :-( Actually, we only protect the following package: if( System.getSecurityManager() != null ) { String access = Security.getProperty(package.access); if( access != null access.length() 0 ) access += ,; else access = sun.,; Security.setProperty(package.access, access + org.apache.catalina.,org.apache.jasper.); String definition = Security.getProperty(package.definition); if( definition != null definition.length() 0 ) definition += ,; else definition = sun.,; Security.setProperty(package.definition, // FIX ME package javax. was removed to prevent HotSpot // fatal internal errors definition + java.,org.apache.catalina.,org.apache.jasper.); } Thanks, -- Jeanfrancois -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [Security Audit] Package protection...
IMO sealing is the best protection against insertion, and using URLClassLoader ( or making sure all the checks from URLClassLoader are reproduced ). I agree, this is a potential risk - as untrusted code may access package fields. So far I don't see any, but better to be sure. Costin Jean-Francois Arcand wrote: HI, is somebody aware why package org.apache.coyote.* and org.apache.tomcat.* are not protected againts package insertion/access in Catalina.java. What is the reasons? Actually, classes are not available to a Webapp (the Classloader is taking care of it) but when Tomcat is embedded in an app container (or when there is a special Classloader), those classes are available :-( Actually, we only protect the following package: if( System.getSecurityManager() != null ) { String access = Security.getProperty(package.access); if( access != null access.length() 0 ) access += ,; else access = sun.,; Security.setProperty(package.access, access + org.apache.catalina.,org.apache.jasper.); String definition = Security.getProperty(package.definition); if( definition != null definition.length() 0 ) definition += ,; else definition = sun.,; Security.setProperty(package.definition, // FIX ME package javax. was removed to prevent HotSpot // fatal internal errors definition + java.,org.apache.catalina.,org.apache.jasper.); } Thanks, -- Jeanfrancois -- Costin -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [Security Audit] Package protection...
I agree that both of those packages should be protected. Why they are not included? org.apache.coyote is most likely missing because it is a relatively new package. org.apache.util may just have been missed. The code below is in both startup/Catalina.java and startup/CatalinaService.java I will go ahead and patch this in Tomcat 4 HEAD. Regards, Glenn Jean-Francois Arcand wrote: HI, is somebody aware why package org.apache.coyote.* and org.apache.tomcat.* are not protected againts package insertion/access in Catalina.java. What is the reasons? Actually, classes are not available to a Webapp (the Classloader is taking care of it) but when Tomcat is embedded in an app container (or when there is a special Classloader), those classes are available :-( Actually, we only protect the following package: if( System.getSecurityManager() != null ) { String access = Security.getProperty(package.access); if( access != null access.length() 0 ) access += ,; else access = sun.,; Security.setProperty(package.access, access + org.apache.catalina.,org.apache.jasper.); String definition = Security.getProperty(package.definition); if( definition != null definition.length() 0 ) definition += ,; else definition = sun.,; Security.setProperty(package.definition, // FIX ME package javax. was removed to prevent HotSpot // fatal internal errors definition + java.,org.apache.catalina.,org.apache.jasper.); } Thanks, -- Jeanfrancois -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- -- Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder| MOREnet System Programming | * if iz ina coment. | Missouri Research and Education Network | */ | -- -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]