[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #13 from Remy Maucherat ---
It was fixed shortly after in 8.5.63.

--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #12 from Jiri Novak ---
Any chance it will be fixed to 8.5?

[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

Mark Thomas changed:

           What    |Removed |Added
         Status    |NEW     |RESOLVED
     Resolution    |---     |FIXED

--- Comment #11 from Mark Thomas ---
Fixed in:
- 10.0.x for 10.0.2 onwards
- 9.0.x for 9.0.43 onwards

[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #10 from Remy Maucherat ---
(In reply to Mark Thomas from comment #9)
> The best I can come up with is if path starts with "file:/" or "://"
> the code jumps directly to the URI handling. I'll work on a patch. I'm
> wondering how far to go optimizing the code. I'm thinking not far.

Ok. Yes, I don't think it needs to be super fast since this is for loading configuration resources.

[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #9 from Mark Thomas ---
The best I can come up with is if path starts with "file:/" or "://" the code jumps directly to the URI handling. I'll work on a patch. I'm wondering how far to go optimizing the code. I'm thinking not far.

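Added example, not part of the original thread and not Tomcat's source: a Java illustration of the location handling discussed in comments #1 to #9. It shows the path a File-first lookup hands to the security check, how the prefix test from comment #9 routes the same string to URI handling instead, and what the ':' test floated in comment #7 returns for the same inputs. Class and method names are hypothetical, reading the "://" test as "contains" is an assumption, and every sample location except the one from comment #4 is constructed.

```java
import java.io.File;

// Added illustration, not Tomcat's ConfigFileLoader source.
public class ConfigLocationDemo {

    // Comment #9 heuristic; reading the "://" test as "contains" is an assumption.
    static boolean prefixSaysUri(String location) {
        return location.startsWith("file:/") || location.contains("://");
    }

    // Comment #7 idea: a ':' with no '/' before it marks a URL scheme.
    static boolean colonSaysUri(String location) {
        int colon = location.indexOf(':');
        int slash = location.indexOf('/');
        return colon > 0 && (slash < 0 || colon < slash);
    }

    // File-first lookup: a non-absolute name is resolved against the base
    // directory. isAbsolute() performs no security check; a later isFile()
    // on the returned path is the call a SecurityManager vets.
    static String fileFirstPath(String base, String location) {
        File f = new File(location);
        if (!f.isAbsolute()) {
            f = new File(base, location);
        }
        return f.getPath();
    }

    // Short circuit: URI-looking names never reach the File branch.
    static String resolve(String base, String location) {
        return prefixSaysUri(location)
                ? "URI  " + location
                : "File " + fileFirstPath(base, location);
    }

    public static void main(String[] args) {
        String base = "C:/tmp/120/a/catalina";   // catalina.base from comment #4
        String[] samples = {
            "file:/C:/tmp/120/key.jks",          // value from comment #4
            "conf/key.jks",                      // constructed
            "C:/tmp/120/key.jks",                // constructed
            "https://config.example/key.jks"     // constructed
        };
        for (String s : samples) {
            System.out.printf("%-32s fileFirst=%s%n    resolve=%s prefix=%b colon=%b%n",
                    s, fileFirstPath(base, s), resolve(base, s),
                    prefixSaysUri(s), colonSaysUri(s));
        }
    }
}
```

The printed File paths depend on the platform's separator and its rules for absolute paths, so run it on the operating system whose policy file you are writing.
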
[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #8 from Mark Thomas ---
Hmm. Thinking...

[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #7 from Remy Maucherat ---
(In reply to Mark Thomas from comment #5)
> Rémy, what if we added a
>
> if ("name.startsWith("file:/") {
>
> }
> block around the File and classloader case? Essentially short circuit to URI
> in that case for getResource() and getURI(). Does that help?

I think that would work for the reporter but still fail for other URLs. This security check is annoying ... Maybe detect a URL scheme, like if there's ':' in the path and no '/' before it?

[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #6 from Mark Thomas ---
That should be:

if (*!*name...

[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #5 from Mark Thomas ---
Rémy, what if we added a

if ("name.startsWith("file:/") {

}

block around the File and classloader case? Essentially short circuit to URI in that case for getResource() and getURI(). Does that help?

[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #4 from Jiri Novak ---
Caused by: java.io.IOException: Failed to load keystore type [JKS] with path [file:/C:/tmp/120/key.jks] due to [access denied ("java.io.FilePermission" "C:\tmp\120\a\catalina\file:\C:\tmp\120\key.jks" "read")]
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:227)

I have not found any way how to write such path to policy file so SecurityManager can accept it.

    permission java.io.FilePermission "file:${catalina.base}", "read";
    permission java.io.FilePermission "${catalina.base}", "read";
    permission java.io.FilePermission "file:${catalina.base}/", "read";
    permission java.io.FilePermission "${catalina.base}/", "read";
    permission java.io.FilePermission "file:${catalina.base}/-", "read";
    permission java.io.FilePermission "${catalina.base}/-", "read";
    permission java.io.FilePermission "file:${catalina.base}/*", "read";
    permission java.io.FilePermission "${catalina.base}/*", "read";
    permission java.io.FilePermission "C:/tmp/120/a/catalina", "read";
    permission java.io.FilePermission "C:/tmp/120/a/catalina/", "read";
    permission java.io.FilePermission "C:/tmp/120/a/catalina/-", "read";
    permission java.io.FilePermission "C:/tmp/120/a/catalina/*", "read";
    permission java.io.FilePermission "C:/tmp/120/a/catalina/file:/C:/tmp/120/key.jks", "read";
    permission java.io.FilePermission "C:/tmp/120/a/catalina/file://C:/tmp/120/key.jks", "read";
    permission java.io.FilePermission "C:/tmp/120/a/catalina/file:///C:/tmp/120/key.jks", "read";
    permission java.io.FilePermission "C:\\tmp\\120\\a\\catalina\\file:\\C:\\tmp\\120\\key.jks", "read";

[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #3 from Remy Maucherat ---
I am inching towards a WONTFIX, since the only real solution is to use URLs only. It would mean absolute file paths won't work, I believe, and this is not possible. The rest would be fine.

I don't understand why "And it is impossible to create such a policy for SecurityManager", can you explain a bit more?

[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #2 from Jiri Novak ---
I understand but the current state is that tomcat won't start.

[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

Remy Maucherat changed:

           What    |Removed |Added
             OS    |        |All

--- Comment #1 from Remy Maucherat ---
Ok, after checking the javadoc, I can see that isAbsolute is a safe call (no security check) but isFile is not. Wrapping with a try/catch could be reasonable, however it would also hide the exception when it is legitimate and useful to have.