cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util/compat Jdk11Compat.java Jdk12Support.java

Mon, 20 Aug 2001 21:22:14 -0700 

costin      01/08/20 21:44:02

  Modified:    src/share/org/apache/tomcat/util/compat Jdk11Compat.java
                        Jdk12Support.java
  Log:
  Fix a possible security problem ( if JdkCompat ends up with too many permissions,
  the previous code could allow granting them to untrusted code ).
  
  Now the priviledged call is done in the context of the caller ( you can't run without
  a context, and the only way untrusted code could get the context is via JdkCompat )
  
  Better to be safe.
  
  Revision  Changes    Path
  1.9       +5 -1      
jakarta-tomcat/src/share/org/apache/tomcat/util/compat/Jdk11Compat.java
  
  Index: Jdk11Compat.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/compat/Jdk11Compat.java,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- Jdk11Compat.java  2001/08/16 00:20:47     1.8
  +++ Jdk11Compat.java  2001/08/21 04:44:02     1.9
  @@ -93,10 +93,14 @@
        return new SimpleClassLoader( urls, parent );
       }
   
  +    public Object getAccessControlContext() throws Exception {
  +     return null;
  +    }
  +    
       /** Do a priviledged action. For java2 a wrapper will be provided
        and the AccesscController will be called.
        */
  -    public Object doPrivileged( Action action ) throws Exception {
  +    public Object doPrivileged( Action action, Object acc ) throws Exception {
        // ( using util's permissions !)
        return action.run();
       }
  
  
  
  1.6       +9 -3      
jakarta-tomcat/src/share/org/apache/tomcat/util/compat/Jdk12Support.java
  
  Index: Jdk12Support.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/compat/Jdk12Support.java,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- Jdk12Support.java 2001/08/16 00:20:47     1.5
  +++ Jdk12Support.java 2001/08/21 04:44:02     1.6
  @@ -78,8 +78,14 @@
        return URLClassLoader.newInstance( urls, parent );
       }
   
  -
  -    public Object doPrivileged( Action action ) throws Exception {
  +    public Object getAccessControlContext() throws Exception {
  +     return AccessController.getContext();
  +    }
  +    
  +    public Object doPrivileged( Action action, Object accO ) throws Exception {
  +     AccessControlContext acc=(AccessControlContext)accO;
  +     if( acc==null )
  +         throw new Exception("Invalid access control context ");
        Object proxy=action.getProxy();
        if( proxy==null ) {
            proxy=new PrivilegedProxy(action);
  @@ -88,7 +94,7 @@
   
        try {
            return AccessController.
  -             doPrivileged((PrivilegedExceptionAction)proxy);
  +             doPrivileged((PrivilegedExceptionAction)proxy, acc);
        } catch( PrivilegedActionException pe ) {
            Exception e = pe.getException();
            throw e;

Reply via email to