File tomcat-8.0.36-CVE-2016-6797.patch of Package tomcat.4279
Index: java/org/apache/catalina/core/NamingContextListener.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/catalina/core/NamingContextListener.java (date 1465480394000)
+++ java/org/apache/catalina/core/NamingContextListener.java (revision )
@@ -40,6 +40,7 @@
import org.apache.catalina.ContainerEvent;
import org.apache.catalina.ContainerListener;
import org.apache.catalina.Context;
+import org.apache.catalina.Engine;
import org.apache.catalina.Host;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
@@ -58,6 +59,7 @@
import org.apache.naming.ResourceRef;
import org.apache.naming.ServiceRef;
import org.apache.naming.TransactionRef;
+import org.apache.naming.factory.ResourceLinkFactory;
import org.apache.tomcat.util.descriptor.web.ContextEjb;
import org.apache.tomcat.util.descriptor.web.ContextEnvironment;
import org.apache.tomcat.util.descriptor.web.ContextHandler;
@@ -325,6 +327,11 @@
registry.unregisterComponent(objectName);
}
}
+
+ javax.naming.Context global = getGlobalNamingContext();
+ if (global != null) {
+ ResourceLinkFactory.deregisterGlobalResourceAccess(global);
+ }
} finally {
objectNames.clear();
@@ -1148,9 +1155,20 @@
logger.error(sm.getString("naming.bindFailed", e));
}
+ ResourceLinkFactory.registerGlobalResourceAccess(
+ getGlobalNamingContext(), resourceLink.getName(), resourceLink.getGlobal());
}
+ private javax.naming.Context getGlobalNamingContext() {
+ if (container instanceof Context) {
+ Engine e = (Engine) ((Context) container).getParent().getParent();
+ return e.getService().getServer().getGlobalNamingContext();
+ }
+ return null;
+ }
+
+
/**
* Set the specified EJBs in the naming context.
*/
@@ -1251,6 +1269,7 @@
logger.error(sm.getString("naming.unbindFailed", e));
}
+ ResourceLinkFactory.deregisterGlobalResourceAccess(getGlobalNamingContext(), name);
}
Index: test/org/apache/naming/TestNamingContext.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- test/org/apache/naming/TestNamingContext.java (revision )
+++ test/org/apache/naming/TestNamingContext.java (revision )
@@ -0,0 +1,87 @@
+package org.apache.naming;
+
+import javax.naming.Context;
+import javax.naming.NamingException;
+
+import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.naming.factory.ResourceLinkFactory;
+import org.apache.tomcat.util.descriptor.web.ContextEnvironment;
+import org.apache.tomcat.util.descriptor.web.ContextResourceLink;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestNamingContext extends TomcatBaseTest {
+
+ private static final String COMP_ENV = "comp/env";
+ private static final String GLOBAL_NAME = "global";
+ private static final String LOCAL_NAME = "local";
+ private static final String DATA = "Cabbage";
+
+
+ @Test
+ public void testGlobalNaming() throws Exception {
+ Tomcat tomcat = getTomcatInstance();
+ tomcat.enableNaming();
+
+ org.apache.catalina.Context ctx = tomcat.addContext("", null);
+
+ tomcat.start();
+
+ Context webappInitial = ContextBindings.getContext(ctx);
+
+ // Nothing added at the moment so should be null
+ Object obj = doLookup(webappInitial, COMP_ENV + "/" + LOCAL_NAME);
+ Assert.assertNull(obj);
+
+ ContextEnvironment ce = new ContextEnvironment();
+ ce.setName(GLOBAL_NAME);
+ ce.setValue(DATA);
+ ce.setType(DATA.getClass().getName());
+
+ tomcat.getServer().getGlobalNamingResources().addEnvironment(ce);
+
+ // No link so still should be null
+ obj = doLookup(webappInitial, COMP_ENV + "/" + LOCAL_NAME);
+ Assert.assertNull(obj);
+
+ // Now add a resource link to the context
+ ContextResourceLink crl = new ContextResourceLink();
+ crl.setGlobal(GLOBAL_NAME);
+ crl.setName(LOCAL_NAME);
+ crl.setType(DATA.getClass().getName());
+ ctx.getNamingResources().addResourceLink(crl);
+
+ // Link exists so should be OK now
+ obj = doLookup(webappInitial, COMP_ENV + "/" + LOCAL_NAME);
+ Assert.assertEquals(DATA, obj);
+
+ // Try shortcut
+ ResourceLinkFactory factory = new ResourceLinkFactory();
+ ResourceLinkRef rlr = new ResourceLinkRef(DATA.getClass().getName(), GLOBAL_NAME, null, null);
+ obj = factory.getObjectInstance(rlr, null, null, null);
+ Assert.assertEquals(DATA, obj);
+
+ // Remove the link
+ ctx.getNamingResources().removeResourceLink(LOCAL_NAME);
+
+ // No link so should be null
+ obj = doLookup(webappInitial, COMP_ENV + "/" + LOCAL_NAME);
+ Assert.assertNull(obj);
+
+ // Shortcut should fail too
+ obj = factory.getObjectInstance(rlr, null, null, null);
+ Assert.assertNull(obj);
+ }
+
+
+ private Object doLookup(Context context, String name) {
+ Object result = null;
+ try {
+ result = context.lookup(name);
+ } catch (NamingException nnfe) {
+ // Ignore
+ }
+ return result;
+ }
+}
Index: java/org/apache/naming/factory/ResourceLinkFactory.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/naming/factory/ResourceLinkFactory.java (date 1465480394000)
+++ java/org/apache/naming/factory/ResourceLinkFactory.java (revision )
@@ -18,7 +18,10 @@
package org.apache.naming.factory;
+import java.util.HashMap;
import java.util.Hashtable;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
import javax.naming.Context;
import javax.naming.Name;
@@ -50,6 +53,8 @@
*/
private static Context globalContext = null;
+ private static Map<ClassLoader,Map<String,String>> globalResourceRegistrations =
+ new ConcurrentHashMap<>();
// --------------------------------------------------------- Public Methods
@@ -69,6 +74,56 @@
}
+ public static void registerGlobalResourceAccess(Context globalContext, String localName,
+ String globalName) {
+ validateGlobalContext(globalContext);
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ Map<String,String> registrations = globalResourceRegistrations.get(cl);
+ if (registrations == null) {
+ // Web application initialization is single threaded so this is
+ // safe.
+ registrations = new HashMap<>();
+ globalResourceRegistrations.put(cl, registrations);
+ }
+ registrations.put(localName, globalName);
+ }
+
+
+ public static void deregisterGlobalResourceAccess(Context globalContext, String localName) {
+ validateGlobalContext(globalContext);
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ Map<String,String> registrations = globalResourceRegistrations.get(cl);
+ if (registrations != null) {
+ registrations.remove(localName);
+ }
+ }
+
+
+ public static void deregisterGlobalResourceAccess(Context globalContext) {
+ validateGlobalContext(globalContext);
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ globalResourceRegistrations.remove(cl);
+ }
+
+
+ private static void validateGlobalContext(Context globalContext) {
+ if (ResourceLinkFactory.globalContext != null &&
+ ResourceLinkFactory.globalContext != globalContext) {
+ throw new SecurityException("Caller provided invalid global context");
+ }
+ }
+
+
+ private static boolean validateGlobalResourceAccess(String globalName) {
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ Map<String,String> registrations = globalResourceRegistrations.get(cl);
+ if (registrations != null && registrations.containsValue(globalName)) {
+ return true;
+ }
+ return false;
+ }
+
+
// -------------------------------------------------- ObjectFactory Methods
@@ -93,6 +148,12 @@
RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
if (refAddr != null) {
globalName = refAddr.getContent().toString();
+ // When running under a security manager confirm that the current
+ // web application has really been configured to access the specified
+ // global resource
+ if (!validateGlobalResourceAccess(globalName)) {
+ return null;
+ }
Object result = null;
result = globalContext.lookup(globalName);
// FIXME: Check type
