File tomcat-8.0.36-CVE-2016-6794.patch of Package tomcat.4279
Index: java/org/apache/tomcat/util/security/PermissionCheck.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/tomcat/util/security/PermissionCheck.java (revision )
+++ java/org/apache/tomcat/util/security/PermissionCheck.java (revision )
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.security;
+
+import java.security.Permission;
+
+/**
+ * This interface is implemented by components to enable privileged code to
+ * check whether the component has a given permission.
+ * This is typically used when a privileged component (e.g. the container) is
+ * performing an action on behalf of an untrusted component (e.g. a web
+ * application) without the current thread having passed through a code source
+ * provided by the untrusted component. Because the current thread has not
+ * passed through a code source provided by the untrusted component the
+ * SecurityManager assumes the code is trusted so the standard checking
+ * mechanisms can't be used.
+ */
+public interface PermissionCheck {
+
+ /**
+ * Does this component have the given permission?
+ *
+ * @param permission The permission to test
+ *
+ * @return {@code false} if a SecurityManager is enabled and the component
+ * does not have the given permission, otherwise {@code false}
+ */
+ boolean check(Permission permission);
+}
+
Index: java/org/apache/catalina/loader/WebappClassLoaderBase.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/catalina/loader/WebappClassLoaderBase.java (date 1465480394000)
+++ java/org/apache/catalina/loader/WebappClassLoaderBase.java (revision )
@@ -80,6 +80,7 @@
import org.apache.tomcat.util.compat.JreCompat;
import org.apache.tomcat.util.compat.JreVendor;
import org.apache.tomcat.util.res.StringManager;
+import org.apache.tomcat.util.security.PermissionCheck;
/**
* Specialized web application class loader.
@@ -125,7 +126,7 @@
* @author Craig R. McClanahan
*/
public abstract class WebappClassLoaderBase extends URLClassLoader
- implements Lifecycle, InstrumentableClassLoader, WebappProperties {
+ implements Lifecycle, InstrumentableClassLoader, WebappProperties, PermissionCheck {
private static final org.apache.juli.logging.Log log =
org.apache.juli.logging.LogFactory.getLog(WebappClassLoaderBase.class);
@@ -1383,6 +1384,24 @@
}
return (pc);
+ }
+
+
+ @Override
+ public boolean check(Permission permission) {
+ if (!Globals.IS_SECURITY_ENABLED) {
+ return true;
+ }
+ Policy currentPolicy = Policy.getPolicy();
+ if (currentPolicy != null) {
+ URL contextRootUrl = resources.getResource("/").getCodeBase();
+ CodeSource cs = new CodeSource(contextRootUrl, (Certificate[]) null);
+ PermissionCollection pc = currentPolicy.getPermissions(cs);
+ if (pc.implies(permission)) {
+ return true;
+ }
+ }
+ return false;
}
Index: java/org/apache/tomcat/util/digester/Digester.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/tomcat/util/digester/Digester.java (date 1465480394000)
+++ java/org/apache/tomcat/util/digester/Digester.java (revision )
@@ -23,11 +23,13 @@
import java.lang.reflect.InvocationTargetException;
import java.net.URI;
import java.net.URISyntaxException;
+import java.security.Permission;
import java.util.EmptyStackException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import java.util.PropertyPermission;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
@@ -37,6 +39,7 @@
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.util.IntrospectionUtils;
+import org.apache.tomcat.util.security.PermissionCheck;
import org.xml.sax.Attributes;
import org.xml.sax.EntityResolver;
import org.xml.sax.ErrorHandler;
@@ -78,6 +81,13 @@
implements IntrospectionUtils.PropertySource {
@Override
public String getProperty( String key ) {
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ if (cl instanceof PermissionCheck) {
+ Permission p = new PropertyPermission(key, "read");
+ if (!((PermissionCheck) cl).check(p)) {
+ return null;
+ }
+ }
return System.getProperty(key);
}
}
