File tomcat-9.0-hardening_getResources.patch of Package tomcat
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/loader/WebappClassLoaderBase.java =================================================================== --- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/loader/WebappClassLoaderBase.java +++ apache-tomcat-9.0.36-src/java/org/apache/catalina/loader/WebappClassLoaderBase.java @@ -426,10 +426,15 @@ public abstract class WebappClassLoaderB // ------------------------------------------------------------- Properties /** + * Unused. Always returns {@code null}. + * * @return associated resources. + * + * @deprecated This will be removed in Tomcat 10.1.x onwards */ + @Deprecated public WebResourceRoot getResources() { - return this.resources; + return null; } Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml =================================================================== --- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml +++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml @@ -47,6 +47,12 @@ <section name="Tomcat 9.0.36 (markt)"> <subsection name="Catalina"> <changelog> + <add> + Effectively disable the + <code>WebappClassLoaderBase.getResources()</code> method as it is not + used and if something accidently exposes the class loader this method + can be used to gain access to Tomcat internals. (markt) + </add> <fix> <bug>63508</bug>: NPE in JNDIRealm when no <code>userRoleAttribute</code> is given. (fschumacher)
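Review bot: In the WebappClassLoaderBase.java hunk, the new `return null;` in the public `getResources()` means any caller that dereferences the result now fails with a NullPointerException, and the Javadoc gives no reason for the null. "Unused" can only be confirmed for in-tree code, so the comment should state the hardening rationale given in the changelog (an accidentally exposed class loader must not hand out Tomcat internals), and the `@deprecated` tag should say that there is no replacement. The hunk closes only this getter: the `resources` field read by the removed `return this.resources;` is untouched, so the hardening holds only as long as nothing else hands that field out.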
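Review bot: In the changelog.xml hunk, "accidently" in the new `<add>` entry should be "accidentally". The entry says the method is "effectively disabled" without saying that it now always returns `null`; adding that would tell anyone reading the changelog what behaviour change to expect if their code still calls `WebappClassLoaderBase.getResources()`.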