felix-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cziege...@apache.org
Subject svn commit: r1808973 - in /felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal: dispatch/ServletRequestWrapper.java handler/WhiteboardServletHandler.java whiteboard/WhiteboardManager.java
Date Wed, 20 Sep 2017 08:22:43 GMT
Author: cziegeler
Date: Wed Sep 20 08:22:43 2017
New Revision: 1808973

URL: http://svn.apache.org/viewvc?rev=1808973&view=rev
Log:
Start implementing file permission checks

Modified:
    felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/dispatch/ServletRequestWrapper.java
    felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/handler/WhiteboardServletHandler.java
    felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/whiteboard/WhiteboardManager.java

Modified: felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/dispatch/ServletRequestWrapper.java
URL: http://svn.apache.org/viewvc/felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/dispatch/ServletRequestWrapper.java?rev=1808973&r1=1808972&r2=1808973&view=diff
==============================================================================
--- felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/dispatch/ServletRequestWrapper.java
(original)
+++ felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/dispatch/ServletRequestWrapper.java
Wed Sep 20 08:22:43 2017
@@ -31,6 +31,8 @@ import static org.apache.felix.http.base
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Iterator;
@@ -69,10 +71,10 @@ final class ServletRequestWrapper extend
     private final MultipartConfig multipartConfig;
     private Collection<Part> parts;
 
-    public ServletRequestWrapper(HttpServletRequest req,
-            ExtServletContext servletContext,
-            RequestInfo requestInfo,
-            DispatcherType type,
+    public ServletRequestWrapper(final HttpServletRequest req,
+            final ExtServletContext servletContext,
+            final RequestInfo requestInfo,
+            final DispatcherType type,
             final Long contextId,
             final boolean asyncSupported,
             final MultipartConfig multipartConfig)
@@ -362,112 +364,36 @@ final class ServletRequestWrapper extend
                 {
                     throw new IllegalStateException("Multipart not enabled for servlet.");
                 }
-                // Create a new file upload handler
-                final ServletFileUpload upload = new ServletFileUpload();
-                upload.setSizeMax(this.multipartConfig.multipartMaxRequestSize);
-                upload.setFileSizeMax(this.multipartConfig.multipartMaxFileSize);
-                upload.setFileItemFactory(new DiskFileItemFactory(this.multipartConfig.multipartThreshold,
-                        new File(this.multipartConfig.multipartLocation)));
 
-                // Parse the request
-                List<FileItem> items = null;
-                try
+                if ( System.getSecurityManager() == null )
                 {
-                    items = upload.parseRequest(new ServletRequestContext(this));
+                    handleMultipart();
                 }
-                catch (final FileUploadException fue)
+                else
                 {
-                    throw new IOException("Error parsing multipart request", fue);
-                }
-                parts = new ArrayList<Part>();
-                for(final FileItem item : items)
-                {
-                    parts.add(new Part() {
-
-                        @Override
-                        public InputStream getInputStream() throws IOException
-                        {
-                            return item.getInputStream();
-                        }
-
-                        @Override
-                        public String getContentType()
-                        {
-                            return item.getContentType();
-                        }
-
-                        @Override
-                        public String getName()
-                        {
-                            return item.getFieldName();
-                        }
-
-                        @Override
-                        public String getSubmittedFileName()
-                        {
-                            return item.getName();
-                        }
-
-                        @Override
-                        public long getSize()
-                        {
-                            return item.getSize();
-                        }
+                    final IOException ioe = AccessController.doPrivileged(new PrivilegedAction<IOException>()
+                    {
 
                         @Override
-                        public void write(String fileName) throws IOException
+                        public IOException run()
                         {
                             try
                             {
-                                item.write(new File(fileName));
-                            }
-                            catch (IOException e)
-                            {
-                                throw e;
+                                handleMultipart();
                             }
-                            catch (Exception e)
-                            {
-                                throw new IOException(e);
-                            }
-                        }
-
-                        @Override
-                        public void delete() throws IOException
-                        {
-                            item.delete();
-                        }
-
-                        @Override
-                        public String getHeader(String name)
-                        {
-                            return item.getHeaders().getHeader(name);
-                        }
-
-                        @Override
-                        public Collection<String> getHeaders(String name)
-                        {
-                            final List<String> values = new ArrayList<String>();
-                            final Iterator<String> iter = item.getHeaders().getHeaders(name);
-                            while ( iter.hasNext() )
-                            {
-                                values.add(iter.next());
-                            }
-                            return values;
-                        }
-
-                        @Override
-                        public Collection<String> getHeaderNames()
-                        {
-                            final List<String> names = new ArrayList<String>();
-                            final Iterator<String> iter = item.getHeaders().getHeaderNames();
-                            while ( iter.hasNext() )
+                            catch ( final IOException ioe)
                             {
-                                names.add(iter.next());
+                                return ioe;
                             }
-                            return names;
+                            return null;
                         }
                     });
+                    if ( ioe != null )
+                    {
+                        throw ioe;
+                    }
                 }
+
             }
             else
             {
@@ -477,6 +403,115 @@ final class ServletRequestWrapper extend
         return parts;
     }
 
+    private void handleMultipart() throws IOException
+    {
+        // Create a new file upload handler
+        final ServletFileUpload upload = new ServletFileUpload();
+        upload.setSizeMax(this.multipartConfig.multipartMaxRequestSize);
+        upload.setFileSizeMax(this.multipartConfig.multipartMaxFileSize);
+        upload.setFileItemFactory(new DiskFileItemFactory(this.multipartConfig.multipartThreshold,
+                new File(this.multipartConfig.multipartLocation)));
+
+        // Parse the request
+        List<FileItem> items = null;
+        try
+        {
+            items = upload.parseRequest(new ServletRequestContext(this));
+        }
+        catch (final FileUploadException fue)
+        {
+            throw new IOException("Error parsing multipart request", fue);
+        }
+        parts = new ArrayList<Part>();
+        for(final FileItem item : items)
+        {
+            parts.add(new Part() {
+
+                @Override
+                public InputStream getInputStream() throws IOException
+                {
+                    return item.getInputStream();
+                }
+
+                @Override
+                public String getContentType()
+                {
+                    return item.getContentType();
+                }
+
+                @Override
+                public String getName()
+                {
+                    return item.getFieldName();
+                }
+
+                @Override
+                public String getSubmittedFileName()
+                {
+                    return item.getName();
+                }
+
+                @Override
+                public long getSize()
+                {
+                    return item.getSize();
+                }
+
+                @Override
+                public void write(String fileName) throws IOException
+                {
+                    try
+                    {
+                        item.write(new File(fileName));
+                    }
+                    catch (IOException e)
+                    {
+                        throw e;
+                    }
+                    catch (Exception e)
+                    {
+                        throw new IOException(e);
+                    }
+                }
+
+                @Override
+                public void delete() throws IOException
+                {
+                    item.delete();
+                }
+
+                @Override
+                public String getHeader(String name)
+                {
+                    return item.getHeaders().getHeader(name);
+                }
+
+                @Override
+                public Collection<String> getHeaders(String name)
+                {
+                    final List<String> values = new ArrayList<String>();
+                    final Iterator<String> iter = item.getHeaders().getHeaders(name);
+                    while ( iter.hasNext() )
+                    {
+                        values.add(iter.next());
+                    }
+                    return values;
+                }
+
+                @Override
+                public Collection<String> getHeaderNames()
+                {
+                    final List<String> names = new ArrayList<String>();
+                    final Iterator<String> iter = item.getHeaders().getHeaderNames();
+                    while ( iter.hasNext() )
+                    {
+                        names.add(iter.next());
+                    }
+                    return names;
+                }
+            });
+        }
+    }
     @Override
     public Collection<Part> getParts() throws IOException, ServletException
     {

Modified: felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/handler/WhiteboardServletHandler.java
URL: http://svn.apache.org/viewvc/felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/handler/WhiteboardServletHandler.java?rev=1808973&r1=1808972&r2=1808973&view=diff
==============================================================================
--- felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/handler/WhiteboardServletHandler.java
(original)
+++ felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/handler/WhiteboardServletHandler.java
Wed Sep 20 08:22:43 2017
@@ -16,13 +16,17 @@
  */
 package org.apache.felix.http.base.internal.handler;
 
+import java.io.FilePermission;
+
 import javax.servlet.Servlet;
 
 import org.apache.felix.http.base.internal.context.ExtServletContext;
 import org.apache.felix.http.base.internal.runtime.ServletInfo;
+import org.osgi.framework.Bundle;
 import org.osgi.framework.BundleContext;
 import org.osgi.framework.ServiceObjects;
 import org.osgi.framework.ServiceReference;
+import org.osgi.service.http.runtime.dto.DTOConstants;
 
 /**
  * Servlet handler for servlets registered through the http whiteboard.
@@ -31,18 +35,55 @@ public final class WhiteboardServletHand
 {
     private final BundleContext bundleContext;
 
+    private final int multipartErrorCode;
+
     public WhiteboardServletHandler(final long contextServiceId,
             final ExtServletContext context,
             final ServletInfo servletInfo,
-            final BundleContext bundleContext)
+            final BundleContext bundleContext,
+            final Bundle httpWhiteboardBundle)
     {
         super(contextServiceId, context, servletInfo);
         this.bundleContext = bundleContext;
+        int errorCode = -1;
+        if ( this.getMultipartConfig() != null && System.getSecurityManager() !=
null )
+        {
+            final FilePermission writePerm = new FilePermission(this.getMultipartConfig().multipartLocation,
"read,write");
+            if ( servletInfo.getMultipartConfig().multipartLocation == null )
+            {
+                // default location
+                if ( !httpWhiteboardBundle.hasPermission(writePerm))
+                {
+                    errorCode = DTOConstants.FAILURE_REASON_WHITEBOARD_WRITE_TO_DEFAULT_DENIED;
+                }
+                else
+                {
+                    final FilePermission readPerm = new FilePermission(this.getMultipartConfig().multipartLocation,
"read");
+                    if ( !bundleContext.getBundle().hasPermission(readPerm) )
+                    {
+                        errorCode = DTOConstants.FAILURE_REASON_SERVLET_READ_FROM_DEFAULT_DENIED;
+                    }
+                }
+            }
+            else
+            {
+                // provided location
+                if ( !bundleContext.getBundle().hasPermission(writePerm) )
+                {
+                    errorCode = DTOConstants.FAILURE_REASON_SERVLET_WRITE_TO_LOCATION_DENIED;
+                }
+            }
+        }
+        multipartErrorCode = errorCode;
     }
 
     @Override
     public int init()
     {
+        if ( this.multipartErrorCode != -1 )
+        {
+            return this.multipartErrorCode;
+        }
         if ( this.useCount > 0 )
         {
             this.useCount++;

Modified: felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/whiteboard/WhiteboardManager.java
URL: http://svn.apache.org/viewvc/felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/whiteboard/WhiteboardManager.java?rev=1808973&r1=1808972&r2=1808973&view=diff
==============================================================================
--- felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/whiteboard/WhiteboardManager.java
(original)
+++ felix/trunk/osgi-r7/http/base/src/main/java/org/apache/felix/http/base/internal/whiteboard/WhiteboardManager.java
Wed Sep 20 08:22:43 2017
@@ -32,7 +32,6 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.concurrent.atomic.AtomicBoolean;
 
 import javax.annotation.Nonnull;
 import javax.servlet.FilterChain;
@@ -681,7 +680,7 @@ public final class WhiteboardManager
         		final boolean patternIsEmpty = servletInfo.getPatterns() == null || servletInfo.getPatterns().length
== 0;
         		if ( !nameIsEmpty || !errorPageIsEmpty )
         		{
-        			if ( patternIsEmpty ) 
+        			if ( patternIsEmpty )
         			{
         				// no pattern, so this is valid
         				return -1;
@@ -691,7 +690,7 @@ public final class WhiteboardManager
         		// pattern is invalid, regardless of the other values
                 this.failureStateHandler.addFailure(info, HttpServiceFactory.HTTP_SERVICE_CONTEXT_SERVICE_ID,
DTOConstants.FAILURE_REASON_VALIDATION_FAILED);
 
-                return DTOConstants.FAILURE_REASON_VALIDATION_FAILED;        		
+                return DTOConstants.FAILURE_REASON_VALIDATION_FAILED;
         	}
         }
 
@@ -782,7 +781,8 @@ public final class WhiteboardManager
                         handler.getContextInfo().getServiceId(),
                         servletContext,
                         (ServletInfo)info,
-                        handler.getBundleContext());
+                        handler.getBundleContext(),
+                        this.httpBundleContext.getBundle());
                     handler.getRegistry().registerServlet(servletHandler);
                 }
             }
@@ -983,7 +983,7 @@ public final class WhiteboardManager
      * @throws IOException
      * @throws ServletException
      */
-    public void invokePreprocessors(final HttpServletRequest req, 
+    public void invokePreprocessors(final HttpServletRequest req,
     		final HttpServletResponse res,
     		final Preprocessor dispatcher)
     throws ServletException, IOException
@@ -999,16 +999,16 @@ public final class WhiteboardManager
 	        final FilterChain chain = new FilterChain()
 	        {
 	        	private int index = 0;
-	
+
 	            @Override
 	            public void doFilter(final ServletRequest request, final ServletResponse response)
 	            throws IOException, ServletException
 	            {
-	            	if ( index == localHandlers.size() ) 
+	            	if ( index == localHandlers.size() )
 	            	{
 	            		dispatcher.doFilter(request, response, null);
 	            	}
-	            	else 
+	            	else
 	            	{
 	            		final PreprocessorHandler handler = localHandlers.get(index);
 	            		index++;



Mime
View raw message