tomcat-dev mailing list archives

From Glenn Nielsen <gl...@mail.more.net>
Subject Re: [Security Audit] Package protection...
Date Tue, 15 Oct 2002 20:33:02 GMT
I agree that both of those packages should be protected.
Why are they not included?  org.apache.coyote is most likely missing
because it is a relatively new package.  org.apache.util may just have
been missed.

The code below is in both startup/Catalina.java and startup/CatalinaService.java

I will go ahead and patch this in Tomcat 4 HEAD.

Regards,

Glenn

Jean-Francois Arcand wrote:
> HI,
> 
> is somebody aware why package org.apache.coyote.* and 
> org.apache.tomcat.* are not protected against package insertion/access 
> in Catalina.java. What are the reasons? Actually, classes are not 
> available to a Webapp (the Classloader is taking care of it) but when 
> Tomcat is embedded in an app container (or when there is a special 
> Classloader), those classes are available :-(
> 
> Actually, we only protect the following package:
> 
>        if( System.getSecurityManager() != null ) {
>            // package.access: packages a class loader may not hand out
>            // classes from without accessClassInPackage.<pkg> permission
>            String access = Security.getProperty("package.access");
>            if( access != null && access.length() > 0 )
>                access += ",";
>            else
>                access = "sun.,";
>            Security.setProperty("package.access",
>                access + "org.apache.catalina.,org.apache.jasper.");
>            // package.definition: packages no class may be defined in
>            // without defineClassInPackage.<pkg> permission
>            String definition = Security.getProperty("package.definition");
>            if( definition != null && definition.length() > 0 )
>                definition += ",";
>            else
>                definition = "sun.,";
>            Security.setProperty("package.definition",
>                // FIX ME package "javax." was removed to prevent HotSpot
>                // fatal internal errors
>                definition + "java.,org.apache.catalina.,org.apache.jasper.");
>        }
> 
> Thanks,
> 
> -- Jeanfrancois
> 
> 


-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
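The effect of the two security properties discussed above can be exercised without a running Tomcat. The program below is an added illustration and is not code from Tomcat or from either poster: it repeats the Catalina.java append pattern for the package lists in the snippet plus the packages the thread proposes (org.apache.coyote, org.apache.tomcat), then asks a SecurityManager whether ordinary application code may load or define classes in a few probe packages before and after the lists are extended. It assumes a JDK on which the SecurityManager still functions (8 through 17; the API is deprecated for removal in later releases) and the JDK's default policy file, which grants application code no accessClassInPackage.* or defineClassInPackage.* permissions. The manager is used as a plain object and never installed, so the demo itself may set security properties freely.

```java
import java.security.Security;

/*
 * Added illustration, not Tomcat code. Shows what the package.access and
 * package.definition security properties do once a package prefix is on
 * them, and that a package absent from the lists is never checked at all.
 * Assumption: JDK 8-17 with the default java.policy (application code holds
 * no accessClassInPackage.* / defineClassInPackage.* permission).
 */
public class PackageGuardDemo {

    /* The prefixes Catalina.java already adds, plus the two the thread proposes.
       The trailing dot matters: the JDK matches each entry as a prefix of the
       package name, so "org.apache.tomcat." also covers org.apache.tomcat.util. */
    static final String[] ACCESS_PACKAGES = {
        "org.apache.catalina.", "org.apache.jasper.",
        "org.apache.coyote.", "org.apache.tomcat."
    };
    static final String[] DEFINITION_PACKAGES = {
        "java.", "org.apache.catalina.", "org.apache.jasper.",
        "org.apache.coyote.", "org.apache.tomcat."
    };

    /* Same logic as the Catalina.java snippet: extend the value the JDK ships
       in its java.security file, or start from "sun.," if there is none.
       Security.setProperty also invalidates the SecurityManager's cached
       copy of the list, so the change takes effect on the next check. */
    static String appendPackages(String property, String... prefixes) {
        String value = Security.getProperty(property);
        if (value != null && value.length() > 0) {
            value += ",";
        } else {
            value = "sun.,";
        }
        value += String.join(",", prefixes);
        Security.setProperty(property, value);
        return value;
    }

    /* true when the manager refuses to let the calling code load classes from
       pkg. checkPackageAccess only consults package.access: a package that is
       not on that list passes without any permission check, which is the gap
       the thread describes for org.apache.coyote and org.apache.tomcat. */
    static boolean loadRefused(SecurityManager sm, String pkg) {
        try {
            sm.checkPackageAccess(pkg);
            return false;
        } catch (SecurityException refused) {
            return true;
        }
    }

    /* Same for defining a new class in pkg, governed by package.definition. */
    static boolean defineRefused(SecurityManager sm, String pkg) {
        try {
            sm.checkPackageDefinition(pkg);
            return false;
        } catch (SecurityException refused) {
            return true;
        }
    }

    static void report(SecurityManager sm, String[] pkgs) {
        for (String pkg : pkgs) {
            System.out.printf("  %-24s load refused: %-5b  define refused: %b%n",
                    pkg, loadRefused(sm, pkg), defineRefused(sm, pkg));
        }
    }

    public static void main(String[] args) {
        SecurityManager sm = new SecurityManager();
        // Constructed probe packages: three internal Tomcat packages and one
        // hypothetical web application package that should stay reachable.
        String[] probes = {
            "org.apache.catalina", "org.apache.coyote",
            "org.apache.tomcat.util", "com.example.webapp"
        };

        System.out.println("Before extending the lists (nothing is refused):");
        report(sm, probes);

        appendPackages("package.access", ACCESS_PACKAGES);
        appendPackages("package.definition", DEFINITION_PACKAGES);

        System.out.println("After extending the lists (only the webapp package passes):");
        report(sm, probes);
    }
}
```

Compile and run with `javac PackageGuardDemo.java && java PackageGuardDemo`. The check only bites when the caller's protection domain lacks the matching RuntimePermission, which is exactly the situation for web application code under catalina.policy; Tomcat's own jars are granted AllPermission there and continue to load these packages normally.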

