tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityClassLoad.java
Date Tue, 06 Jan 2004 19:15:48 GMT

----- Original Message -----
From: "Jeanfrancois Arcand" <Jeanfrancois.Arcand@Sun.COM>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Cc: <jakarta-tomcat-catalina-cvs@apache.org>
Sent: Tuesday, January 06, 2004 7:40 AM
Subject: Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityClassLoad.java


>
>
> billbarker@apache.org wrote:
>
> >billbarker    2004/01/05 20:27:34
> >
> >  Modified:    catalina/src/share/org/apache/catalina/security
> >                        SecurityClassLoad.java
> >  Log:
> >  Adding classes for Coyote-Jk.
> >
> >  This addresses Bug #25819.
> >
> >  Reported By: Dario Bonino dario.bonino@rgi.it
> >
> >  Revision  Changes    Path
> >  1.12      +13 -4     jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java
> >
> >  Index: SecurityClassLoad.java
> >  ===================================================================
> >  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java,v
> >  retrieving revision 1.11
> >  retrieving revision 1.12
> >  diff -u -r1.11 -r1.12
> >  --- SecurityClassLoad.java 31 Oct 2003 01:30:01 -0000 1.11
> >  +++ SecurityClassLoad.java 6 Jan 2004 04:27:34 -0000 1.12
> >  @@ -90,6 +90,7 @@
> >           loadJavaxPackage(loader);
> >           loadCoyotePackage(loader);
> >           loadHttp11Package(loader);
> >  +        loadJkPackage(loader);
> >       }
> >
> >
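Review bot: loadJkPackage(loader) is added unconditionally to the same preload sequence as loadCoyotePackage and loadHttp11Package, with no check that the Jk connector is configured at all, so every Catalina start under a SecurityManager now pre-resolves a class only the Jk path needs. Given the objection in the reply that preloading here makes the class reachable by every servlet and removes the option of restricting it through catalina.properties, the cleaner change is the one suggested there: drop this call and wrap the single load in a doPrivileged block inside the Jk code that needs it.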
> >  @@ -239,6 +240,14 @@
> >           loader.loadClass
> >               (basePackage +
> >                "CoyoteResponse$3");
> >  +    }
> >  +
> >  +    private final static void loadJkPackage(ClassLoader loader)
> >  +        throws Exception {
> >  +        String basePackage = "org.apache.tomcat.util.";
> >  +        loader.loadClass
> >  +            (basePackage +
> >  +             "buff.C2BConverter");
> >       }
> >
> >   }
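Review bot: the class name assembled in loadJkPackage, basePackage + "buff.C2BConverter", spells the buffer package with two f's; C2BConverter lives in org.apache.tomcat.util.buf, so as written loader.loadClass would throw ClassNotFoundException, and because the method is declared throws Exception and is called from the common preload sequence, that one typo would abort the whole SecurityClassLoad pass instead of just skipping this class. The method is also named loadJkPackage while loading nothing from a jk package (basePackage is "org.apache.tomcat.util."); either name it after what it actually loads or, as the reply suggests, move the load into the Jk code itself.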
> >
> >
> -1. That breaks the way we are implementing security. The role of this
> class is to load security related inner classes. Doing this makes the
> class available to all Servlets (that breaks the package protection
> mechanism). You should add a doPrivileged block within the jk code
> instead and load the inner class here. Also, it is now impossible to
> protect that class using the catalina.properties if you do that.
>
> If you think C2BConverter is secure and should not be protected
> (available to Servlets), add the package to the catalina.policy instead.
>

I'll revert it.  C2BC is pretty harmless (it's basically a glorified Writer
:), but it doesn't really need to be in catalina.policy.  It just seemed to
be over-kill to create a PA for one "new" statement ;).

> -- Jeanfrancois
>
>
> >
> >
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> >For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

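For readers unfamiliar with the mechanism the two posters are arguing about, the following is an added illustration of the alternative Jeanfrancois proposes and Bill calls "a PA for one new statement": instead of pre-resolving the class from SecurityClassLoad, the connector code that needs it performs the load inside an AccessController.doPrivileged block, so the load succeeds with the connector's own permissions while web application code remains subject to the package.access check. This is example code written for this page, not code from Tomcat or from either poster; the class name JkPrivilegedLoad and the method loadConverterClass are hypothetical, and the comments assume the catalina.properties package.access list and the catalina.policy grants of Tomcat 5 of that era. One caveat for anyone reading this today: the SecurityManager this whole pattern depends on was deprecated for removal in JDK 17 (JEP 411) and is permanently disabled from JDK 24 (JEP 486), so the code below only does anything meaningful on a JDK where a SecurityManager can still be installed.

```java
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/**
 * Hypothetical connector-side helper (added example, not Tomcat code).
 *
 * With a SecurityManager installed, catalina.properties lists packages under
 * "package.access", e.g.
 *
 *   package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.
 *
 * Tomcat's web application class loader calls
 * SecurityManager.checkPackageAccess(pkg) before loading a class from one of
 * those packages, which requires every protection domain on the call stack to
 * hold RuntimePermission("accessClassInPackage." + pkg). Catalina's own jars
 * get that via catalina.policy; web application code does not, so a servlet
 * that tries Class.forName on such a class gets an AccessControlException.
 *
 * Jeanfrancois's objection in the thread is that preloading the class from
 * SecurityClassLoad resolves it once, early, with no web application code on
 * the stack, after which it can no longer be fenced off by package.access.
 * Loading it from a doPrivileged block in the connector instead means the
 * permission check stops at this frame: the connector's domain is checked,
 * the servlet frames above it are not, and the package.access restriction
 * stays in force for anyone who tries to load the class directly.
 */
public final class JkPrivilegedLoad {

    private static final String CLASS_NAME =
            "org.apache.tomcat.util.buf.C2BConverter";

    private JkPrivilegedLoad() { }

    /**
     * Loads CLASS_NAME so that only the protection domains from this frame
     * downward are consulted by the access check, i.e. callers above this
     * frame (for example a servlet whose request triggered the load) are
     * not required to hold accessClassInPackage.org.apache.tomcat.util.buf.
     */
    public static Class<?> loadConverterClass(final ClassLoader loader)
            throws ClassNotFoundException {
        if (System.getSecurityManager() == null) {
            // No SecurityManager installed: no package.access check applies,
            // so a plain load is all that is needed.
            return loader.loadClass(CLASS_NAME);
        }
        try {
            // The "PA for one new statement" from the thread: the privileged
            // action does nothing but the single load.
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<Class<?>>() {
                    public Class<?> run() throws ClassNotFoundException {
                        return loader.loadClass(CLASS_NAME);
                    }
                });
        } catch (PrivilegedActionException e) {
            // run() declares only ClassNotFoundException, so this cast is safe.
            throw (ClassNotFoundException) e.getException();
        }
    }
}
```

The design point is where the privileged boundary sits: keeping doPrivileged as small as possible (one loadClass, nothing else) limits what can be done with the connector's permissions if a web application ever gets control of the arguments, which is why the preload-everything approach in SecurityClassLoad is reserved for classes that genuinely have to be resolved before any request is served.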
