
From ma...@apache.org
Subject svn commit: r1831003 - in /tomcat/trunk: conf/catalina.policy java/javax/servlet/http/Cookie.java test/javax/servlet/http/TestCookieRFC2109Validator.java
Date Sat, 05 May 2018 20:21:21 GMT
Author: markt
Date: Sat May  5 20:21:21 2018
New Revision: 1831003

URL: http://svn.apache.org/viewvc?rev=1831003&view=rev
Log:
Refactor to remove the need for explicit property permissions for Cookie code

Modified:
    tomcat/trunk/conf/catalina.policy
    tomcat/trunk/java/javax/servlet/http/Cookie.java
    tomcat/trunk/test/javax/servlet/http/TestCookieRFC2109Validator.java

Modified: tomcat/trunk/conf/catalina.policy
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/catalina.policy?rev=1831003&r1=1831002&r2=1831003&view=diff
==============================================================================
--- tomcat/trunk/conf/catalina.policy (original)
+++ tomcat/trunk/conf/catalina.policy Sat May  5 20:21:21 2018
@@ -172,14 +172,6 @@ grant {
     permission java.lang.RuntimePermission
      "accessClassInPackage.org.apache.jasper.runtime.*";
 
-    // The cookie code needs these.
-    permission java.util.PropertyPermission
-     "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
-    permission java.util.PropertyPermission
-     "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
-    permission java.util.PropertyPermission
-     "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
-
     // Applications using WebSocket need to be able to access these packages
     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";

Modified: tomcat/trunk/java/javax/servlet/http/Cookie.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/http/Cookie.java?rev=1831003&r1=1831002&r2=1831003&view=diff
==============================================================================
--- tomcat/trunk/java/javax/servlet/http/Cookie.java (original)
+++ tomcat/trunk/java/javax/servlet/http/Cookie.java Sat May  5 20:21:21 2018
@@ -17,6 +17,8 @@
 package javax.servlet.http;
 
 import java.io.Serializable;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.text.MessageFormat;
 import java.util.BitSet;
 import java.util.Locale;
@@ -54,19 +56,66 @@ import java.util.ResourceBundle;
 public class Cookie implements Cloneable, Serializable {
 
     private static final CookieNameValidator validation;
+
     static {
+        boolean strictServletCompliance;
         boolean strictNaming;
-        String prop = System.getProperty("org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING");
-        if (prop != null) {
-            strictNaming = Boolean.parseBoolean(prop);
+        boolean allowSlash;
+        String propStrictNaming;
+        String propFwdSlashIsSeparator;
+
+        if (System.getSecurityManager() == null) {
+            strictServletCompliance = Boolean.getBoolean(
+                    "org.apache.catalina.STRICT_SERVLET_COMPLIANCE");
+            propStrictNaming = System.getProperty(
+                    "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING");
+            propFwdSlashIsSeparator = System.getProperty(
+                    "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR");
         } else {
-            strictNaming = Boolean.getBoolean("org.apache.catalina.STRICT_SERVLET_COMPLIANCE");
+            strictServletCompliance = AccessController.doPrivileged(
+                    new PrivilegedAction<Boolean>() {
+                        @Override
+                        public Boolean run() {
+                            return Boolean.valueOf(System.getProperty(
+                                    "org.apache.catalina.STRICT_SERVLET_COMPLIANCE"));
+                        }
+                    }
+                ).booleanValue();
+            propStrictNaming = AccessController.doPrivileged(
+                    new PrivilegedAction<String>() {
+                        @Override
+                        public String run() {
+                            return System.getProperty(
+                                    "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING");
+                        }
+                    }
+                );
+            propFwdSlashIsSeparator = AccessController.doPrivileged(
+                    new PrivilegedAction<String>() {
+                        @Override
+                        public String run() {
+                            return System.getProperty(
+                                    "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR");
+                        }
+                    }
+                );
         }
 
-        if (strictNaming) {
-            validation = new RFC2109Validator();
+        if (propStrictNaming == null) {
+            strictNaming = strictServletCompliance;
+        } else {
+            strictNaming = Boolean.parseBoolean(propStrictNaming);
+        }
+
+        if (propFwdSlashIsSeparator == null) {
+            allowSlash = !strictServletCompliance;
+        } else {
+            allowSlash = !Boolean.parseBoolean(propFwdSlashIsSeparator);
         }
-        else {
+
+        if (strictNaming) {
+            validation = new RFC2109Validator(allowSlash);
+        } else {
             validation = new RFC6265Validator();
         }
     }
@@ -428,15 +477,8 @@ class RFC6265Validator extends CookieNam
 }
 
 class RFC2109Validator extends RFC6265Validator {
-    RFC2109Validator() {
+    RFC2109Validator(boolean allowSlash) {
         // special treatment to allow for FWD_SLASH_IS_SEPARATOR property
-        boolean allowSlash;
-        String prop = System.getProperty("org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR");
-        if (prop != null) {
-            allowSlash = !Boolean.parseBoolean(prop);
-        } else {
-            allowSlash = !Boolean.getBoolean("org.apache.catalina.STRICT_SERVLET_COMPLIANCE");
-        }
         if (allowSlash) {
             allowed.set('/');
         }
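Review bot: The retained comment `// special treatment to allow for FWD_SLASH_IS_SEPARATOR property` now describes a property this constructor no longer reads, since the decision has moved to the caller as the allowSlash parameter. A short Javadoc on the constructor would keep the link to the property without misleading a reader into looking for the lookup here, e.g. `/** @param allowSlash whether '/' is accepted in cookie names; derived by the caller from STRICT_SERVLET_COMPLIANCE and FWD_SLASH_IS_SEPARATOR */`, with the inline comment reduced to `// '/' handling is configurable, see caller`. The constructor body continues past the end of the hunk.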

Modified: tomcat/trunk/test/javax/servlet/http/TestCookieRFC2109Validator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/javax/servlet/http/TestCookieRFC2109Validator.java?rev=1831003&r1=1831002&r2=1831003&view=diff
==============================================================================
--- tomcat/trunk/test/javax/servlet/http/TestCookieRFC2109Validator.java (original)
+++ tomcat/trunk/test/javax/servlet/http/TestCookieRFC2109Validator.java Sat May  5 20:21:21
2018
@@ -22,11 +22,8 @@ import org.junit.Test;
  * Basic tests for Cookie in default configuration.
  */
 public class TestCookieRFC2109Validator {
-    static {
-        System.setProperty("org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR",
"true");
-    }
 
-    private RFC2109Validator validator = new RFC2109Validator();
+    private RFC2109Validator validator = new RFC2109Validator(false);
 
     @Test
     public void actualCharactersAllowedInName() {
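Review bot: The test now hard-codes `new RFC2109Validator(false)`, so only the "slash is a separator" configuration is exercised and the newly parameterised allowSlash == true path has no coverage in this file; a second validator instance constructed with `true`, asserting that '/' is accepted in a name, would pin the other branch. The unchanged class Javadoc "Basic tests for Cookie in default configuration" also no longer matches, since the value is chosen explicitly rather than taken from the defaults. The test method actualCharactersAllowedInName continues outside the hunk.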


