From dev-return-190632-archive-asf-public=cust-asf.ponee.io@tomcat.apache.org Sat May 5 22:21:25 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 49CDF180671 for ; Sat, 5 May 2018 22:21:24 +0200 (CEST) Received: (qmail 43584 invoked by uid 500); 5 May 2018 20:21:22 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 43574 invoked by uid 99); 5 May 2018 20:21:22 -0000 Received: from Unknown (HELO svn01-us-west.apache.org) (209.188.14.144) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 05 May 2018 20:21:22 +0000 Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 199013A00AF for ; Sat, 5 May 2018 20:21:21 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1831003 - in /tomcat/trunk: conf/catalina.policy java/javax/servlet/http/Cookie.java test/javax/servlet/http/TestCookieRFC2109Validator.java Date: Sat, 05 May 2018 20:21:21 -0000 To: dev@tomcat.apache.org 
From: markt@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20180505202122.199013A00AF@svn01-us-west.apache.org>
Author: markt
Date: Sat May 5 20:21:21 2018
New Revision: 1831003
URL: http://svn.apache.org/viewvc?rev=1831003&view=rev
Log: Refactor to remove the need for explicit property permissions for Cookie code
Modified: tomcat/trunk/conf/catalina.policy tomcat/trunk/java/javax/servlet/http/Cookie.java tomcat/trunk/test/javax/servlet/http/TestCookieRFC2109Validator.java
Modified: tomcat/trunk/conf/catalina.policy
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/catalina.policy?rev=1831003&r1=1831002&r2=1831003&view=diff
==============================================================================
--- tomcat/trunk/conf/catalina.policy (original)
+++ tomcat/trunk/conf/catalina.policy Sat May 5 20:21:21 2018
@@ -172,14 +172,6 @@ grant {
         permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
-        // The cookie code needs these.
-        permission java.util.PropertyPermission
-                "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
-        permission java.util.PropertyPermission
-                "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
-        permission java.util.PropertyPermission
-                "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
-
         // Applications using WebSocket need to be able to access these packages
         permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
         permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
Modified: tomcat/trunk/java/javax/servlet/http/Cookie.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/http/Cookie.java?rev=1831003&r1=1831002&r2=1831003&view=diff
==============================================================================
--- tomcat/trunk/java/javax/servlet/http/Cookie.java (original)
+++ tomcat/trunk/java/javax/servlet/http/Cookie.java Sat May 5 20:21:21 2018
@@ -17,6 +17,8 @@ package javax.servlet.http;
 import java.io.Serializable;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.text.MessageFormat;
 import java.util.BitSet;
 import java.util.Locale;
@@ -54,19 +56,66 @@ import java.util.ResourceBundle;
 public class Cookie implements Cloneable, Serializable {
     private static final CookieNameValidator validation;
+
     static {
+        boolean strictServletCompliance;
         boolean strictNaming;
-        String prop = System.getProperty("org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING");
-        if (prop != null) {
-            strictNaming = Boolean.parseBoolean(prop);
+        boolean allowSlash;
+        String propStrictNaming;
+        String propFwdSlashIsSeparator;
+
+        if (System.getSecurityManager() == null) {
+            strictServletCompliance = Boolean.getBoolean(
+                    "org.apache.catalina.STRICT_SERVLET_COMPLIANCE");
+            propStrictNaming = System.getProperty(
+                    "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING");
+            propFwdSlashIsSeparator = System.getProperty(
+                    "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR");
         } else {
-            strictNaming = Boolean.getBoolean("org.apache.catalina.STRICT_SERVLET_COMPLIANCE");
+            strictServletCompliance = AccessController.doPrivileged(
+                    new PrivilegedAction() {
+                        @Override
+                        public Boolean run() {
+                            return Boolean.valueOf(System.getProperty(
+                                    "org.apache.catalina.STRICT_SERVLET_COMPLIANCE"));
+                        }
+                    }
+            ).booleanValue();
+            propStrictNaming = AccessController.doPrivileged(
+                    new PrivilegedAction() {
+                        @Override
+                        public String run() {
+                            return System.getProperty(
+                                    "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING");
+                        }
+                    }
+            );
+            propFwdSlashIsSeparator = AccessController.doPrivileged(
+                    new PrivilegedAction() {
+                        @Override
+                        public String run() {
+                            return System.getProperty(
+                                    "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR");
+                        }
+                    }
+            );
         }
-        if (strictNaming) {
-            validation = new RFC2109Validator();
+        if (propStrictNaming == null) {
+            strictNaming = strictServletCompliance;
+        } else {
+            strictNaming = Boolean.parseBoolean(propStrictNaming);
+        }
+
+        if (propFwdSlashIsSeparator == null) {
+            allowSlash = !strictServletCompliance;
+        } else {
+            allowSlash = !Boolean.parseBoolean(propFwdSlashIsSeparator);
         }
-        else {
+
+        if (strictNaming) {
+            validation = new RFC2109Validator(allowSlash);
+        } else {
             validation = new RFC6265Validator();
         }
     }
@@ -428,15 +477,8 @@ class RFC6265Validator extends CookieNam
 }
 class RFC2109Validator extends RFC6265Validator {
-    RFC2109Validator() {
+    RFC2109Validator(boolean allowSlash) {
         // special treatment to allow for FWD_SLASH_IS_SEPARATOR property
-        boolean allowSlash;
-        String prop = System.getProperty("org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR");
-        if (prop != null) {
-            allowSlash = !Boolean.parseBoolean(prop);
-        } else {
-            allowSlash = !Boolean.getBoolean("org.apache.catalina.STRICT_SERVLET_COMPLIANCE");
-        }
         if (allowSlash) {
             allowed.set('/');
         }
Modified: tomcat/trunk/test/javax/servlet/http/TestCookieRFC2109Validator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/javax/servlet/http/TestCookieRFC2109Validator.java?rev=1831003&r1=1831002&r2=1831003&view=diff
==============================================================================
--- tomcat/trunk/test/javax/servlet/http/TestCookieRFC2109Validator.java (original)
+++ tomcat/trunk/test/javax/servlet/http/TestCookieRFC2109Validator.java Sat May 5 20:21:21 2018
@@ -22,11 +22,8 @@ import org.junit.Test;
  * Basic tests for Cookie in default configuration.
  */
 public class TestCookieRFC2109Validator {
-    static {
-        System.setProperty("org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "true");
-    }
-    private RFC2109Validator validator = new RFC2109Validator();
+    private RFC2109Validator validator = new RFC2109Validator(false);
     @Test
     public void actualCharactersAllowedInName() {
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org
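Review bot: The comment `// special treatment to allow for FWD_SLASH_IS_SEPARATOR property` kept at the top of the rewritten `RFC2109Validator(boolean allowSlash)` constructor is now stale: after this hunk the constructor no longer reads that property, it only honours the flag that Cookie's static initialiser computed. I would replace it with a constructor Javadoc such as `@param allowSlash whether '/' is accepted in a cookie name; Cookie derives this from FWD_SLASH_IS_SEPARATOR / STRICT_SERVLET_COMPLIANCE`, so the link to the property survives without implying the property is read here. The constructor's closing brace lies outside the hunk.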
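Review bot: The new field initialiser `new RFC2109Validator(false)` loses the intent that the removed `static { System.setProperty(... FWD_SLASH_IS_SEPARATOR ..., "true") }` block expressed, and the class Javadoc still reads "default configuration" although `false` appears to be the slash-disallowed case rather than the default (Cookie's initialiser sets `allowSlash = !Boolean.parseBoolean(propFwdSlashIsSeparator)`, and `!strictServletCompliance` when the property is unset). A one-line comment on the field such as `// allowSlash=false, i.e. FWD_SLASH_IS_SEPARATOR=true: '/' is not a name character` would preserve that mapping for the next reader. Nothing in this test file now exercises the property-parsing path that moved into Cookie's static initialiser; that is probably acceptable given it would need a fresh class load per configuration, but it may be worth stating in the class Javadoc.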