tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kkoli...@apache.org
Subject svn commit: r1820550 - in /tomcat/tc8.0.x/trunk: java/org/apache/catalina/security/SecurityClassLoad.java java/org/apache/jasper/security/SecurityClassLoad.java webapps/docs/changelog.xml
Date Mon, 08 Jan 2018 11:00:18 GMT
Author: kkolinko
Date: Mon Jan  8 11:00:17 2018
New Revision: 1820550

URL: http://svn.apache.org/viewvc?rev=1820550&view=rev
Log:
Use a loop to preload anonymous inner classes, to be safe for future changes in the code or
using a different compiler..
https://bz.apache.org/bugzilla/show_bug.cgi?id=47214

Modified:
    tomcat/tc8.0.x/trunk/java/org/apache/catalina/security/SecurityClassLoad.java
    tomcat/tc8.0.x/trunk/java/org/apache/jasper/security/SecurityClassLoad.java
    tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc8.0.x/trunk/java/org/apache/catalina/security/SecurityClassLoad.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/catalina/security/SecurityClassLoad.java?rev=1820550&r1=1820549&r2=1820550&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/catalina/security/SecurityClassLoad.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/catalina/security/SecurityClassLoad.java Mon Jan
 8 11:00:17 2018
@@ -53,17 +53,15 @@ public final class SecurityClassLoad {
     private static final void loadCorePackage(ClassLoader loader) throws Exception {
         final String basePackage = "org.apache.catalina.core.";
         loader.loadClass(basePackage + "AccessLogAdapter");
-        loader.loadClass(basePackage + "ApplicationContextFacade$1");
+        loadAnonymousInnerClasses(loader, basePackage + "ApplicationContextFacade");
         loader.loadClass(basePackage + "ApplicationDispatcher$PrivilegedForward");
         loader.loadClass(basePackage + "ApplicationDispatcher$PrivilegedInclude");
         loader.loadClass(basePackage + "AsyncContextImpl");
         loader.loadClass(basePackage + "AsyncContextImpl$DebugException");
-        loader.loadClass(basePackage + "AsyncContextImpl$1");
+        loadAnonymousInnerClasses(loader, basePackage + "AsyncContextImpl");
         loader.loadClass(basePackage + "AsyncListenerWrapper");
         loader.loadClass(basePackage + "ContainerBase$PrivilegedAddChild");
-        loader.loadClass(basePackage + "DefaultInstanceManager$1");
-        loader.loadClass(basePackage + "DefaultInstanceManager$2");
-        loader.loadClass(basePackage + "DefaultInstanceManager$3");
+        loadAnonymousInnerClasses(loader, basePackage + "DefaultInstanceManager");
         loader.loadClass(basePackage + "DefaultInstanceManager$AnnotationCacheEntry");
         loader.loadClass(basePackage + "DefaultInstanceManager$AnnotationCacheEntryType");
         loader.loadClass(basePackage + "ApplicationHttpRequest$AttributeNamesEnumerator");
@@ -94,7 +92,7 @@ public final class SecurityClassLoad {
     private static final void loadSessionPackage(ClassLoader loader) throws Exception {
         final String basePackage = "org.apache.catalina.session.";
         loader.loadClass(basePackage + "StandardSession");
-        loader.loadClass(basePackage + "StandardSession$1");
+        loadAnonymousInnerClasses(loader, basePackage + "StandardSession");
         loader.loadClass(basePackage + "StandardManager$PrivilegedDoUnload");
     }
 
@@ -106,7 +104,7 @@ public final class SecurityClassLoad {
 
     private static final void loadValvesPackage(ClassLoader loader) throws Exception {
         final String basePackage = "org.apache.catalina.valves.";
-        loader.loadClass(basePackage + "AbstractAccessLogValve$3");
+        loadAnonymousInnerClasses(loader, basePackage + "AbstractAccessLogValve");
     }
 
     private static final void loadWebResourcesPackage(ClassLoader loader) throws Exception
{
@@ -116,7 +114,7 @@ public final class SecurityClassLoad {
 
     private static final void loadCoyotePackage(ClassLoader loader) throws Exception {
         final String basePackage = "org.apache.coyote.";
-        loader.loadClass(basePackage + "http11.AbstractOutputBuffer$1");
+        loadAnonymousInnerClasses(loader, basePackage + "http11.AbstractOutputBuffer");
         loader.loadClass(basePackage + "http11.Constants");
         // Make sure system property is read at this point
         Class<?> clazz = loader.loadClass(basePackage + "Constants");
@@ -144,17 +142,11 @@ public final class SecurityClassLoad {
         loader.loadClass(basePackage + "ResponseFacade$SetContentTypePrivilegedAction");
         loader.loadClass(basePackage + "ResponseFacade$DateHeaderPrivilegedAction");
         loader.loadClass(basePackage + "RequestFacade$GetSessionPrivilegedAction");
-        loader.loadClass(basePackage + "ResponseFacade$1");
-        loader.loadClass(basePackage + "OutputBuffer$1");
-        loader.loadClass(basePackage + "CoyoteInputStream$1");
-        loader.loadClass(basePackage + "CoyoteInputStream$2");
-        loader.loadClass(basePackage + "CoyoteInputStream$3");
-        loader.loadClass(basePackage + "CoyoteInputStream$4");
-        loader.loadClass(basePackage + "CoyoteInputStream$5");
-        loader.loadClass(basePackage + "InputBuffer$1");
-        loader.loadClass(basePackage + "Response$1");
-        loader.loadClass(basePackage + "Response$2");
-        loader.loadClass(basePackage + "Response$3");
+        loadAnonymousInnerClasses(loader, basePackage + "ResponseFacade");
+        loadAnonymousInnerClasses(loader, basePackage + "OutputBuffer");
+        loadAnonymousInnerClasses(loader, basePackage + "CoyoteInputStream");
+        loadAnonymousInnerClasses(loader, basePackage + "InputBuffer");
+        loadAnonymousInnerClasses(loader, basePackage + "Response");
     }
 
     private static final void loadTomcatPackage(ClassLoader loader) throws Exception {
@@ -187,4 +179,14 @@ public final class SecurityClassLoad {
         loader.loadClass(basePackage + "util.security.PrivilegedGetTccl");
         loader.loadClass(basePackage + "util.security.PrivilegedSetTccl");
     }
+
+    private static final void loadAnonymousInnerClasses(ClassLoader loader, String enclosingClass)
{
+        try {
+            for (int i = 1;; i++) {
+                loader.loadClass(enclosingClass + '$' + i);
+            }
+        } catch (ClassNotFoundException ignored) {
+            //
+        }
+    }
 }

Modified: tomcat/tc8.0.x/trunk/java/org/apache/jasper/security/SecurityClassLoad.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/jasper/security/SecurityClassLoad.java?rev=1820550&r1=1820549&r2=1820550&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/jasper/security/SecurityClassLoad.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/jasper/security/SecurityClassLoad.java Mon Jan  8
11:00:17 2018
@@ -48,18 +48,7 @@ public final class SecurityClassLoad {
             loader.loadClass(basePackage + "runtime.ProtectedFunctionMapper");
 
             loader.loadClass(basePackage + "runtime.PageContextImpl");
-            loader.loadClass(basePackage + "runtime.PageContextImpl$1");
-            loader.loadClass(basePackage + "runtime.PageContextImpl$2");
-            loader.loadClass(basePackage + "runtime.PageContextImpl$3");
-            loader.loadClass(basePackage + "runtime.PageContextImpl$4");
-            loader.loadClass(basePackage + "runtime.PageContextImpl$5");
-            loader.loadClass(basePackage + "runtime.PageContextImpl$6");
-            loader.loadClass(basePackage + "runtime.PageContextImpl$7");
-            loader.loadClass(basePackage + "runtime.PageContextImpl$8");
-            loader.loadClass(basePackage + "runtime.PageContextImpl$9");
-            loader.loadClass(basePackage + "runtime.PageContextImpl$10");
-            loader.loadClass(basePackage + "runtime.PageContextImpl$11");
-            loader.loadClass(basePackage + "runtime.PageContextImpl$12");
+            loadAnonymousInnerClasses(loader, basePackage + "runtime.PageContextImpl");
 
             loader.loadClass(basePackage + "runtime.JspContextWrapper");
 
@@ -68,9 +57,19 @@ public final class SecurityClassLoad {
 
             loader.loadClass(basePackage + "servlet.JspServletWrapper");
 
-            loader.loadClass(basePackage + "runtime.JspWriterImpl$1");
+            loadAnonymousInnerClasses(loader, basePackage + "runtime.JspWriterImpl");
         } catch (ClassNotFoundException ex) {
             log.error("SecurityClassLoad", ex);
         }
     }
+
+    private static final void loadAnonymousInnerClasses(ClassLoader loader, String enclosingClass)
{
+        try {
+            for (int i = 1;; i++) {
+                loader.loadClass(enclosingClass + '$' + i);
+            }
+        } catch (ClassNotFoundException ignored) {
+            //
+        }
+    }
 }

Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1820550&r1=1820549&r2=1820550&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Mon Jan  8 11:00:17 2018
@@ -47,6 +47,11 @@
 <section name="Tomcat 8.0.49 (violetagg)" rtext="In development">
   <subsection name="Catalina">
     <changelog>
+      <fix>
+        <bug>47214</bug>: Use a loop to preload anonymous inner classes
+        when running under a <code>SecurityManager</code>, to be safe for
+        future changes in the code or using a different compiler. (kkolinko)
+      </fix>
       <add>
         <bug>57619</bug>: Implement a small optimisation to how JAR URLs are
         processed to reduce the storage of duplicate String objects in memory.



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message