--- java/javax/el/BeanELResolver.java.orig	2016-06-02 09:46:15.019196027 -0400
+++ java/javax/el/BeanELResolver.java	2016-06-02 09:46:15.025196055 -0400
@@ -251,15 +251,39 @@
             try {
                 BeanInfo info = Introspector.getBeanInfo(this.type);
                 PropertyDescriptor[] pds = info.getPropertyDescriptors();
-                for (int i = 0; i < pds.length; i++) {
-                    this.properties.put(pds[i].getName(), new BeanProperty(
-                            type, pds[i]));
+                for (PropertyDescriptor pd: pds) {
+                    this.properties.put(pd.getName(), new BeanProperty(type, pd));
+                }
+                if (System.getSecurityManager() != null) {
+                    // When running with SecurityManager, some classes may be
+                    // not accessible, but have accessible interfaces.
+                    populateFromInterfaces(type);
                 }
             } catch (IntrospectionException ie) {
                 throw new ELException(ie);
             }
         }
 
+        private void populateFromInterfaces(Class<?> aClass) throws IntrospectionException {
+            Class<?> interfaces[] = aClass.getInterfaces();
+            if (interfaces.length > 0) {
+                for (Class<?> ifs : interfaces) {
+                    BeanInfo info = Introspector.getBeanInfo(ifs);
+                    PropertyDescriptor[] pds = info.getPropertyDescriptors();
+                    for (PropertyDescriptor pd : pds) {
+                        if (!this.properties.containsKey(pd.getName())) {
+                            this.properties.put(pd.getName(), new BeanProperty(
+                                    this.type, pd));
+                        }
+                    }
+                }
+            }
+            Class<?> superclass = aClass.getSuperclass();
+            if (superclass != null) {
+                populateFromInterfaces(superclass);
+            }
+        }
+
         private BeanProperty get(ELContext ctx, String name) {
             BeanProperty property = this.properties.get(name);
             if (property == null) {
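Review bot: `populateFromInterfaces` only visits the interfaces that each class in the superclass chain implements directly, so a property declared on a super-interface of one of those interfaces can still be missed. As far as I know, `Introspector.getBeanInfo` on an interface reports only the methods that interface itself declares, which should be confirmed on the target JDK. If so, adding `populateFromInterfaces(ifs);` after the inner `for` loop covers it, and the recursion terminates because `getSuperclass()` returns null for an interface. The `if (interfaces.length > 0)` guard around the for-each is redundant, and a short Javadoc should state that descriptors already found on the class take precedence (the `containsKey` check) and that the method only runs when a SecurityManager is installed. The enclosing constructor starts above the hunk and `get` continues below it.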
--- java/org/apache/jasper/runtime/PageContextImpl.java.orig	2016-06-02 09:46:15.020196032 -0400
+++ java/org/apache/jasper/runtime/PageContextImpl.java	2016-06-02 09:46:15.026196060 -0400
@@ -937,37 +937,11 @@
             final Class<?> expectedType, final PageContext pageContext,
             final ProtectedFunctionMapper functionMap, final boolean escape)
             throws ELException {
-        Object retValue;
         final ExpressionFactory exprFactory = jspf.getJspApplicationContext(pageContext.getServletContext()).getExpressionFactory();
-        if (SecurityUtil.isPackageProtectionEnabled()) {
-            try {
-                retValue = AccessController
-                        .doPrivileged(new PrivilegedExceptionAction<Object>() {
-
-                            @Override
-                            public Object run() throws Exception {
-                                ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
-                                ctx.setFunctionMapper(new FunctionMapperImpl(functionMap));
-                                ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
-                                return ve.getValue(ctx);
-                            }
-                        });
-            } catch (PrivilegedActionException ex) {
-                Exception realEx = ex.getException();
-                if (realEx instanceof ELException) {
-                    throw (ELException) realEx;
-                } else {
-                    throw new ELException(realEx);
-                }
-            }
-        } else {
-            ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
-            ctx.setFunctionMapper(new FunctionMapperImpl(functionMap));
-            ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
-            retValue = ve.getValue(ctx);
-        }
-
-        return retValue;
+        ELContextImpl ctx = (ELContextImpl) pageContext.getELContext();
+        ctx.setFunctionMapper(new FunctionMapperImpl(functionMap));
+        ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType);
+        return ve.getValue(ctx);
     }
 
     @Override
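Review bot: The new straight-line body starting at `ELContextImpl ctx = ...` has no comment recording that the `AccessController.doPrivileged` wrapper was removed on purpose, so a later cleanup could put it back. With the wrapper, permission checks during expression evaluation stopped at Jasper's frame and ignored the calling page's restrictions, which appears to be what this change is meant to end. I would add above the evaluation: `// Evaluate with the caller's permissions; do not wrap in doPrivileged.` If `AccessController`, `PrivilegedExceptionAction`, `PrivilegedActionException` and `SecurityUtil` are no longer referenced elsewhere in the file, their imports should be dropped as well. The import block and the start of the method signature are outside the hunk.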
--- java/org/apache/jasper/security/SecurityClassLoad.java.orig	2016-06-02 09:46:15.020196032 -0400
+++ java/org/apache/jasper/security/SecurityClassLoad.java	2016-06-02 09:46:15.027196065 -0400
@@ -93,8 +93,6 @@
                 "runtime.PageContextImpl$11");      
             loader.loadClass( basePackage +
                 "runtime.PageContextImpl$12");      
-            loader.loadClass( basePackage +
-                "runtime.PageContextImpl$13");      
 
             loader.loadClass( basePackage +
                 "runtime.JspContextWrapper");   
--- webapps/docs/changelog.xml.orig	2016-06-02 09:46:15.022196041 -0400
+++ webapps/docs/changelog.xml	2016-06-02 09:48:48.443915711 -0400
@@ -55,6 +55,17 @@
   They eventually become mixed with the numbered issues. (I.e., numbered
   issues to not "pop up" wrt. others).
 -->
+<section name="Tomcat 7.0.54-3 (csutherl)">
+  <subsection name="Jasper">
+    <changelog>
+      <fix>
+        Fix potential issue with BeanELresolver when running under a security
+        manager. Some classes may not be accessible but may have accessible
+        interfaces. (markt)
+      </fix>
+    </changelog>
+  </subsection>
+</section>
 <section name="Tomcat 7.0.54 (violetagg)">
   <subsection name="Catalina">
     <changelog>