rpms / velocity

Clone
Source Code
GIT

Blame SOURCES/0003-CVE-2020-13936.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8-beta-stream-10.6 c8-beta-stream-201801 c8-stream-10.6 c8-stream-201801 c8-stream-201902 c8s-stream-10.6 c8s-stream-201801 c8s-stream-201902 c9 c9-beta
  1.   051f731aa825f95eefcb76f46484b12b6a49147b
  2.   SOURCES
  3.   0003-CVE-2020-13936.patch
Blob History Raw
051f73 
From 3be84770e7fbe6f000f0c002905e86fe1412d551 Mon Sep 17 00:00:00 2001
051f73 
From: Marian Koncek <mkoncek@redhat.com>
051f73 
Date: Thu, 11 Mar 2021 16:22:50 +0100
051f73 
Subject: [PATCH] CVE-2020-13936
051f73
051f73 
From upstream patches:
051f73 
https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485
051f73 
https://github.com/apache/velocity-engine/commit/15909056fe51f5d39d49e101d706d3075876dde4
051f73 
https://github.com/apache/velocity-engine/commit/3f5d477bb4f4397bed2d2926c35dcef7de3aae3e
051f73
051f73 
---
051f73 
 .../velocity/runtime/defaults/velocity.properties | 15 ++++++++++-----
051f73 
 .../introspection/SecureIntrospectorImpl.java     |  9 +++++++++
051f73 
 2 files changed, 19 insertions(+), 5 deletions(-)
051f73
051f73 
diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
051f73 
index 855118b..a8a9231 100644
051f73 
--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
051f73 
+++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
051f73 
@@ -245,15 +245,16 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec
051f73 
 # accessed.
051f73 
 # ----------------------------------------------------------------------------
051f73
051f73 
+# Prohibit reflection
051f73 
 introspector.restrict.packages = java.lang.reflect
051f73
051f73 
 # The two most dangerous classes
051f73 
+# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
051f73
051f73 
-introspector.restrict.classes = java.lang.Class
051f73 
-introspector.restrict.classes = java.lang.ClassLoader
051f73 
-
051f73 
-# Restrict these for extra safety
051f73 
+# Restrict these system classes.  Note that anything in this list is matched exactly.
051f73 
+# (Subclasses must be explicitly named to be included).
051f73
051f73 
+introspector.restrict.classes = java.lang.Class
051f73 
 introspector.restrict.classes = java.lang.Compiler
051f73 
 introspector.restrict.classes = java.lang.InheritableThreadLocal
051f73 
 introspector.restrict.classes = java.lang.Package
051f73 
@@ -262,8 +263,12 @@ introspector.restrict.classes = java.lang.Runtime
051f73 
 introspector.restrict.classes = java.lang.RuntimePermission
051f73 
 introspector.restrict.classes = java.lang.SecurityManager
051f73 
 introspector.restrict.classes = java.lang.System
051f73 
-introspector.restrict.classes = java.lang.Thread
051f73 
 introspector.restrict.classes = java.lang.ThreadGroup
051f73 
 introspector.restrict.classes = java.lang.ThreadLocal
051f73
051f73 
+# Restrict instance managers for common servlet containers  (Tomcat, JBoss, Jetty)
051f73
051f73 
+introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
051f73 
+introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
051f73 
+introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
051f73 
+introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
051f73 
diff --git a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
051f73 
index f317b1c..25fc84d 100644
051f73 
--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
051f73 
+++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
051f73 
@@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros
051f73 
             return true;
051f73 
         }
051f73
051f73 
+       /**
051f73 
+       * Always disallow ClassLoader, Thread and subclasses
051f73 
+       */
051f73 
+        if (ClassLoader.class.isAssignableFrom(clazz) ||
051f73 
+                Thread.class.isAssignableFrom(clazz))
051f73 
+        {
051f73 
+            return false;
051f73 
+        }
051f73 
+
051f73 
         /**
051f73 
          * check the classname (minus any array info)
051f73 
          * whether it matches disallowed classes or packages
051f73 
--
051f73 
2.29.2
051f73

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation