~ubuntu-branches/ubuntu/maverick/tomcat6/maverick

Viewing changes to .pc/webapp-classloader-deadlock-fix.patch/java/org/apache/jasper/servlet/JasperLoader.java

Committer: Bazaar Package Importer
Author(s): Torsten Werner
Date: 2010-06-28 21:41:31 UTC
mfrom: (2.2.15 sid)
Revision ID: james.westby@ubuntu.com-20100628214131-3wktukpb3lgdf83h

Tags: 6.0.26-5

http://bugs.debian.org/587447

* Convert patches to dep3 format.
* Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447)
* Set urgency to medium due to the security fix.

files added:
.pc/0001-set-UTF-8-as-default-character-encoding.patch

.pc/0001-set-UTF-8-as-default-character-encoding.patch/conf

.pc/0001-set-UTF-8-as-default-character-encoding.patch/conf/server.xml

.pc/0002-do-not-load-AJP13-connector-by-default.patch

.pc/0002-do-not-load-AJP13-connector-by-default.patch/conf

.pc/0002-do-not-load-AJP13-connector-by-default.patch/conf/server.xml

.pc/0003-disable-APR-library-loading.patch

.pc/0003-disable-APR-library-loading.patch/conf

.pc/0003-disable-APR-library-loading.patch/conf/server.xml

.pc/0004-split-deploy-webapps-target-from-deploy-target.patch

.pc/0004-split-deploy-webapps-target-from-deploy-target.patch/build.xml

.pc/0005-change-default-DBCP-factory-class.patch

.pc/0005-change-default-DBCP-factory-class.patch/java

.pc/0005-change-default-DBCP-factory-class.patch/java/org

.pc/0005-change-default-DBCP-factory-class.patch/java/org/apache

.pc/0005-change-default-DBCP-factory-class.patch/java/org/apache/naming

.pc/0005-change-default-DBCP-factory-class.patch/java/org/apache/naming/factory

.pc/0005-change-default-DBCP-factory-class.patch/java/org/apache/naming/factory/Constants.java

.pc/0005-change-default-DBCP-factory-class.patch/webapps

.pc/0005-change-default-DBCP-factory-class.patch/webapps/docs

.pc/0005-change-default-DBCP-factory-class.patch/webapps/docs/jndi-resources-howto.xml

.pc/0006-add-JARs-below-var-to-class-loader.patch

.pc/0006-add-JARs-below-var-to-class-loader.patch/conf

.pc/0006-add-JARs-below-var-to-class-loader.patch/conf/catalina.properties

.pc/0007-add-OSGi-headers-to-servlet-api.patch

.pc/0007-add-OSGi-headers-to-servlet-api.patch/res

.pc/0007-add-OSGi-headers-to-servlet-api.patch/res/META-INF

.pc/0007-add-OSGi-headers-to-servlet-api.patch/res/META-INF/servlet-api.jar.manifest

.pc/0008-add-OSGI-headers-to-jsp-api.patch

.pc/0008-add-OSGI-headers-to-jsp-api.patch/res

.pc/0008-add-OSGI-headers-to-jsp-api.patch/res/META-INF

.pc/0008-add-OSGI-headers-to-jsp-api.patch/res/META-INF/jsp-api.jar.manifest

.pc/0009-allow-empty-PID-file.patch

.pc/0009-allow-empty-PID-file.patch/bin

.pc/0009-allow-empty-PID-file.patch/bin/catalina.sh

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/catalina

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/catalina/loader

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/catalina/loader/ResourceEntry.java

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/catalina/loader/WebappClassLoader.java

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/jasper

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/jasper/servlet

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/jasper/servlet/JasperLoader.java

.pc/0011-Use-java.security.policy-file-in-catalina.sh.patch

.pc/0011-Use-java.security.policy-file-in-catalina.sh.patch/bin

.pc/0011-Use-java.security.policy-file-in-catalina.sh.patch/bin/catalina.sh

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator/AuthenticatorBase.java

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator/BasicAuthenticator.java

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator/DigestAuthenticator.java

debian/patches/0001-set-UTF-8-as-default-character-encoding.patch

debian/patches/0002-do-not-load-AJP13-connector-by-default.patch

debian/patches/0003-disable-APR-library-loading.patch

debian/patches/0004-split-deploy-webapps-target-from-deploy-target.patch

debian/patches/0005-change-default-DBCP-factory-class.patch

debian/patches/0006-add-JARs-below-var-to-class-loader.patch

debian/patches/0007-add-OSGi-headers-to-servlet-api.patch

debian/patches/0008-add-OSGI-headers-to-jsp-api.patch

debian/patches/0009-allow-empty-PID-file.patch

debian/patches/0010-avoid-deadlock-in-WebappClassLoader.patch

debian/patches/0011-Use-java.security.policy-file-in-catalina.sh.patch

debian/patches/0012-Prevent-disclosure-of-host-name-or-IP-address.patch

files removed:
.pc/allow-empty-pid-file.patch

.pc/allow-empty-pid-file.patch/bin

.pc/allow-empty-pid-file.patch/bin/catalina.sh

.pc/default-encoding-utf8.patch

.pc/default-encoding-utf8.patch/conf

.pc/default-encoding-utf8.patch/conf/server.xml

.pc/deploy-webapps-build-xml.patch

.pc/deploy-webapps-build-xml.patch/build.xml

.pc/disable-ajp-connector.patch

.pc/disable-ajp-connector.patch/conf

.pc/disable-ajp-connector.patch/conf/server.xml

.pc/disable-apr-loading.patch

.pc/disable-apr-loading.patch/conf

.pc/disable-apr-loading.patch/conf/server.xml

.pc/jsp-api-OSGi.patch

.pc/jsp-api-OSGi.patch/res

.pc/jsp-api-OSGi.patch/res/META-INF

.pc/jsp-api-OSGi.patch/res/META-INF/jsp-api.jar.manifest

.pc/servlet-api-OSGi.patch

.pc/servlet-api-OSGi.patch/res

.pc/servlet-api-OSGi.patch/res/META-INF

.pc/servlet-api-OSGi.patch/res/META-INF/servlet-api.jar.manifest

.pc/use-commons-dbcp.patch

.pc/use-commons-dbcp.patch/java

.pc/use-commons-dbcp.patch/java/org

.pc/use-commons-dbcp.patch/java/org/apache

.pc/use-commons-dbcp.patch/java/org/apache/naming

.pc/use-commons-dbcp.patch/java/org/apache/naming/factory

.pc/use-commons-dbcp.patch/java/org/apache/naming/factory/Constants.java

.pc/use-commons-dbcp.patch/webapps

.pc/use-commons-dbcp.patch/webapps/docs

.pc/use-commons-dbcp.patch/webapps/docs/jndi-resources-howto.xml

.pc/var_loaders.patch

.pc/var_loaders.patch/conf

.pc/var_loaders.patch/conf/catalina.properties

.pc/webapp-classloader-deadlock-fix.patch

.pc/webapp-classloader-deadlock-fix.patch/java

.pc/webapp-classloader-deadlock-fix.patch/java/org

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/catalina

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/catalina/loader

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/catalina/loader/ResourceEntry.java

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/catalina/loader/WebappClassLoader.java

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/jasper

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/jasper/servlet

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/jasper/servlet/JasperLoader.java

debian/patches/allow-empty-pid-file.patch

debian/patches/default-encoding-utf8.patch

debian/patches/deploy-webapps-build-xml.patch

debian/patches/disable-ajp-connector.patch

debian/patches/disable-apr-loading.patch

debian/patches/jsp-api-OSGi.patch

debian/patches/servlet-api-OSGi.patch

debian/patches/use-commons-dbcp.patch

debian/patches/var_loaders.patch

debian/patches/webapp-classloader-deadlock-fix.patch

files modified:
.pc/applied-patches

bin/catalina.sh

debian/changelog

debian/control

debian/patches/series

debian/tomcat6.init

debian/tomcat6.postinst

java/org/apache/catalina/authenticator/AuthenticatorBase.java

java/org/apache/catalina/authenticator/BasicAuthenticator.java

java/org/apache/catalina/authenticator/DigestAuthenticator.java

Show diffs side-by-side

added added

removed removed

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/jasper/servlet/JasperLoader.java

* Licensed to the Apache Software Foundation (ASF) under one or more

* contributor license agreements. See the NOTICE file distributed with

* this work for additional information regarding copyright ownership.

* The ASF licenses this file to You under the Apache License, Version 2.0

* (the "License"); you may not use this file except in compliance with

* the License. You may obtain a copy of the License at

* http://www.apache.org/licenses/LICENSE-2.0

* Unless required by applicable law or agreed to in writing, software

* distributed under the License is distributed on an "AS IS" BASIS,

* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

* See the License for the specific language governing permissions and

* limitations under the License.

package org.apache.jasper.servlet;

import java.io.IOException;

import java.io.InputStream;

import java.net.URL;

import java.net.URLClassLoader;

import java.security.CodeSource;

import java.security.PermissionCollection;

import org.apache.jasper.Constants;

/**

* Class loader for loading servlet class files (corresponding to JSP files)

* and tag handler class files (corresponding to tag files).

* @author Anil K. Vijendran

* @author Harish Prabandham

* @author Jean-Francois Arcand

public class JasperLoader extends URLClassLoader {

private PermissionCollection permissionCollection;

private CodeSource codeSource;

private String className;

private ClassLoader parent;

private SecurityManager securityManager;

public JasperLoader(URL[] urls, ClassLoader parent,

PermissionCollection permissionCollection,

CodeSource codeSource) {

super(urls, parent);

this.permissionCollection = permissionCollection;

this.codeSource = codeSource;

this.parent = parent;

this.securityManager = System.getSecurityManager();

}

/**

* Load the class with the specified name. This method searches for

* classes in the same manner as <code>loadClass(String, boolean)</code>

* with <code>false</code> as the second argument.

* @param name Name of the class to be loaded

* @exception ClassNotFoundException if the class was not found

public Class loadClass(String name) throws ClassNotFoundException {

return (loadClass(name, false));

}

/**

* Load the class with the specified name, searching using the following

* algorithm until it finds and returns the class. If the class cannot

* be found, returns <code>ClassNotFoundException</code>.

* <ul>

* <li>Call <code>findLoadedClass(String)</code> to check if the

* class has already been loaded. If it has, the same

* <code>Class</code> object is returned.</li>

* <li>If the <code>delegate</code> property is set to <code>true</code>,

* call the <code>loadClass()</code> method of the parent class

* loader, if any.</li>

* <li>Call <code>findClass()</code> to find this class in our locally

* defined repositories.</li>

* <li>Call the <code>loadClass()</code> method of our parent

* class loader, if any.</li>

* </ul>

* If the class was found using the above steps, and the

* <code>resolve</code> flag is <code>true</code>, this method will then

* call <code>resolveClass(Class)</code> on the resulting Class object.

* @param name Name of the class to be loaded

* @param resolve If <code>true</code> then resolve the class

* @exception ClassNotFoundException if the class was not found

public Class loadClass(final String name, boolean resolve)

throws ClassNotFoundException {

Class clazz = null;

// (0) Check our previously loaded class cache

100

clazz = findLoadedClass(name);

101

if (clazz != null) {

102

if (resolve)

103

resolveClass(clazz);

104

return (clazz);

105

}

106

107

// (.5) Permission to access this class when using a SecurityManager

108

if (securityManager != null) {

109

int dot = name.lastIndexOf('.');

110

if (dot >= 0) {

111

try {

112

// Do not call the security manager since by default, we grant that package.

113

if (!"org.apache.jasper.runtime".equalsIgnoreCase(name.substring(0,dot))){

114

securityManager.checkPackageAccess(name.substring(0,dot));

115

}

116

} catch (SecurityException se) {

117

String error = "Security Violation, attempt to use " +

118

"Restricted Class: " + name;

119

se.printStackTrace();

120

throw new ClassNotFoundException(error);

121

}

122

}

123

}

124

125

if( !name.startsWith(Constants.JSP_PACKAGE_NAME + '.') ) {

126

// Class is not in org.apache.jsp, therefore, have our

127

// parent load it

128

clazz = parent.loadClass(name);

129

if( resolve )

130

resolveClass(clazz);

131

return clazz;

132

}

133

134

return findClass(name);

135

}

136

137

138

/**

139

* Delegate to parent

140

141

* @see java.lang.ClassLoader#getResourceAsStream(java.lang.String)

142

143

public InputStream getResourceAsStream(String name) {

144

InputStream is = parent.getResourceAsStream(name);

145

if (is == null) {

146

URL url = findResource(name);

147

if (url != null) {

148

try {

149

is = url.openStream();

150

} catch (IOException e) {

151

is = null;

152

}

153

}

154

}

155

return is;

156

}

157

158

159

/**

160

* Get the Permissions for a CodeSource.

161

162

* Since this ClassLoader is only used for a JSP page in

163

* a web application context, we just return our preset

164

* PermissionCollection for the web app context.

165

166

* @param codeSource Code source where the code was loaded from

167

* @return PermissionCollection for CodeSource

168

169

public final PermissionCollection getPermissions(CodeSource codeSource) {

170

return permissionCollection;

171

}

172

}

b'\\ No newline at end of file'

Older »