~ubuntu-branches/ubuntu/maverick/tomcat6/maverick

Viewing changes to debian/patches/webapp-classloader-deadlock-fix.patch

Committer: Bazaar Package Importer
Author(s): Torsten Werner
Date: 2010-06-28 21:41:31 UTC
mfrom: (2.2.15 sid)
Revision ID: james.westby@ubuntu.com-20100628214131-3wktukpb3lgdf83h

Tags: 6.0.26-5

http://bugs.debian.org/587447

* Convert patches to dep3 format.
* Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447)
* Set urgency to medium due to the security fix.

files added:
.pc/0001-set-UTF-8-as-default-character-encoding.patch

.pc/0001-set-UTF-8-as-default-character-encoding.patch/conf

.pc/0001-set-UTF-8-as-default-character-encoding.patch/conf/server.xml

.pc/0002-do-not-load-AJP13-connector-by-default.patch

.pc/0002-do-not-load-AJP13-connector-by-default.patch/conf

.pc/0002-do-not-load-AJP13-connector-by-default.patch/conf/server.xml

.pc/0003-disable-APR-library-loading.patch

.pc/0003-disable-APR-library-loading.patch/conf

.pc/0003-disable-APR-library-loading.patch/conf/server.xml

.pc/0004-split-deploy-webapps-target-from-deploy-target.patch

.pc/0004-split-deploy-webapps-target-from-deploy-target.patch/build.xml

.pc/0005-change-default-DBCP-factory-class.patch

.pc/0005-change-default-DBCP-factory-class.patch/java

.pc/0005-change-default-DBCP-factory-class.patch/java/org

.pc/0005-change-default-DBCP-factory-class.patch/java/org/apache

.pc/0005-change-default-DBCP-factory-class.patch/java/org/apache/naming

.pc/0005-change-default-DBCP-factory-class.patch/java/org/apache/naming/factory

.pc/0005-change-default-DBCP-factory-class.patch/java/org/apache/naming/factory/Constants.java

.pc/0005-change-default-DBCP-factory-class.patch/webapps

.pc/0005-change-default-DBCP-factory-class.patch/webapps/docs

.pc/0005-change-default-DBCP-factory-class.patch/webapps/docs/jndi-resources-howto.xml

.pc/0006-add-JARs-below-var-to-class-loader.patch

.pc/0006-add-JARs-below-var-to-class-loader.patch/conf

.pc/0006-add-JARs-below-var-to-class-loader.patch/conf/catalina.properties

.pc/0007-add-OSGi-headers-to-servlet-api.patch

.pc/0007-add-OSGi-headers-to-servlet-api.patch/res

.pc/0007-add-OSGi-headers-to-servlet-api.patch/res/META-INF

.pc/0007-add-OSGi-headers-to-servlet-api.patch/res/META-INF/servlet-api.jar.manifest

.pc/0008-add-OSGI-headers-to-jsp-api.patch

.pc/0008-add-OSGI-headers-to-jsp-api.patch/res

.pc/0008-add-OSGI-headers-to-jsp-api.patch/res/META-INF

.pc/0008-add-OSGI-headers-to-jsp-api.patch/res/META-INF/jsp-api.jar.manifest

.pc/0009-allow-empty-PID-file.patch

.pc/0009-allow-empty-PID-file.patch/bin

.pc/0009-allow-empty-PID-file.patch/bin/catalina.sh

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/catalina

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/catalina/loader

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/catalina/loader/ResourceEntry.java

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/catalina/loader/WebappClassLoader.java

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/jasper

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/jasper/servlet

.pc/0010-avoid-deadlock-in-WebappClassLoader.patch/java/org/apache/jasper/servlet/JasperLoader.java

.pc/0011-Use-java.security.policy-file-in-catalina.sh.patch

.pc/0011-Use-java.security.policy-file-in-catalina.sh.patch/bin

.pc/0011-Use-java.security.policy-file-in-catalina.sh.patch/bin/catalina.sh

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator/AuthenticatorBase.java

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator/BasicAuthenticator.java

.pc/0012-Prevent-disclosure-of-host-name-or-IP-address.patch/java/org/apache/catalina/authenticator/DigestAuthenticator.java

debian/patches/0001-set-UTF-8-as-default-character-encoding.patch

debian/patches/0002-do-not-load-AJP13-connector-by-default.patch

debian/patches/0003-disable-APR-library-loading.patch

debian/patches/0004-split-deploy-webapps-target-from-deploy-target.patch

debian/patches/0005-change-default-DBCP-factory-class.patch

debian/patches/0006-add-JARs-below-var-to-class-loader.patch

debian/patches/0007-add-OSGi-headers-to-servlet-api.patch

debian/patches/0008-add-OSGI-headers-to-jsp-api.patch

debian/patches/0009-allow-empty-PID-file.patch

debian/patches/0010-avoid-deadlock-in-WebappClassLoader.patch

debian/patches/0011-Use-java.security.policy-file-in-catalina.sh.patch

debian/patches/0012-Prevent-disclosure-of-host-name-or-IP-address.patch

files removed:
.pc/allow-empty-pid-file.patch

.pc/allow-empty-pid-file.patch/bin

.pc/allow-empty-pid-file.patch/bin/catalina.sh

.pc/default-encoding-utf8.patch

.pc/default-encoding-utf8.patch/conf

.pc/default-encoding-utf8.patch/conf/server.xml

.pc/deploy-webapps-build-xml.patch

.pc/deploy-webapps-build-xml.patch/build.xml

.pc/disable-ajp-connector.patch

.pc/disable-ajp-connector.patch/conf

.pc/disable-ajp-connector.patch/conf/server.xml

.pc/disable-apr-loading.patch

.pc/disable-apr-loading.patch/conf

.pc/disable-apr-loading.patch/conf/server.xml

.pc/jsp-api-OSGi.patch

.pc/jsp-api-OSGi.patch/res

.pc/jsp-api-OSGi.patch/res/META-INF

.pc/jsp-api-OSGi.patch/res/META-INF/jsp-api.jar.manifest

.pc/servlet-api-OSGi.patch

.pc/servlet-api-OSGi.patch/res

.pc/servlet-api-OSGi.patch/res/META-INF

.pc/servlet-api-OSGi.patch/res/META-INF/servlet-api.jar.manifest

.pc/use-commons-dbcp.patch

.pc/use-commons-dbcp.patch/java

.pc/use-commons-dbcp.patch/java/org

.pc/use-commons-dbcp.patch/java/org/apache

.pc/use-commons-dbcp.patch/java/org/apache/naming

.pc/use-commons-dbcp.patch/java/org/apache/naming/factory

.pc/use-commons-dbcp.patch/java/org/apache/naming/factory/Constants.java

.pc/use-commons-dbcp.patch/webapps

.pc/use-commons-dbcp.patch/webapps/docs

.pc/use-commons-dbcp.patch/webapps/docs/jndi-resources-howto.xml

.pc/var_loaders.patch

.pc/var_loaders.patch/conf

.pc/var_loaders.patch/conf/catalina.properties

.pc/webapp-classloader-deadlock-fix.patch

.pc/webapp-classloader-deadlock-fix.patch/java

.pc/webapp-classloader-deadlock-fix.patch/java/org

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/catalina

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/catalina/loader

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/catalina/loader/ResourceEntry.java

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/catalina/loader/WebappClassLoader.java

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/jasper

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/jasper/servlet

.pc/webapp-classloader-deadlock-fix.patch/java/org/apache/jasper/servlet/JasperLoader.java

debian/patches/allow-empty-pid-file.patch

debian/patches/default-encoding-utf8.patch

debian/patches/deploy-webapps-build-xml.patch

debian/patches/disable-ajp-connector.patch

debian/patches/disable-apr-loading.patch

debian/patches/jsp-api-OSGi.patch

debian/patches/servlet-api-OSGi.patch

debian/patches/use-commons-dbcp.patch

debian/patches/var_loaders.patch

debian/patches/webapp-classloader-deadlock-fix.patch

files modified:
.pc/applied-patches

bin/catalina.sh

debian/changelog

debian/control

debian/patches/series

debian/tomcat6.init

debian/tomcat6.postinst

java/org/apache/catalina/authenticator/AuthenticatorBase.java

java/org/apache/catalina/authenticator/BasicAuthenticator.java

java/org/apache/catalina/authenticator/DigestAuthenticator.java

Show diffs side-by-side

added added

removed removed

debian/patches/webapp-classloader-deadlock-fix.patch

Index: trunk/java/org/apache/jasper/servlet/JasperLoader.java

===================================================================

--- trunk/java/org/apache/jasper/servlet/JasperLoader.java (revision 941867)

+++ trunk/java/org/apache/jasper/servlet/JasperLoader.java (revision 941868)

@@ -91,7 +91,7 @@

* @exception ClassNotFoundException if the class was not found

- public Class loadClass(final String name, boolean resolve)

+ public synchronized Class loadClass(final String name, boolean resolve)

throws ClassNotFoundException {

Class clazz = null;

@@ -169,4 +169,4 @@

public final PermissionCollection getPermissions(CodeSource codeSource) {

return permissionCollection;

}

\ No newline at end of file

Index: trunk/java/org/apache/catalina/loader/ResourceEntry.java

===================================================================

--- trunk/java/org/apache/catalina/loader/ResourceEntry.java (revision 941867)

+++ trunk/java/org/apache/catalina/loader/ResourceEntry.java (revision 941868)

@@ -47,7 +47,7 @@

/**

* Loaded class.

- public Class loadedClass = null;

+ public volatile Class loadedClass = null;

/**

Index: trunk/java/org/apache/catalina/loader/WebappClassLoader.java

===================================================================

--- trunk/java/org/apache/catalina/loader/WebappClassLoader.java (revision 941867)

+++ trunk/java/org/apache/catalina/loader/WebappClassLoader.java (revision 941868)

@@ -1432,102 +1432,121 @@

* @exception ClassNotFoundException if the class was not found

- public Class loadClass(String name, boolean resolve)

+ public synchronized Class loadClass(String name, boolean resolve)

throws ClassNotFoundException {

- synchronized (name.intern()) {

- if (log.isDebugEnabled())

- log.debug("loadClass(" + name + ", " + resolve + ")");

- Class clazz = null;

- // Log access to stopped classloader

- if (!started) {

- try {

- throw new IllegalStateException();

- } catch (IllegalStateException e) {

- log.info(sm.getString("webappClassLoader.stopped", name), e);

- }

+ if (log.isDebugEnabled())

+ log.debug("loadClass(" + name + ", " + resolve + ")");

+ Class clazz = null;

+ // Log access to stopped classloader

+ if (!started) {

+ try {

+ throw new IllegalStateException();

+ } catch (IllegalStateException e) {

+ log.info(sm.getString("webappClassLoader.stopped", name), e);

}

- // (0) Check our previously loaded local class cache

- clazz = findLoadedClass0(name);

+ }

+ // (0) Check our previously loaded local class cache

+ clazz = findLoadedClass0(name);

+ if (clazz != null) {

+ if (log.isDebugEnabled())

+ log.debug(" Returning class from cache");

+ if (resolve)

+ resolveClass(clazz);

+ return (clazz);

+ }

+ // (0.1) Check our previously loaded class cache

+ clazz = findLoadedClass(name);

+ if (clazz != null) {

+ if (log.isDebugEnabled())

+ log.debug(" Returning class from cache");

+ if (resolve)

+ resolveClass(clazz);

+ return (clazz);

+ }

+ // (0.2) Try loading the class with the system class loader, to prevent

+ // the webapp from overriding J2SE classes

+ try {

+ clazz = system.loadClass(name);

if (clazz != null) {

- if (log.isDebugEnabled())

100

- log.debug(" Returning class from cache");

101

if (resolve)

102

resolveClass(clazz);

103

return (clazz);

104

}

105

106

- // (0.1) Check our previously loaded class cache

107

- clazz = findLoadedClass(name);

108

- if (clazz != null) {

109

- if (log.isDebugEnabled())

110

- log.debug(" Returning class from cache");

111

- if (resolve)

112

- resolveClass(clazz);

113

- return (clazz);

114

+ } catch (ClassNotFoundException e) {

115

+ // Ignore

116

+ }

117

118

+ // (0.5) Permission to access this class when using a SecurityManager

119

+ if (securityManager != null) {

120

+ int i = name.lastIndexOf('.');

121

+ if (i >= 0) {

122

+ try {

123

+ securityManager.checkPackageAccess(name.substring(0,i));

124

+ } catch (SecurityException se) {

125

+ String error = "Security Violation, attempt to use " +

126

+ "Restricted Class: " + name;

127

+ log.info(error, se);

128

+ throw new ClassNotFoundException(error, se);

129

+ }

130

}

131

132

- // (0.2) Try loading the class with the system class loader, to prevent

133

- // the webapp from overriding J2SE classes

134

+ }

135

136

+ boolean delegateLoad = delegate || filter(name);

137

138

+ // (1) Delegate to our parent if requested

139

+ if (delegateLoad) {

140

+ if (log.isDebugEnabled())

141

+ log.debug(" Delegating to parent classloader1 " + parent);

142

+ ClassLoader loader = parent;

143

+ if (loader == null)

144

+ loader = system;

145

try {

146

- clazz = system.loadClass(name);

147

+ clazz = loader.loadClass(name);

148

if (clazz != null) {

149

+ if (log.isDebugEnabled())

150

+ log.debug(" Loading class from parent");

151

if (resolve)

152

resolveClass(clazz);

153

return (clazz);

154

}

155

} catch (ClassNotFoundException e) {

156

- // Ignore

157

+ ;

158

}

159

160

- // (0.5) Permission to access this class when using a SecurityManager

161

- if (securityManager != null) {

162

- int i = name.lastIndexOf('.');

163

- if (i >= 0) {

164

- try {

165

- securityManager.checkPackageAccess(name.substring(0,i));

166

- } catch (SecurityException se) {

167

- String error = "Security Violation, attempt to use " +

168

- "Restricted Class: " + name;

169

- log.info(error, se);

170

- throw new ClassNotFoundException(error, se);

171

- }

172

- }

173

- }

174

175

- boolean delegateLoad = delegate || filter(name);

176

177

- // (1) Delegate to our parent if requested

178

- if (delegateLoad) {

179

+ }

180

181

+ // (2) Search local repositories

182

+ if (log.isDebugEnabled())

183

+ log.debug(" Searching local repositories");

184

+ try {

185

+ clazz = findClass(name);

186

+ if (clazz != null) {

187

if (log.isDebugEnabled())

188

- log.debug(" Delegating to parent classloader1 " + parent);

189

- ClassLoader loader = parent;

190

- if (loader == null)

191

- loader = system;

192

- try {

193

- clazz = loader.loadClass(name);

194

- if (clazz != null) {

195

- if (log.isDebugEnabled())

196

- log.debug(" Loading class from parent");

197

- if (resolve)

198

- resolveClass(clazz);

199

- return (clazz);

200

- }

201

- } catch (ClassNotFoundException e) {

202

- ;

203

- }

204

+ log.debug(" Loading class from local repository");

205

+ if (resolve)

206

+ resolveClass(clazz);

207

+ return (clazz);

208

}

209

210

- // (2) Search local repositories

211

+ } catch (ClassNotFoundException e) {

212

+ ;

213

+ }

214

215

+ // (3) Delegate to parent unconditionally

216

+ if (!delegateLoad) {

217

if (log.isDebugEnabled())

218

- log.debug(" Searching local repositories");

219

+ log.debug(" Delegating to parent classloader at end: " + parent);

220

+ ClassLoader loader = parent;

221

+ if (loader == null)

222

+ loader = system;

223

try {

224

- clazz = findClass(name);

225

+ clazz = loader.loadClass(name);

226

if (clazz != null) {

227

if (log.isDebugEnabled())

228

- log.debug(" Loading class from local repository");

229

+ log.debug(" Loading class from parent");

230

if (resolve)

231

resolveClass(clazz);

232

return (clazz);

233

@@ -1535,30 +1554,10 @@

234

} catch (ClassNotFoundException e) {

235

;

236

}

237

238

- // (3) Delegate to parent unconditionally

239

- if (!delegateLoad) {

240

- if (log.isDebugEnabled())

241

- log.debug(" Delegating to parent classloader at end: " + parent);

242

- ClassLoader loader = parent;

243

- if (loader == null)

244

- loader = system;

245

- try {

246

- clazz = loader.loadClass(name);

247

- if (clazz != null) {

248

- if (log.isDebugEnabled())

249

- log.debug(" Loading class from parent");

250

- if (resolve)

251

- resolveClass(clazz);

252

- return (clazz);

253

- }

254

- } catch (ClassNotFoundException e) {

255

- ;

256

- }

257

- }

258

259

- throw new ClassNotFoundException(name);

260

}

261

262

+ throw new ClassNotFoundException(name);

263

264

}

265

266

267

@@ -2544,7 +2543,7 @@

268

if (clazz != null)

269

return clazz;

270

271

- synchronized (name.intern()) {

272

+ synchronized (this) {

273

clazz = entry.loadedClass;

274

if (clazz != null)

275

return clazz;

Older »