
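--- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
@@ -2763,12 +2763,12 @@
             return false;
 
         char ch;
-        if (name.startsWith("javax")) {
+        if (name.startsWith("javax") && name.length() > 5) {
             /* 5 == length("javax") */
             ch = name.charAt(5);
             if (isClassName && ch == '.') {
                 /* 6 == length("javax.") */
-                if (name.startsWith("servlet.jsp.jstl.", 6)) {
+                if (name.startsWith("servlet.jsp.jstl", 6)) {
                     return false;
                 }
                 if (name.startsWith("el.", 6) ||
@@ -2779,7 +2779,7 @@
                 }
             } else if (!isClassName && ch == '/') {
                 /* 6 == length("javax/") */
-                if (name.startsWith("servlet/jsp/jstl/", 6)) {
+                if (name.startsWith("servlet/jsp/jstl", 6)) {
                     return false;
                 }
                 if (name.startsWith("el/", 6) ||
@@ -2789,7 +2789,7 @@
                     return true;
                 }
             }
-        } else if (name.startsWith("org")) {
+        } else if (name.startsWith("org") && name.length() > 3) {
             /* 3 == length("org") */
             ch = name.charAt(3);
             if (isClassName && ch == '.') {
@@ -2796,7 +2796,7 @@
                 /* 4 == length("org.") */
                 if (name.startsWith("apache.", 4)) {
                     /* 11 == length("org.apache.") */
-                    if (name.startsWith("tomcat.jdbc.", 11)) {
+                    if (name.startsWith("tomcat.jdbc", 11)) {
                         return false;
                     }
                     if (name.startsWith("el.", 11) ||
@@ -2813,7 +2813,7 @@
                 /* 4 == length("org/") */
                 if (name.startsWith("apache/", 4)) {
                     /* 11 == length("org/apache/") */
-                    if (name.startsWith("tomcat/jdbc/", 11)) {
+                    if (name.startsWith("tomcat/jdbc", 11)) {
                         return false;
                     }
                     if (name.startsWith("el/", 11) ||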
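Review bot: The four relaxed exemption checks (`"servlet.jsp.jstl"`, `"servlet/jsp/jstl"`, `"tomcat.jdbc"`, `"tomcat/jdbc"`) no longer end at a package separator, so they now return false for any name that merely begins with those characters, for example a sibling package `javax.servlet.jsp.jstlx`. Since returning false exempts a name from the filter, the exemption becomes wider than the two packages it names; whether such names were caught before depends on the `el.`/`el/` conditions, which continue outside these hunks. Accepting the bare package name while still requiring a boundary keeps the intent: `if (name.startsWith("servlet.jsp.jstl", 6) && (name.length() == 22 || name.charAt(22) == '.')) {`, with `'/'` in the resource branches and the same bound of 22 for `tomcat.jdbc` at offset 11. The new `name.length() > 5` and `name.length() > 3` guards do close the out-of-range `charAt` for the bare names `javax` and `org`. The enclosing method (presumably `filter`, going by the test) starts and ends outside these hunks.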
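--- a/test/org/apache/catalina/loader/TestWebappClassLoader.java
+++ b/test/org/apache/catalina/loader/TestWebappClassLoader.java
@@ -65,10 +65,11 @@
     public void testFilter() throws IOException {
 
         String[] classSuffixes = new String[]{
-            "some.package.Example"
+            "","some.package.Example"
         };
 
         String[] resourceSuffixes = new String[]{
+            "",
             "some/path/test.properties",
             "some/path/test"
         };
@@ -83,7 +84,7 @@
             "org.apache",
             "org.apache.tomcat.jdbc",
             "javax",
-            "javax.jsp.jstl",
+            "javax.servlet.jsp.jstl",
             "com.mycorp"
         };
 
@@ -106,30 +107,38 @@
 
             for (String prefix : prefixesPermit) {
                 for (String suffix : classSuffixes) {
-                    name = prefix + "." + suffix;
-                    Assert.assertTrue("Class '" + name + "' failed permit filter",
-                               !loader.filter(name, true));
                     if (prefix.equals("")) {
                         name = suffix;
-                        Assert.assertTrue("Class '" + name + "' failed permit filter",
-                                   !loader.filter(name, true));
+                    } else if (suffix.equals("")) {
+                        name = prefix;
+                    } else {
+                        name = prefix + "." + suffix;
                     }
+                    Assert.assertTrue("Class '" + name + "' failed permit filter",
+                               !loader.filter(name, true));
                 }
                 prefix = prefix.replace('.', '/');
                 for (String suffix : resourceSuffixes) {
-                    name = prefix + "/" + suffix;
-                    Assert.assertTrue("Resource '" + name + "' failed permit filter",
-                               !loader.filter(name, false));
                     if (prefix.equals("")) {
                         name = suffix;
-                        Assert.assertTrue("Resource '" + name + "' failed permit filter",
-                                   !loader.filter(name, false));
+                    } else if (suffix.equals("")) {
+                        name = prefix;
+                    } else {
+                        name = prefix + "/" + suffix;
                     }
+                    Assert.assertTrue("Resource '" + name + "' failed permit filter",
+                               !loader.filter(name, false));
                 }
             }
 
             for (String prefix : prefixesDeny) {
                 for (String suffix : classSuffixes) {
+                    if (suffix.equals("")) {
+                        name = prefix;
+                        Assert.assertTrue("Class '" + name + "' failed permit filter",
+                                !loader.filter(name, true));
+                        continue;
+                    }
                     if (prefix.equals("")) {
                         name = suffix;
                     } else {
@@ -140,6 +149,12 @@
                 }
                 prefix = prefix.replace('.', '/');
                 for (String suffix : resourceSuffixes) {
+                    if (suffix.equals("")) {
+                        name = prefix;
+                        Assert.assertTrue("Resource '" + name + "' failed permit filter",
+                                !loader.filter(name, false));
+                        continue;
+                    }
                     if (prefix.equals("")) {
                         name = suffix;
                     } else {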
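Review bot: The test has no near-miss case for the prefixes whose trailing separator was dropped, so nothing pins where the exemption ends; if names such as `javax.servlet.jsp.jstlx.Example` or `org/apache/tomcat/jdbcx/test` are meant to stay filtered, an assertion for each would catch an over-broad match. In the two `prefixesDeny` loops the new `suffix.equals("")` branches assert `!loader.filter(name, ...)`, that is, that a bare deny prefix is permitted, yet sit in the deny section without explanation; a one-line comment stating why a bare package name is expected to pass would help the next reader. `"","some.package.Example"` would read better as two entries on separate lines, as `resourceSuffixes` does. testFilter's body continues past these hunks, so the deny-side assertions for non-empty suffixes are not visible here.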

Return to bug 58999