This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit a7b91e1a0f4fa57f50d8103417a6a3f6d5f50ea8 Author: Mark Thomas <ma...@apache.org> AuthorDate: Sat May 5 20:21:21 2018 +0000 Refactor to remove the need for explicit property permissions for Cookie code git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1831003 13f79535-47bb-0310-9956-ffa450edef68 --- conf/catalina.policy | 8 --- java/javax/servlet/http/Cookie.java | 72 +++++++++++++++++----- .../servlet/http/TestCookieRFC2109Validator.java | 5 +- 3 files changed, 58 insertions(+), 27 deletions(-) diff --git a/conf/catalina.policy b/conf/catalina.policy index ffa348d..0567324 100644 --- a/conf/catalina.policy +++ b/conf/catalina.policy @@ -172,14 +172,6 @@ grant { permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*"; - // The cookie code needs these. - permission java.util.PropertyPermission - "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read"; - permission java.util.PropertyPermission - "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read"; - permission java.util.PropertyPermission - "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read"; - // Applications using WebSocket need to be able to access these packages permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server"; diff --git a/java/javax/servlet/http/Cookie.java b/java/javax/servlet/http/Cookie.java index fc2cb89..1ee31d4 100644 --- a/java/javax/servlet/http/Cookie.java +++ b/java/javax/servlet/http/Cookie.java @@ -17,6 +17,8 @@ package javax.servlet.http; import java.io.Serializable; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.text.MessageFormat; import java.util.BitSet; import java.util.Locale; @@ -54,19 +56,66 @@ import java.util.ResourceBundle; public class Cookie implements Cloneable, Serializable { private static final CookieNameValidator validation; + static { + boolean strictServletCompliance; boolean strictNaming; - String prop = System.getProperty("org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING"); - if (prop != null) { - strictNaming = Boolean.parseBoolean(prop); + boolean allowSlash; + String propStrictNaming; + String propFwdSlashIsSeparator; + + if (System.getSecurityManager() == null) { + strictServletCompliance = Boolean.getBoolean( + "org.apache.catalina.STRICT_SERVLET_COMPLIANCE"); + propStrictNaming = System.getProperty( + "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING"); + propFwdSlashIsSeparator = System.getProperty( + "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR"); } else { - strictNaming = Boolean.getBoolean("org.apache.catalina.STRICT_SERVLET_COMPLIANCE"); + strictServletCompliance = AccessController.doPrivileged( + new PrivilegedAction<Boolean>() { + @Override + public Boolean run() { + return Boolean.valueOf(System.getProperty( + "org.apache.catalina.STRICT_SERVLET_COMPLIANCE")); + } + } + ).booleanValue(); + propStrictNaming = AccessController.doPrivileged( + new PrivilegedAction<String>() { + @Override + public String run() { + return System.getProperty( + "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING"); + } + } + ); + propFwdSlashIsSeparator = AccessController.doPrivileged( + new PrivilegedAction<String>() { + @Override + public String run() { + return System.getProperty( + "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR"); + } + } + ); } - if (strictNaming) { - validation = new RFC2109Validator(); + if (propStrictNaming == null) { + strictNaming = strictServletCompliance; + } else { + strictNaming = Boolean.parseBoolean(propStrictNaming); + } + + if (propFwdSlashIsSeparator == null) { + allowSlash = !strictServletCompliance; + } else { + allowSlash = !Boolean.parseBoolean(propFwdSlashIsSeparator); } - else { + + if (strictNaming) { + validation = new RFC2109Validator(allowSlash); + } else { validation = new RFC6265Validator(); } } @@ -428,15 +477,8 @@ class RFC6265Validator extends CookieNameValidator { } class RFC2109Validator extends RFC6265Validator { - RFC2109Validator() { + RFC2109Validator(boolean allowSlash) { // special treatment to allow for FWD_SLASH_IS_SEPARATOR property - boolean allowSlash; - String prop = System.getProperty("org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR"); - if (prop != null) { - allowSlash = !Boolean.parseBoolean(prop); - } else { - allowSlash = !Boolean.getBoolean("org.apache.catalina.STRICT_SERVLET_COMPLIANCE"); - } if (allowSlash) { allowed.set('/'); } diff --git a/test/javax/servlet/http/TestCookieRFC2109Validator.java b/test/javax/servlet/http/TestCookieRFC2109Validator.java index 18bc062..1a2b136 100644 --- a/test/javax/servlet/http/TestCookieRFC2109Validator.java +++ b/test/javax/servlet/http/TestCookieRFC2109Validator.java @@ -22,11 +22,8 @@ import org.junit.Test; * Basic tests for Cookie in default configuration. */ public class TestCookieRFC2109Validator { - static { - System.setProperty("org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "true"); - } - private RFC2109Validator validator = new RFC2109Validator(); + private RFC2109Validator validator = new RFC2109Validator(false); @Test public void actualCharactersAllowedInName() { --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org