This is an automated email from the ASF dual-hosted git repository. lihan pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 220c2af01e Fix for Lambda coercion security manager missing privileges.
220c2af01e is described below
commit 220c2af01e2b05964750e5024a7b61d5c74b5e54
Author: lihan <li...@apache.org>
AuthorDate: Thu Oct 20 21:48:23 2022 +0800
Fix for Lambda coercion security manager missing privileges. Based on pull request #557 by Isaac Rivera Rivas
---
 java/org/apache/el/lang/ELSupport.java | 28 ++++++++++++++++++----------
 webapps/docs/changelog.xml | 8 ++++++++
 2 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/java/org/apache/el/lang/ELSupport.java b/java/org/apache/el/lang/ELSupport.java
index bc1b67a648..d07c9d6959 100644
--- a/java/org/apache/el/lang/ELSupport.java
+++ b/java/org/apache/el/lang/ELSupport.java
@@ -29,6 +29,7 @@ import java.security.PrivilegedAction;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Supplier;
 import jakarta.el.ELContext;
 import jakarta.el.ELException;
@@ -625,17 +626,24 @@ public class ELSupport {
 private static <T> T coerceToFunctionalInterface(final ELContext ctx, final LambdaExpression lambdaExpression,
 final Class<T> type) {
- // Create a dynamic proxy for the functional interface
- @SuppressWarnings("unchecked")
- T result = (T) Proxy.newProxyInstance(type.getClassLoader(), new Class[] { type },
+ Supplier<T> proxy = () -> {
+ // Create a dynamic proxy for the functional interface
+ @SuppressWarnings("unchecked")
+ T result = (T) Proxy.newProxyInstance(type.getClassLoader(), new Class[]{type},
 (Object obj, Method method, Object[] args) -> {
- // Functional interfaces have a single, abstract method
- if (!Modifier.isAbstract(method.getModifiers())) {
- throw new ELException(MessageFactory.get("elSupport.coerce.nonAbstract", type, method));
- }
- return lambdaExpression.invoke(ctx, args);
- });
- return result;
+ // Functional interfaces have a single, abstract method
+ if (!Modifier.isAbstract(method.getModifiers())) {
+ throw new ELException(MessageFactory.get("elSupport.coerce.nonAbstract", type, method));
+ }
+ return lambdaExpression.invoke(ctx, args);
+ });
+ return result;
+ };
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged((PrivilegedAction<T>) proxy::get);
+ } else {
+ return proxy.get();
+ }
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c42a13b3f7..7ab72a5200 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
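Review bot: The new privileged block in coerceToFunctionalInterface has no comment saying what it elevates or why that is safe, although under a SecurityManager it now runs `type.getClassLoader()` and `Proxy.newProxyInstance` inside `AccessController.doPrivileged` for whatever `type` reaches this method. Only proxy creation is inside the privileged action; the handler's `lambdaExpression.invoke(ctx, args)` runs later, when the proxy is called, under the caller's access control context. That boundary deserves a line above the `Supplier`, e.g. `// Privileged: proxy creation only; the handler invokes the lambda at call time with the caller's permissions`. Whether `type` is limited to interfaces the web application could already load is decided by callers outside this hunk and should be confirmed, since the class-loader and package-access checks are now evaluated against the EL implementation rather than the application. Separately, declaring the lambda as `PrivilegedAction<T> proxy = () -> { ... };` and calling `proxy.run()` in the else branch would remove the `(PrivilegedAction<T>) proxy::get` cast and the new `java.util.function.Supplier` import.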
@@ -114,6 +114,14 @@
 </fix>
 </changelog>
 </subsection>
+ <subsection name="Jasper">
+ <changelog>
+ <fix>
+ <bug>66317</bug>: Fix for Lambda coercion security manager missing
+ privileges. Based on pull request #557 by Isaac Rivera Rivas (lihan)
+ </fix>
+ </changelog>
+ </subsection>
 <subsection name="Other">
 <changelog>
 <update>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org