From 5a468055ead9b9ca1659df341aef89141999ed13 Mon Sep 17 00:00:00 2001 From: remm Date: Mon, 16 Oct 2006 13:06:09 +0000 Subject: [PATCH] - Add a privileged filter list (I had forgotten about the SSI filter ...). git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk@464474 13f79535-47bb-0310-9956-ffa450edef68 --- .../catalina/core/ApplicationFilterConfig.java | 58 ++++++++++++++++++++++ .../apache/catalina/core/LocalStrings.properties | 4 ++ .../catalina/core/RestrictedFilters.properties | 1 + java/org/apache/catalina/core/StandardWrapper.java | 4 +- 4 files changed, 65 insertions(+), 2 deletions(-) create mode 100644 java/org/apache/catalina/core/RestrictedFilters.properties diff --git a/java/org/apache/catalina/core/ApplicationFilterConfig.java b/java/org/apache/catalina/core/ApplicationFilterConfig.java index c0da41ec3..631190b4c 100644 --- a/java/org/apache/catalina/core/ApplicationFilterConfig.java +++ b/java/org/apache/catalina/core/ApplicationFilterConfig.java @@ -18,11 +18,14 @@ package org.apache.catalina.core; +import java.io.IOException; +import java.io.InputStream; import java.io.Serializable; import java.lang.reflect.InvocationTargetException; import java.util.ArrayList; import java.util.Enumeration; import java.util.Map; +import java.util.Properties; import javax.naming.NamingException; import javax.servlet.Filter; @@ -35,6 +38,7 @@ import org.apache.catalina.Context; import org.apache.catalina.deploy.FilterDef; import org.apache.catalina.security.SecurityUtil; import org.apache.catalina.util.Enumerator; +import org.apache.catalina.util.StringManager; import org.apache.tomcat.util.log.SystemLogHandler; @@ -50,6 +54,9 @@ import org.apache.tomcat.util.log.SystemLogHandler; final class ApplicationFilterConfig implements FilterConfig, Serializable { + protected static StringManager sm = + StringManager.getManager(Constants.Package); + // ----------------------------------------------------------- Constructors @@ -78,6 +85,23 @@ final class ApplicationFilterConfig implements FilterConfig, Serializable { ServletException, InvocationTargetException, NamingException { super(); + + if (restrictedFilters == null) { + restrictedFilters = new Properties(); + try { + InputStream is = + this.getClass().getClassLoader().getResourceAsStream + ("org/apache/catalina/core/RestrictedFilters.properties"); + if (is != null) { + restrictedFilters.load(is); + } else { + context.getLogger().error(sm.getString("applicationFilterConfig.restrictedFiltersResources")); + } + } catch (IOException e) { + context.getLogger().error(sm.getString("applicationFilterConfig.restrictedServletsResources"), e); + } + } + this.context = context; setFilterDef(filterDef); @@ -105,6 +129,12 @@ final class ApplicationFilterConfig implements FilterConfig, Serializable { private FilterDef filterDef = null; + /** + * Restricted filters (which can only be loaded by a privileged webapp). + */ + protected static Properties restrictedFilters = null; + + // --------------------------------------------------- FilterConfig Methods @@ -215,6 +245,11 @@ final class ApplicationFilterConfig implements FilterConfig, Serializable { // Instantiate a new instance of this filter and return it Class clazz = classLoader.loadClass(filterClass); + if (!isFilterAllowed(clazz)) { + throw new SecurityException + (sm.getString("applicationFilterConfig.privilegedFilter", + filterClass)); + } this.filter = (Filter) clazz.newInstance(); if (!context.getIgnoreAnnotations()) { if (context instanceof StandardContext) { @@ -254,6 +289,29 @@ final class ApplicationFilterConfig implements FilterConfig, Serializable { /** + * Return true if loading this filter is allowed. + */ + protected boolean isFilterAllowed(Class filterClass) { + + // Privileged webapps may load all servlets without restriction + if (context.getPrivileged()) { + return true; + } + + Class clazz = filterClass; + while (clazz != null && !clazz.getName().equals("javax.servlet.Filter")) { + if ("restricted".equals(restrictedFilters.getProperty(clazz.getName()))) { + return (false); + } + clazz = clazz.getSuperclass(); + } + + return (true); + + } + + + /** * Release the Filter instance associated with this FilterConfig, * if there is one. */ diff --git a/java/org/apache/catalina/core/LocalStrings.properties b/java/org/apache/catalina/core/LocalStrings.properties index 74e62dbc0..d57878e6d 100644 --- a/java/org/apache/catalina/core/LocalStrings.properties +++ b/java/org/apache/catalina/core/LocalStrings.properties @@ -188,3 +188,7 @@ standardWrapper.unavailable=Marking servlet {0} as unavailable standardWrapper.unloadException=Servlet {0} threw unload() exception standardWrapper.unloading=Cannot allocate servlet {0} because it is being unloaded standardWrapper.waiting=Waiting for {0} instance(s) to be deallocated +standardWrapper.restrictedServletsResource=Restricted servlets property file not found + +applicationFilterConfig.restrictedFiltersResource=Restricted filters property file not found +applicationFilterConfig.privilegedFilter=Filter of class {0} is privileged and cannot be loaded by this web application diff --git a/java/org/apache/catalina/core/RestrictedFilters.properties b/java/org/apache/catalina/core/RestrictedFilters.properties new file mode 100644 index 000000000..ff0f28f81 --- /dev/null +++ b/java/org/apache/catalina/core/RestrictedFilters.properties @@ -0,0 +1 @@ +org.apache.catalina.ssi.SSIFilter=restricted diff --git a/java/org/apache/catalina/core/StandardWrapper.java b/java/org/apache/catalina/core/StandardWrapper.java index ad68a131a..12c0c258e 100644 --- a/java/org/apache/catalina/core/StandardWrapper.java +++ b/java/org/apache/catalina/core/StandardWrapper.java @@ -104,10 +104,10 @@ public class StandardWrapper if (is != null) { restrictedServlets.load(is); } else { - log.error(sm.getString("standardWrapper.restrictedServletsResources")); + log.error(sm.getString("standardWrapper.restrictedServletsResource")); } } catch (IOException e) { - log.error(sm.getString("standardWrapper.restrictedServletsResources"), e); + log.error(sm.getString("standardWrapper.restrictedServletsResource"), e); } } -- 2.11.0