open-source/apache-tomcat-8.5.51
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
xieyinlu
2024-11-30 19:03:49 +08:00
commit 1e6763c160
3806 changed files with 737676 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
java/org/apache/jasper/security/SecurityClassLoad.java Normal file
View File

@@ -0,0 +1,79 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.jasper.security;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
/**
* Static class used to preload java classes when using the Java SecurityManager
* so that the defineClassInPackage RuntimePermission does not trigger an
* AccessControlException.
*/
public final class SecurityClassLoad {
public static void securityClassLoad(ClassLoader loader) {
if (System.getSecurityManager() == null) {
return;
}
final String basePackage = "org.apache.jasper.";
try {
// Ensure XMLInputFactory is loaded with Tomcat's class loader
loader.loadClass(basePackage + "compiler.EncodingDetector");
loader.loadClass(basePackage + "runtime.JspFactoryImpl$PrivilegedGetPageContext");
loader.loadClass(basePackage + "runtime.JspFactoryImpl$PrivilegedReleasePageContext");
loader.loadClass(basePackage + "runtime.JspRuntimeLibrary");
loader.loadClass(basePackage + "runtime.ServletResponseWrapperInclude");
loader.loadClass(basePackage + "runtime.TagHandlerPool");
loader.loadClass(basePackage + "runtime.JspFragmentHelper");
loader.loadClass(basePackage + "runtime.ProtectedFunctionMapper");
loader.loadClass(basePackage + "runtime.PageContextImpl");
loadAnonymousInnerClasses(loader, basePackage + "runtime.PageContextImpl");
loader.loadClass(basePackage + "runtime.JspContextWrapper");
// Trigger loading of class and reading of property
SecurityUtil.isPackageProtectionEnabled();
loader.loadClass(basePackage + "servlet.JspServletWrapper");
loadAnonymousInnerClasses(loader, "runtime.JspWriterImpl");
} catch (ClassNotFoundException ex) {
Log log = LogFactory.getLog(SecurityClassLoad.class);
log.error("SecurityClassLoad", ex);
}
}
private static final void loadAnonymousInnerClasses(ClassLoader loader, String enclosingClass) {
try {
for (int i = 1;; i++) {
loader.loadClass(enclosingClass + '$' + i);
}
} catch (ClassNotFoundException ignored) {
//
}
}
}

83
java/org/apache/jasper/security/SecurityUtil.java Normal file
View File

@@ -0,0 +1,83 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.jasper.security;
import org.apache.jasper.Constants;
/**
* Util class for Security related operations.
*/
public final class SecurityUtil{
private static final boolean packageDefinitionEnabled =
System.getProperty("package.definition") == null ? false : true;
/**
* Return the <code>SecurityManager</code> only if Security is enabled AND
* package protection mechanism is enabled.
* @return <code>true</code> if package protection is enabled
*/
public static boolean isPackageProtectionEnabled(){
if (packageDefinitionEnabled && Constants.IS_SECURITY_ENABLED){
return true;
}
return false;
}
/**
* Filter the specified message string for characters that are sensitive
* in HTML. This avoids potential attacks caused by including JavaScript
* codes in the request URL that is often reported in error messages.
*
* @param message The message string to be filtered
* @return the HTML filtered message
*
* @deprecated This method will be removed in Tomcat 9
*/
@Deprecated
public static String filter(String message) {
if (message == null)
return null;
char content[] = new char[message.length()];
message.getChars(0, message.length(), content, 0);
StringBuilder result = new StringBuilder(content.length + 50);
for (int i = 0; i < content.length; i++) {
switch (content[i]) {
case '<':
result.append("&lt;");
break;
case '>':
result.append("&gt;");
break;
case '&':
result.append("&amp;");
break;
case '"':
result.append("&quot;");
break;
default:
result.append(content[i]);
}
}
return result.toString();
}
}