
Example 1 with PrivilegedSetTccl

use of org.apache.tomcat.util.security.PrivilegedSetTccl in project tomcat by apache.

the class TagPluginManager method init.

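/**
 * Reads the tag plugin descriptors once and instantiates the plugins they name.
 *
 * <p>Descriptors are collected from every {@code META_INF_JASPER_TAG_PLUGINS_XML}
 * resource visible to {@code ctxt.getClassLoader()} and from the single
 * {@code TAG_PLUGINS_XML} resource of the context. Each descriptor entry maps a
 * tag class name to a plugin class name; the plugin class is loaded through
 * {@code ctxt.getClassLoader()}.
 *
 * @param err receives any exception raised while loading or instantiating a
 *            plugin class
 * @throws JasperException if reading or parsing a descriptor fails with an
 *                         {@link IOException} or {@link SAXException}
 */
private void init(ErrorDispatcher err) throws JasperException {
    if (initialized) {
        return;
    }

    // A missing init parameter keeps external-entity blocking switched on.
    // Boolean.parseBoolean only yields true for "true" (case-insensitive), so
    // any other configured value, including a typo, switches blocking off.
    String blockExternalString = ctxt.getInitParameter(Constants.XML_BLOCK_EXTERNAL_INIT_PARAM);
    boolean blockExternal = blockExternalString == null || Boolean.parseBoolean(blockExternalString);

    TagPluginParser parser;
    ClassLoader original;
    if (Constants.IS_SECURITY_ENABLED) {
        PrivilegedGetTccl pa = new PrivilegedGetTccl();
        original = AccessController.doPrivileged(pa);
    } else {
        original = Thread.currentThread().getContextClassLoader();
    }
    try {
        // The parser is created and run with TagPluginManager's own class loader
        // as the thread context class loader; the previous one is put back in
        // the finally block.
        // NOTE(review): presumably this keeps the XML parser implementation from
        // being resolved through the web application's loader - confirm.
        if (Constants.IS_SECURITY_ENABLED) {
            PrivilegedSetTccl pa = new PrivilegedSetTccl(TagPluginManager.class.getClassLoader());
            AccessController.doPrivileged(pa);
        } else {
            Thread.currentThread().setContextClassLoader(TagPluginManager.class.getClassLoader());
        }
        parser = new TagPluginParser(ctxt, blockExternal);
        Enumeration<URL> urls = ctxt.getClassLoader().getResources(META_INF_JASPER_TAG_PLUGINS_XML);
        while (urls.hasMoreElements()) {
            URL url = urls.nextElement();
            parser.parse(url);
        }
        URL url = ctxt.getResource(TAG_PLUGINS_XML);
        if (url != null) {
            parser.parse(url);
        }
    } catch (IOException | SAXException e) {
        throw new JasperException(e);
    } finally {
        // Always restore the caller's context class loader, also on failure.
        if (Constants.IS_SECURITY_ENABLED) {
            PrivilegedSetTccl pa = new PrivilegedSetTccl(original);
            AccessController.doPrivileged(pa);
        } else {
            Thread.currentThread().setContextClassLoader(original);
        }
    }

    Map<String, String> plugins = parser.getPlugins();
    tagPlugins = new HashMap<>(plugins.size());
    for (Map.Entry<String, String> entry : plugins.entrySet()) {
        try {
            String tagClass = entry.getKey();
            String pluginName = entry.getValue();
            // The class name comes from a descriptor file, so verify that it
            // really is a TagPlugin before its constructor is run. asSubclass
            // raises ClassCastException for anything else, which is reported
            // through err like every other failure in this loop.
            Class<? extends TagPlugin> pluginClass =
                    ctxt.getClassLoader().loadClass(pluginName).asSubclass(TagPlugin.class);
            TagPlugin plugin = pluginClass.newInstance();
            tagPlugins.put(tagClass, plugin);
        } catch (Exception e) {
            err.jspError(e);
        }
    }
    initialized = true;
}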
Also used : IOException(java.io.IOException) URL(java.net.URL) IOException(java.io.IOException) SAXException(org.xml.sax.SAXException) JasperException(org.apache.jasper.JasperException) SAXException(org.xml.sax.SAXException) JasperException(org.apache.jasper.JasperException) PrivilegedGetTccl(org.apache.tomcat.util.security.PrivilegedGetTccl) TagPlugin(org.apache.jasper.compiler.tagplugin.TagPlugin) TagPluginParser(org.apache.tomcat.util.descriptor.tagplugin.TagPluginParser) HashMap(java.util.HashMap) Map(java.util.Map) PrivilegedSetTccl(org.apache.tomcat.util.security.PrivilegedSetTccl)

Example 2 with PrivilegedSetTccl

use of org.apache.tomcat.util.security.PrivilegedSetTccl in project tomcat by apache.

the class TldParser method parse.

/**
 * Parses the tag library descriptor found at {@code path}.
 *
 * <p>While the digester runs, the thread context class loader is replaced by
 * the class loader of {@code TldParser}; the previous loader is restored and
 * the digester reset in the {@code finally} block, whether or not parsing
 * succeeded.
 *
 * @param path location of the descriptor; its stream is opened and closed here
 * @return the populated {@code TaglibXml}
 * @throws IOException  if the stream cannot be opened or read
 * @throws SAXException the first error collected by the error handler, or any
 *                      exception raised by the digester itself
 */
public TaglibXml parse(TldResourcePath path) throws IOException, SAXException {
    // Remember the loader that is current on entry so it can be put back.
    ClassLoader previousTccl;
    if (!Constants.IS_SECURITY_ENABLED) {
        previousTccl = Thread.currentThread().getContextClassLoader();
    } else {
        PrivilegedGetTccl readTccl = new PrivilegedGetTccl();
        previousTccl = AccessController.doPrivileged(readTccl);
    }

    try (InputStream is = path.openStream()) {
        if (!Constants.IS_SECURITY_ENABLED) {
            Thread.currentThread().setContextClassLoader(TldParser.class.getClassLoader());
        } else {
            PrivilegedSetTccl switchTccl = new PrivilegedSetTccl(TldParser.class.getClassLoader());
            AccessController.doPrivileged(switchTccl);
        }

        XmlErrorHandler handler = new XmlErrorHandler();
        digester.setErrorHandler(handler);

        TaglibXml taglibXml = new TaglibXml();
        digester.push(taglibXml);

        // NOTE(review): how the digester treats DTDs and external entities is
        // configured outside this method - confirm where it is constructed.
        InputSource source = new InputSource(path.toExternalForm());
        source.setByteStream(is);
        digester.parse(source);

        if (handler.getWarnings().isEmpty() && handler.getErrors().isEmpty()) {
            return taglibXml;
        }
        handler.logFindings(log, source.getSystemId());
        if (handler.getErrors().isEmpty()) {
            return taglibXml;
        }
        // Surface the first collected error so the caller sees that processing failed.
        throw handler.getErrors().iterator().next();
    } finally {
        digester.reset();
        if (!Constants.IS_SECURITY_ENABLED) {
            Thread.currentThread().setContextClassLoader(previousTccl);
        } else {
            PrivilegedSetTccl restoreTccl = new PrivilegedSetTccl(previousTccl);
            AccessController.doPrivileged(restoreTccl);
        }
    }
}
Also used : InputSource(org.xml.sax.InputSource) PrivilegedGetTccl(org.apache.tomcat.util.security.PrivilegedGetTccl) InputStream(java.io.InputStream) XmlErrorHandler(org.apache.tomcat.util.descriptor.XmlErrorHandler) PrivilegedSetTccl(org.apache.tomcat.util.security.PrivilegedSetTccl)

Example 3 with PrivilegedSetTccl

use of org.apache.tomcat.util.security.PrivilegedSetTccl in project tomcat by apache.

the class DefaultServlet method renderXml.

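/**
 * Return an InputStream to an XML representation of the contents of this
 * directory, after it has been run through the supplied stylesheet.
 *
 * <p>The listing document is assembled as text. The context path, the
 * directory name and the readme text are escaped before they are inserted,
 * so that a name containing a quote, {@code &} or {@code <}, or a readme
 * containing {@code ]]>}, cannot change the structure of the document.
 *
 * @param contextPath Context path to which our internal paths are relative
 * @param resource    The associated resource
 * @param xsltSource  The XSL stylesheet
 * @param encoding    The encoding to use to process the readme (if any)
 *
 * @return the XML data
 *
 * @throws IOException an IO error occurred
 * @throws ServletException rendering error
 */
protected InputStream renderXml(String contextPath, WebResource resource, Source xsltSource, String encoding) throws IOException, ServletException {
    StringBuilder sb = new StringBuilder();
    sb.append("<?xml version=\"1.0\"?>");
    sb.append("<listing ");
    sb.append(" contextPath='");
    sb.append(escapeListingAttribute(contextPath));
    sb.append("'");
    sb.append(" directory='");
    sb.append(escapeListingAttribute(resource.getName()));
    sb.append("' ");
    sb.append(" hasParent='").append(!resource.getName().equals("/"));
    sb.append("'>");
    sb.append("<entries>");
    String[] entries = resources.list(resource.getWebappPath());
    // rewriteUrl(contextPath) is expensive. cache result for later reuse
    String rewrittenContextPath = rewriteUrl(contextPath);
    String directoryWebappPath = resource.getWebappPath();
    for (String entry : entries) {
        // Never list the protected directories or the stylesheets themselves.
        if (entry.equalsIgnoreCase("WEB-INF") || entry.equalsIgnoreCase("META-INF") || entry.equalsIgnoreCase(localXsltFile)) {
            continue;
        }
        if ((directoryWebappPath + entry).equals(contextXsltFile)) {
            continue;
        }
        WebResource childResource = resources.getResource(directoryWebappPath + entry);
        if (!childResource.exists()) {
            continue;
        }
        sb.append("<entry");
        sb.append(" type='").append(childResource.isDirectory() ? "dir" : "file").append("'");
        // NOTE(review): urlPath relies on rewriteUrl() to return text that is
        // safe inside a single-quoted attribute; rewriteUrl is not visible
        // here - confirm that it encodes quote, '&' and '<'.
        sb.append(" urlPath='").append(rewrittenContextPath).append(rewriteUrl(directoryWebappPath + entry)).append(childResource.isDirectory() ? "/" : "").append("'");
        if (childResource.isFile()) {
            sb.append(" size='").append(renderSize(childResource.getContentLength())).append("'");
        }
        sb.append(" date='").append(childResource.getLastModifiedHttp()).append("'");
        sb.append(">");
        sb.append(RequestUtil.filter(entry));
        if (childResource.isDirectory()) {
            sb.append("/");
        }
        sb.append("</entry>");
    }
    sb.append("</entries>");
    String readme = getReadme(resource, encoding);
    if (readme != null) {
        sb.append("<readme><![CDATA[");
        // A literal "]]>" in the readme would close the CDATA section early;
        // split it across two sections so the text stays character data.
        sb.append(readme.replace("]]>", "]]]]><![CDATA[>"));
        sb.append("]]></readme>");
    }
    sb.append("</listing>");
    // Prevent possible memory leak. Ensure Transformer and
    // TransformerFactory are not loaded from the web application.
    ClassLoader original;
    if (Globals.IS_SECURITY_ENABLED) {
        PrivilegedGetTccl pa = new PrivilegedGetTccl();
        original = AccessController.doPrivileged(pa);
    } else {
        original = Thread.currentThread().getContextClassLoader();
    }
    try {
        if (Globals.IS_SECURITY_ENABLED) {
            PrivilegedSetTccl pa = new PrivilegedSetTccl(DefaultServlet.class.getClassLoader());
            AccessController.doPrivileged(pa);
        } else {
            Thread.currentThread().setContextClassLoader(DefaultServlet.class.getClassLoader());
        }
        // NOTE(review): the factory is used with its default configuration.
        // Whether the stylesheet in xsltSource is trusted, and whether secure
        // processing is enforced where it is loaded, is not visible from this
        // method - confirm at the call site.
        TransformerFactory tFactory = TransformerFactory.newInstance();
        Source xmlSource = new StreamSource(new StringReader(sb.toString()));
        Transformer transformer = tFactory.newTransformer(xsltSource);
        ByteArrayOutputStream stream = new ByteArrayOutputStream();
        OutputStreamWriter osWriter = new OutputStreamWriter(stream, "UTF8");
        StreamResult out = new StreamResult(osWriter);
        transformer.transform(xmlSource, out);
        osWriter.flush();
        return (new ByteArrayInputStream(stream.toByteArray()));
    } catch (TransformerException e) {
        throw new ServletException("XSL transformer error", e);
    } finally {
        // Restore the caller's context class loader on every exit path.
        if (Globals.IS_SECURITY_ENABLED) {
            PrivilegedSetTccl pa = new PrivilegedSetTccl(original);
            AccessController.doPrivileged(pa);
        } else {
            Thread.currentThread().setContextClassLoader(original);
        }
    }
}

/**
 * Escapes text for use inside a quoted XML attribute value of the listing.
 * A {@code null} argument is rendered as the text {@code null}, which is what
 * appending it to the builder directly would have produced.
 */
private static String escapeListingAttribute(String value) {
    String text = String.valueOf(value);
    StringBuilder escaped = new StringBuilder(text.length() + 16);
    for (int i = 0; i < text.length(); i++) {
        char c = text.charAt(i);
        switch (c) {
            case '&':
                escaped.append("&amp;");
                break;
            case '<':
                escaped.append("&lt;");
                break;
            case '>':
                escaped.append("&gt;");
                break;
            case '\'':
                escaped.append("&apos;");
                break;
            case '"':
                escaped.append("&quot;");
                break;
            default:
                escaped.append(c);
                break;
        }
    }
    return escaped.toString();
}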
Also used : TransformerFactory(javax.xml.transform.TransformerFactory) Transformer(javax.xml.transform.Transformer) StreamResult(javax.xml.transform.stream.StreamResult) StreamSource(javax.xml.transform.stream.StreamSource) WebResource(org.apache.catalina.WebResource) ByteArrayOutputStream(java.io.ByteArrayOutputStream) DOMSource(javax.xml.transform.dom.DOMSource) StreamSource(javax.xml.transform.stream.StreamSource) Source(javax.xml.transform.Source) InputSource(org.xml.sax.InputSource) ServletException(javax.servlet.ServletException) ByteArrayInputStream(java.io.ByteArrayInputStream) PrivilegedGetTccl(org.apache.tomcat.util.security.PrivilegedGetTccl) StringReader(java.io.StringReader) OutputStreamWriter(java.io.OutputStreamWriter) TransformerException(javax.xml.transform.TransformerException) PrivilegedSetTccl(org.apache.tomcat.util.security.PrivilegedSetTccl)

Example 4 with PrivilegedSetTccl

use of org.apache.tomcat.util.security.PrivilegedSetTccl in project tomcat by apache.

the class StandardContext method bind.

/*
 * Makes the web application class loader the thread context class loader.
 *
 * usePrivilegedAction selects whether the context class loader is read and
 * written through AccessController.doPrivileged or directly on the thread.
 * originalClassLoader may be null, in which case the loader currently set on
 * the thread is looked up here.
 *
 * Returns null when no switch took place (no web application class loader is
 * available, or it is already the current one); otherwise returns the loader
 * that was current before the switch, which is the value needed to undo it.
 */
@Override
public ClassLoader bind(boolean usePrivilegedAction, ClassLoader originalClassLoader) {
    final Loader loader = getLoader();
    final ClassLoader webappLoader = (loader == null) ? null : loader.getClassLoader();

    if (originalClassLoader == null) {
        if (!usePrivilegedAction) {
            originalClassLoader = Thread.currentThread().getContextClassLoader();
        } else {
            PrivilegedAction<ClassLoader> readTccl = new PrivilegedGetTccl();
            originalClassLoader = AccessController.doPrivileged(readTccl);
        }
    }

    final boolean switchNeeded = webappLoader != null && webappLoader != originalClassLoader;
    if (!switchNeeded) {
        // Switching is either impossible or unnecessary; null signals this.
        return null;
    }

    final ThreadBindingListener listener = getThreadBindingListener();

    if (!usePrivilegedAction) {
        Thread.currentThread().setContextClassLoader(webappLoader);
    } else {
        PrivilegedAction<Void> writeTccl = new PrivilegedSetTccl(webappLoader);
        AccessController.doPrivileged(writeTccl);
    }

    if (listener == null) {
        return originalClassLoader;
    }
    try {
        listener.bind();
    } catch (Throwable t) {
        // A failing listener is logged and does not undo the switch: the
        // thread stays bound to the web application class loader.
        ExceptionUtils.handleThrowable(t);
        log.error(sm.getString("standardContext.threadBindingListenerError", getName()), t);
    }
    return originalClassLoader;
}
Also used : ThreadBindingListener(org.apache.catalina.ThreadBindingListener) PrivilegedGetTccl(org.apache.tomcat.util.security.PrivilegedGetTccl) WebappLoader(org.apache.catalina.loader.WebappLoader) Loader(org.apache.catalina.Loader) PrivilegedSetTccl(org.apache.tomcat.util.security.PrivilegedSetTccl)

Example 5 with PrivilegedSetTccl

use of org.apache.tomcat.util.security.PrivilegedSetTccl in project tomcat by apache.

the class JspDocumentParser method getSAXParser.

/*
 * Builds a namespace-aware SAXParser whose XMLReader reports lexical events
 * and errors to the given JSP document parser.
 *
 * The factory lookup and parser creation run with the class loader of
 * JspDocumentParser as the thread context class loader; the loader that was
 * current on entry is restored before returning or propagating an exception.
 *
 * @param validating Indicates whether the requested SAXParser should
 * be validating
 * @param jspDocParser The JSP document parser
 *
 * @return The SAXParser
 */
private static SAXParser getSAXParser(boolean validating, JspDocumentParser jspDocParser) throws Exception {
    ClassLoader previousTccl;
    if (!Constants.IS_SECURITY_ENABLED) {
        previousTccl = Thread.currentThread().getContextClassLoader();
    } else {
        PrivilegedGetTccl readTccl = new PrivilegedGetTccl();
        previousTccl = AccessController.doPrivileged(readTccl);
    }

    try {
        if (!Constants.IS_SECURITY_ENABLED) {
            Thread.currentThread().setContextClassLoader(JspDocumentParser.class.getClassLoader());
        } else {
            PrivilegedSetTccl switchTccl = new PrivilegedSetTccl(JspDocumentParser.class.getClassLoader());
            AccessController.doPrivileged(switchTccl);
        }

        SAXParserFactory parserFactory = SAXParserFactory.newInstance();
        parserFactory.setNamespaceAware(true);
        // Keep xmlns attributes visible to the handler.
        parserFactory.setFeature("http://xml.org/sax/features/namespace-prefixes", true);
        parserFactory.setValidating(validating);
        if (validating) {
            // DTD validation first, then schema validation.
            parserFactory.setFeature("http://xml.org/sax/features/validation", true);
            parserFactory.setFeature("http://apache.org/xml/features/validation/schema", true);
        }
        // NOTE(review): no feature set here restricts DOCTYPE declarations or
        // external entities, and validating mode switches DTD processing on.
        // Whether entity resolution is constrained elsewhere (for example by
        // a resolver the caller installs) is not visible from this method -
        // confirm.

        SAXParser parser = parserFactory.newSAXParser();
        XMLReader reader = parser.getXMLReader();
        reader.setProperty(LEXICAL_HANDLER_PROPERTY, jspDocParser);
        reader.setErrorHandler(jspDocParser);
        return parser;
    } finally {
        if (!Constants.IS_SECURITY_ENABLED) {
            Thread.currentThread().setContextClassLoader(previousTccl);
        } else {
            PrivilegedSetTccl restoreTccl = new PrivilegedSetTccl(previousTccl);
            AccessController.doPrivileged(restoreTccl);
        }
    }
}
Also used : PrivilegedGetTccl(org.apache.tomcat.util.security.PrivilegedGetTccl) SAXParser(javax.xml.parsers.SAXParser) XMLReader(org.xml.sax.XMLReader) PrivilegedSetTccl(org.apache.tomcat.util.security.PrivilegedSetTccl) SAXParserFactory(javax.xml.parsers.SAXParserFactory)

Aggregations

PrivilegedGetTccl (org.apache.tomcat.util.security.PrivilegedGetTccl)5 PrivilegedSetTccl (org.apache.tomcat.util.security.PrivilegedSetTccl)5 InputSource (org.xml.sax.InputSource)2 ByteArrayInputStream (java.io.ByteArrayInputStream)1 ByteArrayOutputStream (java.io.ByteArrayOutputStream)1 IOException (java.io.IOException)1 InputStream (java.io.InputStream)1 OutputStreamWriter (java.io.OutputStreamWriter)1 StringReader (java.io.StringReader)1 URL (java.net.URL)1 HashMap (java.util.HashMap)1 Map (java.util.Map)1 ServletException (javax.servlet.ServletException)1 SAXParser (javax.xml.parsers.SAXParser)1 SAXParserFactory (javax.xml.parsers.SAXParserFactory)1 Source (javax.xml.transform.Source)1 Transformer (javax.xml.transform.Transformer)1 TransformerException (javax.xml.transform.TransformerException)1 TransformerFactory (javax.xml.transform.TransformerFactory)1 DOMSource (javax.xml.transform.dom.DOMSource)1