remm 01/01/25 10:36:46 Modified: catalina/src/share/org/apache/catalina/core StandardContext.java StandardContextValve.java Log: - Security fix : A webapp could access the naming environment of another webapp by using the ContextBindings.getContext(String name) call. Since the resources are bound in the naming environment, that would have allowed it to access any static resource or class repository inside another webapp, just by knowing its name. This function is now package private. - The implementation wasn't virtual hosting ready. Fixed. - Class loader binding was broken. Fixed. - Catalina will now use class loader binding instead of thread binding, which saves a few calls during each request. Revision Changes Path 1.37 +14 -11 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContext.java Index: StandardContext.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContext.java,v retrieving revision 1.36 retrieving revision 1.37 diff -u -r1.36 -r1.37 --- StandardContext.java 2001/01/24 02:33:01 1.36 +++ StandardContext.java 2001/01/25 18:36:22 1.37 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContext.java,v 1.36 2001/01/24 02:33:01 remm Exp $ - * $Revision: 1.36 $ - * $Date: 2001/01/24 02:33:01 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContext.java,v 1.37 2001/01/25 18:36:22 remm Exp $ + * $Revision: 1.37 $ + * $Date: 2001/01/25 18:36:22 $ * * ==================================================================== * @@ -138,7 +138,7 @@ * * @author Craig R. McClanahan * @author Remy Maucherat - * @version $Revision: 1.36 $ $Date: 2001/01/24 02:33:01 $ + * @version $Revision: 1.37 $ $Date: 2001/01/25 18:36:22 $ */ public class StandardContext 
@@ -3190,12 +3190,12 @@ Hashtable contextEnv = new Hashtable(); javax.naming.Context namingContext = new NamingContext(contextEnv, getName()); - ContextAccessController.setSecurityToken(getName(), this); - ContextBindings.bindContext(getName(), namingContext, this); - ContextBindings.bindThread(getName(), this); + ContextAccessController.setSecurityToken(this, this); + ContextBindings.bindContext(this, namingContext, this); + ContextBindings.bindThread(this, this); // Setting the context in read/write mode - ContextAccessController.setWritable(getName(), this); + ContextAccessController.setWritable(this, this); // Creating the comp subcontext javax.naming.Context compCtx = namingContext.createSubcontext("comp"); @@ -3326,11 +3326,14 @@ log(sm.getString("standardContext.bindFailed", e)); } - // Setting the context in read only mode - ContextAccessController.setReadOnly(getName()); + ContextAccessController.setReadOnly(this); + + ContextBindings.unbindThread(this, this); - ContextBindings.unbindThread(getName(), this); + // Binding the naming context to the class loader + ContextBindings.bindClassLoader + (this, this, getLoader().getClassLoader()); } 1.7 +10 -6 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextValve.java Index: StandardContextValve.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextValve.java,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- StandardContextValve.java 2001/01/23 02:51:15 1.6 +++ StandardContextValve.java 2001/01/25 18:36:26 1.7 
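Review bot: In the `@@ -3190` hunk every call passes the context as both the binding key and the security token (`setSecurityToken(this, this)`, `bindContext(this, namingContext, this)`), so the token protects nothing that a reference to this StandardContext does not already give. If ContextAccessController compares the token on later calls, which the hunk does not show, any code that can reach the context object could present it as the token. A separate private token, for example `private final Object namingToken = new Object();` passed as the last argument, would keep key and secret apart. At minimum I would add a comment above the first call, `// Key and token are both this context; web applications must never receive a direct reference to it`. The enclosing method starts and ends outside the hunk.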
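Review bot: The new `ContextBindings.bindClassLoader(this, this, getLoader().getClassLoader())` call at the end of the `@@ -3326` hunk has no visible counterpart that releases the binding, and it dereferences `getLoader()` without a null check. No hunk in this commit touches the stop or reload path, so if that path does not unbind, a reloaded web application may leave its old class loader mapped to this naming context; the release may exist outside what is shown. I would guard the call with `Loader loader = getLoader(); if (loader != null) { ... }` and add a comment naming where the binding is removed. Separately, `bindThread` in the `@@ -3190` hunk and `unbindThread` here do not appear to be paired by a `finally`, so an exception in between could leave the thread bound; the method body between the two hunks is not visible.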
@@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextValve.java,v 1.6 2001/01/23 02:51:15 craigmcc Exp $ - * $Revision: 1.6 $ - * $Date: 2001/01/23 02:51:15 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/StandardContextValve.java,v 1.7 2001/01/25 18:36:26 remm Exp $ + * $Revision: 1.7 $ + * $Date: 2001/01/25 18:36:26 $ * * ==================================================================== * @@ -89,7 +89,7 @@ * when processing HTTP requests. * * @author Craig R. McClanahan - * @version $Revision: 1.6 $ $Date: 2001/01/23 02:51:15 $ + * @version $Revision: 1.7 $ $Date: 2001/01/25 18:36:26 $ */ final class StandardContextValve @@ -187,21 +187,25 @@ // Ask this Wrapper to process this Request response.setContext(context); +/* if (context.isUseNaming()) { try { // Bind the thread to the context - ContextBindings.bindThread(context.getName(), context); + ContextBindings.bindThread(context, context); } catch (NamingException e) { e.printStackTrace(); } } +*/ wrapper.invoke(request, response); +/* if (context.isUseNaming()) { // Unbind the thread to the context - ContextBindings.unbindThread(context.getName(), context); + ContextBindings.unbindThread(context, context); } +*/ } --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
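Review bot: In the `@@ -187` hunk the two thread-binding blocks around `wrapper.invoke(request, response)` are disabled with `/* ... */` instead of being deleted, yet the lines inside them were still edited to the new `bindThread(context, context)` form. Commented-out code in the request path invites someone to re-enable it later without the `finally` that the unbind would need; I would remove both blocks and leave one comment, `// Naming lookups resolve through the class loader binding made by StandardContext; no per-request thread binding`. With the per-request binding gone, lookups during `invoke` presumably depend on the request thread's context class loader being the web application's loader, which this hunk neither sets nor checks, so it is worth confirming where that happens. The enclosing method starts outside the hunk.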