Hi there,
had to re-setup my branch... Nevertheless, updated PR is available now.
Some last things...
The pattern for default sessionAttributeValueClassNameFilter must even
be extended to match String arrays as well (roles are stored that way).
In order to keep the pattern smaller, one option is to allow arrays for
all "base types":
Current pattern:
"java\\.lang\\.(?:Boolean|Integer|Long|Number|String)"
New pattern (short version):
"(\\[L)?java\\.lang\\.(?:Boolean|Integer|Long|Number|String);?"
+
"|org\\.apache\\.catalina\\.realm\\.GenericPrincipal\\$SerializablePrincipal"
In terms of CVE-2016-0714, an array of any of these types is not really
more insecure, right?
Otherwise, I could add String arrays to the default pattern explicitly:
Current pattern:
"java\\.lang\\.(?:Boolean|Integer|Long|Number|String)"
New pattern:
"java\\.lang\\.(?:Boolean|Integer|Long|Number|String)"
+
"|org\\.apache\\.catalina\\.realm\\.GenericPrincipal\\$SerializablePrincipal"
+ "|\\[Ljava.lang.String;"
Shall I update these patterns in context.xml files of the manager and
host-manager apps as well?
BTW, thanks a lot to all of you for supporting me :)
Carsten
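To see what the two proposed patterns actually accept, the following Python script (an added example, not code from this mail or from Tomcat) checks each pattern against a constructed list of class names as `Class.getName()` reports them (`[Ljava.lang.String;` is a `String[]`). The Java string literals from the mail are converted to the regular expressions they denote (one backslash instead of two). It assumes, as a stated assumption rather than something the mail confirms, that Tomcat applies the filter with `Matcher.matches()`, so the whole class name has to match and `re.fullmatch` is the Python equivalent. It also shows two side effects worth knowing before committing a pattern: the short version's trailing `;?` accepts `java.lang.String;` and the explicit version's unescaped dots in `\[Ljava.lang.String;` accept any character in place of the dots.

```python
import re

# Pattern currently in the mail (Java literal with doubled backslashes -> regex).
CURRENT_PATTERN = r"java\.lang\.(?:Boolean|Integer|Long|Number|String)"

# Option 1 from the mail: one-dimensional arrays of every listed base type.
SHORT_PATTERN = (
    r"(\[L)?java\.lang\.(?:Boolean|Integer|Long|Number|String);?"
    r"|org\.apache\.catalina\.realm\.GenericPrincipal\$SerializablePrincipal"
)

# Option 2 from the mail, verbatim: String arrays only, but with unescaped dots
# in the array alternative.
EXPLICIT_PATTERN = (
    r"java\.lang\.(?:Boolean|Integer|Long|Number|String)"
    r"|org\.apache\.catalina\.realm\.GenericPrincipal\$SerializablePrincipal"
    r"|\[Ljava.lang.String;"
)

# Same as option 2 with the dots escaped (a suggested correction, not in the mail).
EXPLICIT_PATTERN_ESCAPED = (
    r"java\.lang\.(?:Boolean|Integer|Long|Number|String)"
    r"|org\.apache\.catalina\.realm\.GenericPrincipal\$SerializablePrincipal"
    r"|\[Ljava\.lang\.String;"
)


def allowed(pattern, class_name):
    """True if the attribute value class passes the filter.

    Assumption: the filter is applied with Matcher.matches(), i.e. the whole
    class name must match, which is what re.fullmatch does here.
    """
    return re.fullmatch(pattern, class_name) is not None


# Constructed sample of class names in Class.getName() form.
SAMPLE_CLASSES = [
    "java.lang.String",
    "[Ljava.lang.String;",     # String[]  (how roles are stored)
    "[Ljava.lang.Integer;",    # Integer[]
    "[[Ljava.lang.String;",    # String[][] (two dimensions)
    "[I",                      # int[]      (primitive array)
    "java.lang.String;",       # not a real class name; probes the trailing ';?'
    "[LjavaXlang.String;",     # probes the unescaped dots in option 2
    "org.apache.catalina.realm.GenericPrincipal$SerializablePrincipal",
    "java.util.HashMap",
]


def check(pattern, class_names=SAMPLE_CLASSES):
    """Map each class name to whether the given pattern accepts it."""
    return {name: allowed(pattern, name) for name in class_names}


if __name__ == "__main__":
    for label, pattern in (("current", CURRENT_PATTERN),
                           ("short", SHORT_PATTERN),
                           ("explicit", EXPLICIT_PATTERN),
                           ("explicit-escaped", EXPLICIT_PATTERN_ESCAPED)):
        print(f"== {label} ==")
        for name, ok in check(pattern).items():
            print(f"  {'allow' if ok else 'deny '}  {name}")
```

Running it shows that only the two new patterns accept `[Ljava.lang.String;`, that the short version additionally accepts arrays of the other listed types but nothing with more than one dimension and no primitive arrays, and that the escaped form of the explicit pattern is the one to use if that option is chosen.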
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org