Author: markt
Date: Wed Jan 27 20:35:36 2016
New Revision: 1727182

URL: http://svn.apache.org/viewvc?rev=1727182&view=rev
Log:
When using the new sessionAttributeValueClassNameFilter, apply the filter 
earlier rather than loading the class and then deciding to filter it out.
When a SecurityManager is used, enable filtering by default.

Modified:
    tomcat/tc6.0.x/trunk/   (props changed)
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/StandardManager.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/StoreBase.java
    
tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/CustomObjectInputStream.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/LocalStrings.properties
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/cluster-manager.xml
    tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml

Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Jan 27 20:35:36 2016
@@ -1,3 +1,3 @@
-/tomcat/tc7.0.x/trunk:1190476,1224802,1243045,1298635,1304471,1311997,1312007,1331772,1333164,1333176,1348992,1354866,1371298,1371302,1371620,1402110,1409014,1413553,1413557,1413563,1430083,1438415,1446641-1446660,1447013,1453106,1453119,1484919,1486877,1500065,1503852,1505844,1513151,1521040,1526470,1536524,1539176-1539177,1544469,1544473,1552805,1558894,1558917,1561368,1561382,1561386,1561552,1561561,1561636,1561641,1561643,1561737,1562748,1564317,1568922,1570163,1577328,1577464-1577465,1578814,1586659,1586897,1586960,1588199,1588997,1589740,1589851,1589997,1590019,1590028,1590337,1590492,1590651,1590838,1590845,1590848,1590912,1593262,1593288,1593371,1593835,1594230,1595174,1595366,1600956,1601333,1601856,1601909,1609079,1609606,1617364,1617374,1617433,1617457-1617458,1624249,1626579,1627420,1627469,1632586,1637686,1637711,1640675,1642045,1643515,1643540,1643572,1643585-1643586,1643642,1643647,1644019,1648817,1656301,1658815,1659523,1659564,1664001,1664176,1665087,1666968,1666989
 
,1668541,1668635,1669802,1676557,1681183,1681841,1681865,1681867,1685829,1693109,1694293,1694433,1694875,1696381,1701945,1710353,1712656,1713873,1714000,1714005,1714540,1715213,1716221,1716417,1717107,1717210,1717212,1720236,1720398,1720443,1720464,1721814,1721883,1722645,1722801,1723151,1724435,1724553,1724675,1724797,1724806,1725931,1726631,1726808,1726813,1726815,1726817,1726819,1726917,1726919,1726922-1726924,1727031,1727043,1727158
-/tomcat/tc8.0.x/trunk:1637685,1637709,1640674,1641726,1641729-1641730,1643513,1643539,1643571,1643581-1643582,1644018,1648816,1656300,1658801-1658803,1658811,1659522,1663997,1664175,1665086,1666967,1666988,1668634,1669801,1676556,1681182,1681840,1681864,1685827,1689921,1693108,1694291,1694427,1694873,1696379,1701944,1710347,1712618,1712655,1713872,1713998,1714004,1714538,1715207,1716216-1716217,1716414,1717208-1717209,1720235,1720396,1720442,1720463,1721813,1721882,1722800,1723130,1724434,1724674,1724792,1724803,1725929,1725963-1725965,1725970,1725974,1726172,1726175,1726179-1726182,1726195-1726198,1726200,1726226,1726576,1726630,1727029,1727037
-/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,656018,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,752323,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770
 
809,770876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832214,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883134,883146,883165,883177,883362,883565,884341,885038,885231,885241,885260,885901,885991,886019,888072,889363,889606,889716,890139,890265
 
,890349-890350,890417,891185-891187,891583,892198,892341,892415,892464,892555,892812,892814,892817,892843,892887,893321,893493,894580,894586,894805,894831,895013,895045,895057,895191,895392,895703,896370,896384,897380-897381,897776,898126,898256,898468,898527,898555,898558,898718,898836,898906,899284,899348,899420,899653,899769-899770,899783,899788,899792,899916,899918-899919,899935,899949,903916,905020,905151,905722,905728,905735,907311,907513,907538,907652,907727,907819,907825,907864,908002,908721,908754,908759,909097,909206,909212,909525,909636,909869,909875,909887,910266,910370,910442,910471,910485,910974,915226,915737,915861,916097,916141,916157,916170,917598,917633,918093,918489,918594,918684,918787,918792,918799,918803,918885,919851,919914,920025,920055,920298,920449,920596,920824,920840,921444,922010,926716,927062,927621,928482,928695,928732,928798,931709,932357,932967,935105,935983,939491,939551,940064,941356,941463,943112,944409,944416,945231,945808,945835,945841,946686,94
 
8057,950164,950596,950614,950851,950905,951615,953434,954435,955648,955655,956832,957130,957830,958192,960701,961948,962865,962872,962881,962900,963106,963865,963868,964614,966177-966178,966292,966692,966863,981815,988448,991837,993042,1001955,1002185,1002263,1002274,1002349,1002359,1002362,1002481,1002514,1003461,1003481,1003488,1003556,1003572,1003581,1003861,1004393,1004409,1004415,1004868-1004869,1004912,1005452,1005467,1005647,1005802,1022120,1022134,1022323,1022415,1022606,1022623,1024224,1024251,1026042,1026784,1026912,1026920,1029767,1033415,1033448,1033842,1033897,1037715,1037794,1037887,1037924,1038041,1041892,1042022,1042029,1042447,1042452,1042494,1043983,1044944,1044987,1049264,1050249,1055055,1055236,1055458,1055975,1056264,1056828,1056889,1059881,1060486,1061412,1061442,1061446,1061503,1062398,1064652,1066244,1066772,1067039,1067139,1069824,1070139,1070420,1070609,1072042,1073184,1073393,1075458,1076212,1078409,1078412,1079801,1081118,1081334,1088179,1088460,1090022,1
 
094069,1094089,1095138,1097899,1099575,1099586,1099772,1099789,1100145,1100822,1101094,1101144,1124680,1130774,1133014,1137862,1137996,1138950,1138953,1139280,1140693,1141104,1141441,1142043,1142904,1143134,1143150,1145137,1148216,1148471,1152601,1156171,1156519,1164567,1167394,1172233-1172234,1172236,1173614,1174353,1174882,1174884,1175158,1175190,1176799,1177125,1177245,1177850,1177862,1178228,1178233,1178684,1181028,1181136,1184917,1184919,1185200,1185588,1186011,1186104,1186123,1186137,1186153,1186378,1186712,1186763,1186949,1187381,1189240,1189386,1190388-1190389,1190474,1198622,1201576,1203091,1224801,1233426,1243034,1243038,1244567,1298140,1298628-1298629,1304468,1311997,1331766,1333161,1333173,1342498,1342503,1348425,1348461-1348495,1348989,1350294,1351056,1351636-1351640,1352011,1354685,1354847,1354856,1356125,1359981,1371283,1409007,1413552,1413556,1413562,1417282,1430079,1430481,1430567,1435606,1435636,1435642,1438411,1439054,1441348,1446640,1446650,1447012,1453105,145311
 
2,1456666-1456678,1456713,1456721,1457968,1460342,1460533,1484862,1486875,1492570,1494143,1500062,1503851,1505843,1513148-1513149,1526469,1533312,1536520,1539157,1539173,1540374,1552804,1555163,1558811,1561054-1561065,1561067-1561070,1561072-1561075,1561083,1561190-1561192,1561635,1561640,1561732,1562742,1562746,1564309,1564312,1568921,1574004,1577315,1577324,1577463,1578812-1578813,1586658,1586894,1586959,1588193,1588197,1589737-1589738,1589763,1589837,1589842,1589980,1590018,1590302,1590646,1590648,1590835,1590842,1590911,1593259,1593261,1593335,1593834,1594229,1595171,1595289,1597532,1600955,1600963,1600978,1600984,1601329-1601330,1601332,1601855,1608963,1609061,1609593,1617362,1617365,1617383,1617456,1623392,1624247,1626579,1627033,1628978,1631155,1631520,1632584,1634117,1634130,1637684,1637695,1640655-1640658,1641656,1641660,1641692,1641707-1641718,1641721-1641722,1642564,1642606,1643045,1643054,1643570,1644017,1648815,1656299,1658799,1658802,1659521,1663995,1664174,1665085,166
 
6966,1666985,1668630,1669800,1676552,1681837-1681838,1681854,1685826,1687242,1689918,1693105,1694290,1694872,1696378,1701940,1710346,1712617,1712654,1713871,1713997,1714002,1715188,1715206,1716213-1716214,1716413,1716640,1716856,1716858,1716881-1716882,1716886,1716894,1720234,1720394,1720439,1720462,1721812,1721881,1722532,1722799,1722807,1722824,1722828-1722829,1722831,1722859,1723127,1723707,1723736,1724427,1724433,1724673,1724788,1724863,1725113,1725183,1725199,1725202,1725204,1725207,1725263-1725264,1725266,1725278,1725282,1725405,1725646,1725649-1725652,1725696-1725697,1725926,1726177,1726628,1726676,1726926
+/tomcat/tc7.0.x/trunk:1190476,1224802,1243045,1298635,1304471,1311997,1312007,1331772,1333164,1333176,1348992,1354866,1371298,1371302,1371620,1402110,1409014,1413553,1413557,1413563,1430083,1438415,1446641-1446660,1447013,1453106,1453119,1484919,1486877,1500065,1503852,1505844,1513151,1521040,1526470,1536524,1539176-1539177,1544469,1544473,1552805,1558894,1558917,1561368,1561382,1561386,1561552,1561561,1561636,1561641,1561643,1561737,1562748,1564317,1568922,1570163,1577328,1577464-1577465,1578814,1586659,1586897,1586960,1588199,1588997,1589740,1589851,1589997,1590019,1590028,1590337,1590492,1590651,1590838,1590845,1590848,1590912,1593262,1593288,1593371,1593835,1594230,1595174,1595366,1600956,1601333,1601856,1601909,1609079,1609606,1617364,1617374,1617433,1617457-1617458,1624249,1626579,1627420,1627469,1632586,1637686,1637711,1640675,1642045,1643515,1643540,1643572,1643585-1643586,1643642,1643647,1644019,1648817,1656301,1658815,1659523,1659564,1664001,1664176,1665087,1666968,1666989
 
,1668541,1668635,1669802,1676557,1681183,1681841,1681865,1681867,1685829,1693109,1694293,1694433,1694875,1696381,1701945,1710353,1712656,1713873,1714000,1714005,1714540,1715213,1716221,1716417,1717107,1717210,1717212,1720236,1720398,1720443,1720464,1721814,1721883,1722645,1722801,1723151,1724435,1724553,1724675,1724797,1724806,1725931,1726631,1726808,1726813,1726815,1726817,1726819,1726917,1726919,1726922-1726924,1727031,1727034,1727043,1727158
+/tomcat/tc8.0.x/trunk:1637685,1637709,1640674,1641726,1641729-1641730,1643513,1643539,1643571,1643581-1643582,1644018,1648816,1656300,1658801-1658803,1658811,1659522,1663997,1664175,1665086,1666967,1666988,1668634,1669801,1676556,1681182,1681840,1681864,1685827,1689921,1693108,1694291,1694427,1694873,1696379,1701944,1710347,1712618,1712655,1713872,1713998,1714004,1714538,1715207,1716216-1716217,1716414,1717208-1717209,1720235,1720396,1720442,1720463,1721813,1721882,1722800,1723130,1724434,1724674,1724792,1724803,1725929,1725963-1725965,1725970,1725974,1726172,1726175,1726179-1726182,1726195-1726198,1726200,1726203,1726226,1726576,1726630,1727029,1727037
+/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,656018,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,752323,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770
 
809,770876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832214,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883134,883146,883165,883177,883362,883565,884341,885038,885231,885241,885260,885901,885991,886019,888072,889363,889606,889716,890139,890265
 
,890349-890350,890417,891185-891187,891583,892198,892341,892415,892464,892555,892812,892814,892817,892843,892887,893321,893493,894580,894586,894805,894831,895013,895045,895057,895191,895392,895703,896370,896384,897380-897381,897776,898126,898256,898468,898527,898555,898558,898718,898836,898906,899284,899348,899420,899653,899769-899770,899783,899788,899792,899916,899918-899919,899935,899949,903916,905020,905151,905722,905728,905735,907311,907513,907538,907652,907727,907819,907825,907864,908002,908721,908754,908759,909097,909206,909212,909525,909636,909869,909875,909887,910266,910370,910442,910471,910485,910974,915226,915737,915861,916097,916141,916157,916170,917598,917633,918093,918489,918594,918684,918787,918792,918799,918803,918885,919851,919914,920025,920055,920298,920449,920596,920824,920840,921444,922010,926716,927062,927621,928482,928695,928732,928798,931709,932357,932967,935105,935983,939491,939551,940064,941356,941463,943112,944409,944416,945231,945808,945835,945841,946686,94
 
8057,950164,950596,950614,950851,950905,951615,953434,954435,955648,955655,956832,957130,957830,958192,960701,961948,962865,962872,962881,962900,963106,963865,963868,964614,966177-966178,966292,966692,966863,981815,988448,991837,993042,1001955,1002185,1002263,1002274,1002349,1002359,1002362,1002481,1002514,1003461,1003481,1003488,1003556,1003572,1003581,1003861,1004393,1004409,1004415,1004868-1004869,1004912,1005452,1005467,1005647,1005802,1022120,1022134,1022323,1022415,1022606,1022623,1024224,1024251,1026042,1026784,1026912,1026920,1029767,1033415,1033448,1033842,1033897,1037715,1037794,1037887,1037924,1038041,1041892,1042022,1042029,1042447,1042452,1042494,1043983,1044944,1044987,1049264,1050249,1055055,1055236,1055458,1055975,1056264,1056828,1056889,1059881,1060486,1061412,1061442,1061446,1061503,1062398,1064652,1066244,1066772,1067039,1067139,1069824,1070139,1070420,1070609,1072042,1073184,1073393,1075458,1076212,1078409,1078412,1079801,1081118,1081334,1088179,1088460,1090022,1
 
094069,1094089,1095138,1097899,1099575,1099586,1099772,1099789,1100145,1100822,1101094,1101144,1124680,1130774,1133014,1137862,1137996,1138950,1138953,1139280,1140693,1141104,1141441,1142043,1142904,1143134,1143150,1145137,1148216,1148471,1152601,1156171,1156519,1164567,1167394,1172233-1172234,1172236,1173614,1174353,1174882,1174884,1175158,1175190,1176799,1177125,1177245,1177850,1177862,1178228,1178233,1178684,1181028,1181136,1184917,1184919,1185200,1185588,1186011,1186104,1186123,1186137,1186153,1186378,1186712,1186763,1186949,1187381,1189240,1189386,1190388-1190389,1190474,1198622,1201576,1203091,1224801,1233426,1243034,1243038,1244567,1298140,1298628-1298629,1304468,1311997,1331766,1333161,1333173,1342498,1342503,1348425,1348461-1348495,1348989,1350294,1351056,1351636-1351640,1352011,1354685,1354847,1354856,1356125,1359981,1371283,1409007,1413552,1413556,1413562,1417282,1430079,1430481,1430567,1435606,1435636,1435642,1438411,1439054,1441348,1446640,1446650,1447012,1453105,145311
 
2,1456666-1456678,1456713,1456721,1457968,1460342,1460533,1484862,1486875,1492570,1494143,1500062,1503851,1505843,1513148-1513149,1526469,1533312,1536520,1539157,1539173,1540374,1552804,1555163,1558811,1561054-1561065,1561067-1561070,1561072-1561075,1561083,1561190-1561192,1561635,1561640,1561732,1562742,1562746,1564309,1564312,1568921,1574004,1577315,1577324,1577463,1578812-1578813,1586658,1586894,1586959,1588193,1588197,1589737-1589738,1589763,1589837,1589842,1589980,1590018,1590302,1590646,1590648,1590835,1590842,1590911,1593259,1593261,1593335,1593834,1594229,1595171,1595289,1597532,1600955,1600963,1600978,1600984,1601329-1601330,1601332,1601855,1608963,1609061,1609593,1617362,1617365,1617383,1617456,1623392,1624247,1626579,1627033,1628978,1631155,1631520,1632584,1634117,1634130,1637684,1637695,1640655-1640658,1641656,1641660,1641692,1641707-1641718,1641721-1641722,1642564,1642606,1643045,1643054,1643570,1644017,1648815,1656299,1658799,1658802,1659521,1663995,1664174,1665085,166
 
6966,1666985,1668630,1669800,1676552,1681837-1681838,1681854,1685826,1687242,1689918,1693105,1694290,1694872,1696378,1701940,1710346,1712617,1712654,1713871,1713997,1714002,1715188,1715206,1716213-1716214,1716413,1716640,1716856,1716858,1716881-1716882,1716886,1716894,1720234,1720394,1720439,1720462,1721812,1721881,1722532,1722799,1722807,1722824,1722828-1722829,1722831,1722859,1723127,1723707,1723736,1724427,1724433,1724673,1724788,1724863,1725113,1725183,1725199,1725202,1725204,1725207,1725263-1725264,1725266,1725278,1725282,1725405,1725646,1725649-1725652,1725696-1725697,1725914,1725926,1726177,1726202,1726628,1726676,1726926

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java?rev=1727182&r1=1727181&r2=1727182&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/ManagerBase.java Wed 
Jan 27 20:35:36 2016
@@ -280,8 +280,31 @@ public abstract class ManagerBase implem
     }
 
 
-    // ------------------------------------------------------------- Properties
+    // ------------------------------------------------------------ 
Constructors
 
+    public ManagerBase() {
+        if (Globals.IS_SECURITY_ENABLED) {
+            // Minimum set required for default distribution/persistence to 
work
+            // plus String
+            setSessionAttributeValueClassNameFilter(
+                    "java\\.lang\\.(?:Boolean|Integer|Long|Number|String)");
+            setWarnOnSessionAttributeFilterFailure(true);
+        }
+    }
+
+
+    // -------------------------------------------------------------- 
Properties
+
+    /**
+     * Obtain the regular expression used to filter session attribute based on
+     * attribute name. The regular expression is anchored so it must match the
+     * entire name
+     *
+     * @return The regular expression currently used to filter attribute names.
+     *         {@code null} means no filter is applied. If an empty string is
+     *         specified then no names will match the filter and all attributes
+     *         will be blocked.
+     */
     public String getSessionAttributeNameFilter() {
         if (sessionAttributeNamePattern == null) {
             return null;
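Review bot: The comment above the `setSessionAttributeValueClassNameFilter(...)` call in the new constructor should say why `java.lang.Number` is in the default allow-list: as far as I can tell from `resolveClass` matching `classDesc.getName()`, the descriptor of every Serializable superclass in the stream is resolved too, so `Integer`/`Long` only deserialize if their `Number` ancestor is also admitted, and an operator widening the pattern must likewise list each Serializable ancestor of their own attribute classes. It is also worth stating there that array-typed attributes are excluded by this default, since the name checked is the JVM descriptor form (e.g. `[Ljava.lang.String;`). Separately, the constructor invokes the public setters `setSessionAttributeValueClassNameFilter` and `setWarnOnSessionAttributeFilterFailure` before any subclass constructor has run; unless those setters are final (they are outside this hunk), assigning the backing fields directly here avoids executing an override on a partially constructed manager.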

Modified: 
tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/StandardManager.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/StandardManager.java?rev=1727182&r1=1727181&r2=1727182&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/StandardManager.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/StandardManager.java 
Wed Jan 27 20:35:36 2016
@@ -43,7 +43,7 @@ import org.apache.catalina.Loader;
 import org.apache.catalina.Session;
 import org.apache.catalina.util.CustomObjectInputStream;
 import org.apache.catalina.util.LifecycleSupport;
-
+import org.apache.juli.logging.Log;
 import org.apache.catalina.security.SecurityUtil;
 
 /**
@@ -349,17 +349,21 @@ public class StandardManager
         ObjectInputStream ois = null;
         Loader loader = null;
         ClassLoader classLoader = null;
+        Log logger = null;
         try {
             fis = new FileInputStream(file.getAbsolutePath());
             bis = new BufferedInputStream(fis);
             loader = container.getLoader();
+            logger = container.getLogger();
             if (loader != null) {
                 classLoader = loader.getClassLoader();
             }
             if (classLoader == null) {
                 classLoader = getClass().getClassLoader();
             }
-            ois = new CustomObjectInputStream(bis, classLoader);
+            ois = new CustomObjectInputStream(bis, classLoader, logger,
+                    getSessionAttributeValueClassNamePattern(),
+                    getWarnOnSessionAttributeFilterFailure());
         } catch (FileNotFoundException e) {
             if (log.isDebugEnabled()) {
                 log.debug("No persisted data file found");
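Review bot: With the filtering stream now wired in at `ois = new CustomObjectInputStream(bis, classLoader, logger, ...)`, a rejected attribute class surfaces later in this method as an `InvalidClassException` (an `IOException`) from `readObject`, which is a new failure mode for the persisted-session file under a SecurityManager; the catch clauses visible here only handle `FileNotFoundException`, so please confirm that the rest of `doLoad` (it starts and ends outside this hunk) treats that exception as a recoverable, logged loss of the persisted sessions rather than letting it abort the load or leave a stale file that fails again on the next start. A one-line comment above the constructor call noting that a filtered class is reported through `InvalidClassException` would make that expectation explicit for the next reader.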

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/StoreBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/StoreBase.java?rev=1727182&r1=1727181&r2=1727182&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/StoreBase.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/session/StoreBase.java Wed 
Jan 27 20:35:36 2016
@@ -242,7 +242,20 @@ public abstract class StoreBase
      */
     protected ObjectInputStream getObjectInputStream(InputStream is) throws 
IOException {
         BufferedInputStream bis = new BufferedInputStream(is);
-        return new CustomObjectInputStream(bis, 
Thread.currentThread().getContextClassLoader());
+
+        CustomObjectInputStream ois;
+        ClassLoader classLoader = 
Thread.currentThread().getContextClassLoader();
+
+        if (manager instanceof ManagerBase) {
+            ManagerBase managerBase = (ManagerBase) manager;
+            ois = new CustomObjectInputStream(bis, classLoader, 
manager.getContainer().getLogger(),
+                    managerBase.getSessionAttributeValueClassNamePattern(),
+                    managerBase.getWarnOnSessionAttributeFilterFailure());
+        } else {
+            ois = new CustomObjectInputStream(bis, classLoader);
+        }
+
+        return ois;
     }
 
 
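Review bot: The `else` branch at `ois = new CustomObjectInputStream(bis, classLoader);` silently disables value-class filtering for any `Manager` that is not a `ManagerBase`, including when a SecurityManager is active and the new defaults would otherwise apply; it should at least log that the store is deserializing unfiltered, e.g. a `manager.getContainer().getLogger().warn(...)`-style message or a comment explaining why this is acceptable. In the `ManagerBase` branch, `manager.getContainer().getLogger()` dereferences the container for the first time in this method; if a store can be exercised before its manager is attached to a container this is a new NPE path, so either guard it or document the precondition on `getObjectInputStream`. Note that this path resolves classes through the thread context class loader while `StandardManager` uses the web application's loader, which is pre-existing but worth a comment now that the filter makes class resolution security-relevant.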

Modified: 
tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/CustomObjectInputStream.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/CustomObjectInputStream.java?rev=1727182&r1=1727181&r2=1727182&view=diff
==============================================================================
--- 
tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/CustomObjectInputStream.java 
(original)
+++ 
tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/CustomObjectInputStream.java 
Wed Jan 27 20:35:36 2016
@@ -18,9 +18,17 @@ package org.apache.catalina.util;
 
 import java.io.InputStream;
 import java.io.IOException;
+import java.io.InvalidClassException;
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
 import java.lang.reflect.Proxy;
+import java.util.Map;
+import java.util.WeakHashMap;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.regex.Pattern;
+
+import org.apache.juli.logging.Log;
+import org.apache.tomcat.util.res.StringManager;
 
 /**
  * Custom subclass of <code>ObjectInputStream</code> that loads from the
@@ -33,14 +41,27 @@ import java.lang.reflect.Proxy;
  */
 public final class CustomObjectInputStream extends ObjectInputStream {
 
+    private static final StringManager sm = StringManager.getManager(
+            CustomObjectInputStream.class.getPackage().getName());
+
+    private static final WeakHashMap<ClassLoader, Map<String,Boolean>> 
reportedClassCache =
+            new WeakHashMap<ClassLoader, Map<String,Boolean>>();
+
     /**
      * The class loader we will use to resolve classes.
      */
     private ClassLoader classLoader = null;
+    private final Map<String,Boolean> reportedClasses;
+    private final Log log;
+
+    private final Pattern allowedClassNamePattern;
+    private final String allowedClassNameFilter;
+    private final boolean warnOnFailure;
 
 
     /**
-     * Construct a new instance of CustomObjectInputStream
+     * Construct a new instance of CustomObjectInputStream without any 
filtering
+     * of deserialized classes.
      *
      * @param stream The input stream we will read from
      * @param classLoader The class loader used to instantiate objects
@@ -48,8 +69,54 @@ public final class CustomObjectInputStre
      * @exception IOException if an input/output error occurs
      */
     public CustomObjectInputStream(InputStream stream, ClassLoader 
classLoader) throws IOException {
+        this(stream, classLoader, null, null, false);
+    }
+
+
+    /**
+     * Construct a new instance of CustomObjectInputStream with filtering of
+     * deserialized classes.
+     *
+     * @param stream The input stream we will read from
+     * @param classLoader The class loader used to instantiate objects
+     * @param log The logger to use to report any issues. It may only be null 
if
+     *            the filterMode does not require logging
+     * @param allowedClassNamePattern The regular expression to use to filter
+     *                                deserialized classes. The fully qualified
+     *                                class name must match this pattern for
+     *                                deserialization to be allowed if 
filtering
+     *                                is enabled.
+     * @param warnOnFailure Should any failures be logged?
+     *
+     * @exception IOException if an input/output error occurs
+     */
+    public CustomObjectInputStream(InputStream stream, ClassLoader classLoader,
+            Log log, Pattern allowedClassNamePattern, boolean warnOnFailure)
+            throws IOException {
         super(stream);
+        if (log == null && allowedClassNamePattern != null && warnOnFailure) {
+            throw new IllegalArgumentException(
+                    sm.getString("customObjectInputStream.logRequired"));
+        }
         this.classLoader = classLoader;
+        this.log = log;
+        this.allowedClassNamePattern = allowedClassNamePattern;
+        if (allowedClassNamePattern == null) {
+            this.allowedClassNameFilter = null;
+        } else {
+            this.allowedClassNameFilter = allowedClassNamePattern.toString();
+        }
+        this.warnOnFailure = warnOnFailure;
+
+        Map<String,Boolean> reportedClasses;
+        synchronized (reportedClassCache) {
+            reportedClasses = reportedClassCache.get(classLoader);
+            if (reportedClasses == null) {
+                reportedClasses = new ConcurrentHashMap<String,Boolean>();
+                reportedClassCache.put(classLoader, reportedClasses);
+            }
+        }
+        this.reportedClasses = reportedClasses;
     }
 
 
@@ -65,8 +132,24 @@ public final class CustomObjectInputStre
     @Override
     public Class<?> resolveClass(ObjectStreamClass classDesc)
         throws ClassNotFoundException, IOException {
+
+        String name = classDesc.getName();
+        if (allowedClassNamePattern != null) {
+            boolean allowed = allowedClassNamePattern.matcher(name).matches();
+            if (!allowed) {
+                boolean doLog = warnOnFailure && reportedClasses.put(name, 
Boolean.FALSE) == null;
+                String msg = sm.getString("customObjectInputStream.nomatch", 
name, allowedClassNameFilter);
+                if (doLog) {
+                    log.warn(msg);
+                } else if (log.isDebugEnabled()) {
+                    log.debug(msg);
+                }
+                throw new InvalidClassException(msg);
+            }
+        }
+
         try {
-            return Class.forName(classDesc.getName(), false, classLoader);
+            return Class.forName(name, false, classLoader);
         } catch (ClassNotFoundException e) {
             try {
                 // Try also the superclass because of primitive types
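Review bot: `} else if (log.isDebugEnabled()) {` dereferences `log` unconditionally, yet the constructor accepts a null `log` when `warnOnFailure` is false, so a rejected class in that configuration raises a `NullPointerException` instead of the intended `InvalidClassException`; guard it with `} else if (log != null && log.isDebugEnabled()) {` (or require a logger whenever a pattern is set). The allow-list is applied only in `resolveClass`; the file imports `java.lang.reflect.Proxy`, which suggests `resolveProxyClass` is also overridden outside this hunk, and the interface names a dynamic-proxy descriptor carries would then be loaded without passing this check, so the same pattern match should be applied to each interface name there (or proxies rejected outright when a filter is configured). The remainder of `resolveClass` continues past the end of the hunk.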

Modified: 
tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/LocalStrings.properties?rev=1727182&r1=1727181&r2=1727182&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/LocalStrings.properties 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/LocalStrings.properties 
Wed Jan 27 20:35:36 2016
@@ -17,6 +17,8 @@ parameterMap.locked=No modifications are
 resourceSet.locked=No modifications are allowed to a locked ResourceSet
 hexUtil.bad=Bad hexadecimal digit
 hexUtil.odd=Odd number of hexadecimal digits
+customObjectInputStream.logRequired=A valid logger is required for class name 
filtering with logging
+customObjectInputStream.nomatch=The class [{0}] did not match the regular 
expression [{1}] for classes allowed to be deserialized
 #Default Messages Utilized by the ExtensionValidator
 extensionValidator.web-application-manifest=Web Application Manifest
 extensionValidator.extension-not-found-error=ExtensionValidator[{0}][{1}]: 
Required extension "{2}" not found.

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1727182&r1=1727181&r2=1727182&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Jan 27 20:35:36 2016
@@ -144,7 +144,8 @@
         based on the implementation class of the value and optional
         <code>WARN</code> level logging if an attribute is filtered. These
         options are available for all of the Manager implementations that ship
-        with Tomcat. (markt)
+        with Tomcat. When a <code>SecurityManager</code> is used filtering will
+        be enabled by default. (markt)
       </add>
     </changelog>
   </subsection>

Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/cluster-manager.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/cluster-manager.xml?rev=1727182&r1=1727181&r2=1727182&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/cluster-manager.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/cluster-manager.xml Wed Jan 27 
20:35:36 2016
@@ -141,7 +141,9 @@
         length or <code>null</code>, all attributes are eligible for
         replication. The pattern is anchored so the fully qualified class name
         must fully match the pattern. If not specified, the default value of
-        <code>null</code> will be used.</p>
+        <code>null</code> will be used unless a <code>SecurityManager</code> is
+        enabled in which case the default will be
+        <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)</code>.</p>
       </attribute>
       <attribute name="warnOnSessionAttributeFilterFailure" required="false">
         <p>If <strong>sessionAttributeNameFilter</strong> or
@@ -149,7 +151,8 @@
         attribute, should this be logged at <code>WARN</code> level? If
         <code>WARN</code> level logging is disabled then it will be logged at
         <code>DEBUG</code>. The default value of this attribute is
-        <code>false</code>.</p>
+        <code>false</code> unless a <code>SecurityManager</code> is enabled in
+        which case the default will be <code>true</code>.</p>
       </attribute>
     </attributes>
   </subsection>
@@ -192,7 +195,9 @@
         length or <code>null</code>, all attributes are eligible for
         replication. The pattern is anchored so the fully qualified class name
         must fully match the pattern. If not specified, the default value of
-        <code>null</code> will be used.</p>
+        <code>null</code> will be used unless a <code>SecurityManager</code> is
+        enabled in which case the default will be
+        <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)</code>.</p>
       </attribute>
       <attribute name="warnOnSessionAttributeFilterFailure" required="false">
         <p>If <strong>sessionAttributeNameFilter</strong> or
@@ -200,7 +205,8 @@
         attribute, should this be logged at <code>WARN</code> level? If
         <code>WARN</code> level logging is disabled then it will be logged at
         <code>DEBUG</code>. The default value of this attribute is
-        <code>false</code>.</p>
+        <code>false</code> unless a <code>SecurityManager</code> is enabled in
+        which case the default will be <code>true</code>.</p>
       </attribute>
     </attributes>
   </subsection>

Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml?rev=1727182&r1=1727181&r2=1727182&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/config/manager.xml Wed Jan 27 20:35:36 
2016
@@ -194,7 +194,9 @@
         length or <code>null</code>, all attributes are eligible for
         distribution. The pattern is anchored so the fully qualified class name
         must fully match the pattern. If not specified, the default value of
-        <code>null</code> will be used.</p>
+        <code>null</code> will be used unless a <code>SecurityManager</code> is
+        enabled in which case the default will be
+        <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)</code>.</p>
       </attribute>
 
       <attribute name="warnOnSessionAttributeFilterFailure" required="false">
@@ -203,7 +205,8 @@
         attribute, should this be logged at <code>WARN</code> level? If
         <code>WARN</code> level logging is disabled then it will be logged at
         <code>DEBUG</code>. The default value of this attribute is
-        <code>false</code>.</p>
+        <code>false</code> unless a <code>SecurityManager</code> is enabled in
+        which case the default will be <code>true</code>.</p>
       </attribute>
     </attributes>
 
@@ -348,7 +351,9 @@
         length or <code>null</code>, all attributes are eligible for
         distribution. The pattern is anchored so the fully qualified class name
         must fully match the pattern. If not specified, the default value of
-        <code>null</code> will be used.</p>
+        <code>null</code> will be used unless a <code>SecurityManager</code> is
+        enabled in which case the default will be
+        <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)</code>.</p>
       </attribute>
 
       <attribute name="warnOnSessionAttributeFilterFailure" required="false">
@@ -357,7 +362,8 @@
         attribute, should this be logged at <code>WARN</code> level? If
         <code>WARN</code> level logging is disabled then it will be logged at
         <code>DEBUG</code>. The default value of this attribute is
-        <code>false</code>.</p>
+        <code>false</code> unless a <code>SecurityManager</code> is enabled in
+        which case the default will be <code>true</code>.</p>
       </attribute>
     </attributes>
 


