svn commit: r1790465 - in /tomcat/trunk/java/org/apache/jasper: runtime/PageContextImpl.java security/SecurityClassLoad.java

[markt]

Author: markt
Date: Thu Apr  6 20:56:15 2017
New Revision: 1790465

URL: http://svn.apache.org/viewvc?rev=1790465&view=rev
Log:
Remove unnecessary privileged block from setAttribute.
I can't see anything in doSetAttribute that would trigger a security check.

Modified:
    tomcat/trunk/java/org/apache/jasper/runtime/PageContextImpl.java
    tomcat/trunk/java/org/apache/jasper/security/SecurityClassLoad.java

Modified: tomcat/trunk/java/org/apache/jasper/runtime/PageContextImpl.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/runtime/PageContextImpl.java?rev=1790465&r1=1790464&r2=1790465&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/runtime/PageContextImpl.java (original)
+++ tomcat/trunk/java/org/apache/jasper/runtime/PageContextImpl.java Thu Apr  6 
20:56:15 2017
@@ -19,8 +19,6 @@ package org.apache.jasper.runtime;
 
 import java.io.IOException;
 import java.io.Writer;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashMap;
@@ -51,7 +49,6 @@ import org.apache.jasper.Constants;
 import org.apache.jasper.compiler.Localizer;
 import org.apache.jasper.el.ELContextImpl;
 import org.apache.jasper.runtime.JspContextWrapper.ELContextWrapper;
-import org.apache.jasper.security.SecurityUtil;
 
 /**
  * Implementation of the PageContext class from the JSP spec. Also doubles as a
@@ -245,26 +242,12 @@ public class PageContextImpl extends Pag
     public void setAttribute(final String name, final Object o, final int 
scope) {
 
         if (name == null) {
-            throw new NullPointerException(Localizer
-                    .getMessage("jsp.error.attribute.null_name"));
+            throw new 
NullPointerException(Localizer.getMessage("jsp.error.attribute.null_name"));
         }
 
-        if (SecurityUtil.isPackageProtectionEnabled()) {
-            AccessController.doPrivileged(new PrivilegedAction<Void>() {
-                @Override
-                public Void run() {
-                    doSetAttribute(name, o, scope);
-                    return null;
-                }
-            });
+        if (o == null) {
+            removeAttribute(name, scope);
         } else {
-            doSetAttribute(name, o, scope);
-        }
-
-    }
-
-    private void doSetAttribute(String name, Object o, int scope) {
-        if (o != null) {
             switch (scope) {
             case PAGE_SCOPE:
                 attributes.put(name, o);
@@ -289,8 +272,6 @@ public class PageContextImpl extends Pag
             default:
                 throw new IllegalArgumentException("Invalid scope");
             }
-        } else {
-            removeAttribute(name, scope);
         }
     }
 

Modified: tomcat/trunk/java/org/apache/jasper/security/SecurityClassLoad.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/security/SecurityClassLoad.java?rev=1790465&r1=1790464&r2=1790465&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/security/SecurityClassLoad.java 
(original)
+++ tomcat/trunk/java/org/apache/jasper/security/SecurityClassLoad.java Thu Apr 
 6 20:56:15 2017
@@ -51,8 +51,6 @@ public final class SecurityClassLoad {
             loader.loadClass( basePackage + "runtime.ProtectedFunctionMapper");
 
             loader.loadClass( basePackage + "runtime.PageContextImpl");
-            loader.loadClass( basePackage + "runtime.PageContextImpl$1");
-            loader.loadClass( basePackage + "runtime.PageContextImpl$2");
 
             loader.loadClass( basePackage + "runtime.JspContextWrapper");
 



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org