Author: markt Date: Thu Apr 6 22:06:15 2017 New Revision: 1790476 URL: http://svn.apache.org/viewvc?rev=1790476&view=rev Log: Remove unnecessary privileged block for getLocalizeMessage. I can't see anything in getLocalizeMessage that would trigger a security check. I checked back through the svn history and it was the JSP TCK that triggered this. I've been unable to recreate that issue with this method removed.
Modified: tomcat/trunk/java/org/apache/jasper/runtime/JspWriterImpl.java tomcat/trunk/java/org/apache/jasper/security/SecurityClassLoad.java tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/jasper/runtime/JspWriterImpl.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/runtime/JspWriterImpl.java?rev=1790476&r1=1790475&r2=1790476&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/runtime/JspWriterImpl.java (original)
+++ tomcat/trunk/java/org/apache/jasper/runtime/JspWriterImpl.java Thu Apr 6 22:06:15 2017
@@ -19,15 +19,12 @@ package org.apache.jasper.runtime;
 import java.io.IOException;
 import java.io.Writer;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import javax.servlet.ServletResponse;
 import javax.servlet.jsp.JspWriter;
 import org.apache.jasper.Constants;
 import org.apache.jasper.compiler.Localizer;
-import org.apache.jasper.security.SecurityUtil;
 /**
 * Write text to a character-output stream, buffering characters so as
@@ -119,19 +116,6 @@ public class JspWriterImpl extends JspWr
 }
 }
- private String getLocalizeMessage(final String message){
- if (SecurityUtil.isPackageProtectionEnabled()){
- return AccessController.doPrivileged(new PrivilegedAction<String>(){
- @Override
- public String run(){
- return Localizer.getMessage(message);
- }
- });
- } else {
- return Localizer.getMessage(message);
- }
- }
-
 /**
 * Discard the output buffer.
 */
@@ -140,10 +124,10 @@ public class JspWriterImpl extends JspWr
 if ((bufferSize == 0) && (out != null))
 // clear() is illegal after any unbuffered output (JSP.5.5)
 throw new IllegalStateException(
- getLocalizeMessage("jsp.error.ise_on_clear"));
+ Localizer.getMessage("jsp.error.ise_on_clear"));
 if (flushed)
 throw new IOException(
- getLocalizeMessage("jsp.error.attempt_to_clear_flushed_buffer"));
+ Localizer.getMessage("jsp.error.attempt_to_clear_flushed_buffer"));
 ensureOpen();
 nextChar = 0;
 }
@@ -152,13 +136,13 @@ public class JspWriterImpl extends JspWr
 public void clearBuffer() throws IOException {
 if (bufferSize == 0)
 throw new IllegalStateException(
- getLocalizeMessage("jsp.error.ise_on_clear"));
+ Localizer.getMessage("jsp.error.ise_on_clear"));
 ensureOpen();
 nextChar = 0;
 }
 private final void bufferOverflow() throws IOException {
- throw new IOException(getLocalizeMessage("jsp.error.overflow"));
+ throw new IOException(Localizer.getMessage("jsp.error.overflow"));
 }
 /**
Modified: tomcat/trunk/java/org/apache/jasper/security/SecurityClassLoad.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/security/SecurityClassLoad.java?rev=1790476&r1=1790475&r2=1790476&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/jasper/security/SecurityClassLoad.java (original)
+++ tomcat/trunk/java/org/apache/jasper/security/SecurityClassLoad.java Thu Apr 6 22:06:15 2017
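Review bot: The three message lookups in clear(), clearBuffer() and bufferOverflow() of JspWriterImpl.java (hunk `@@ -140,10 +124,10 @@` and the following `@@ -152,13 +136,13 @@`) now call `Localizer.getMessage(...)` without the privileged wrapper, so with package protection enabled they run with the calling JSP's protection domains on the stack. That is only safe if Localizer.getMessage, including whatever Localizer does on its first use, performs no permission-checked operation; Localizer is not part of this diff, so that cannot be confirmed from here, and the log records that the original TCK failure could not be reproduced rather than that its cause was identified. I would add a regression test that calls clear() on an already flushed writer from a JSP running under a SecurityManager, and leave a comment at the first call site such as `// No doPrivileged here: Localizer.getMessage() must not trigger a security check`. clear() starts above the first of these hunks, so its signature is not visible here.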
@@ -58,8 +58,6 @@ public final class SecurityClassLoad {
 SecurityUtil.isPackageProtectionEnabled();
 loader.loadClass( basePackage + "servlet.JspServletWrapper");
-
- loader.loadClass( basePackage + "runtime.JspWriterImpl$1");
 } catch (ClassNotFoundException ex) {
 log.error("SecurityClassLoad", ex);
 }
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1790476&r1=1790475&r2=1790476&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Apr 6 22:06:15 2017
@@ -65,6 +65,10 @@
 running HTTP connector where TLS is not enabled. (markt)
 </fix>
 <fix>
+ <bug>47214</bug>: Refactor code so that explicitly referenced inner
+ classes are given explit names rather than being anonymous. (markt)
+ </fix>
+ <fix>
 <bug>60940</bug>: Improve the handling of the <code>META-INF/</code>
 and <code>META-INF/MANIFEST.MF</code> entries for Jar files located in
 <code>/WEB-INF/lib</code> when running a web application from a packed
@@ -81,6 +85,10 @@
 <subsection name="Jasper">
 <changelog>
 <fix>
+ <bug>47214</bug>: Refactor code so that explicitly referenced inner
+ classes are given explit names rather than being anonymous. (markt)
+ </fix>
+ <fix>
 <bug>60925</bug>: Improve the handling of access to properties defined
 by interfaces when a <code>BeanELResolver</code> is used under a
 <code>SecurityManager</code>. (markt)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org