Author: markt Date: Fri May 18 07:56:10 2018 New Revision: 1831828 URL: http://svn.apache.org/viewvc?rev=1831828&view=rev Log: Ensure that the web application resources implementation does not incorrectly cache results for resources that are only visible as class loader resources.
Modified: tomcat/trunk/java/org/apache/catalina/webresources/Cache.java tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/webresources/Cache.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/Cache.java?rev=1831828&r1=1831827&r2=1831828&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/webresources/Cache.java (original) +++ tomcat/trunk/java/org/apache/catalina/webresources/Cache.java Fri May 18 07:56:10 2018 @@ -74,8 +74,8 @@ public class Cache { if (cacheEntry == null) { // Local copy to ensure consistency int objectMaxSizeBytes = getObjectMaxSizeBytes(); - CachedResource newCacheEntry = - new CachedResource(this, root, path, getTtl(), objectMaxSizeBytes); + CachedResource newCacheEntry = new CachedResource(this, root, path, getTtl(), + objectMaxSizeBytes, useClassLoaderResources); // Concurrent callers will end up with the same CachedResource // instance 
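Review bot: Recording `useClassLoaderResources` on the new entry only helps if every caller acts on the result of `validateResource`; the context comment in this hunk says concurrent callers end up with the same `CachedResource` instance, so a caller that loses the insertion race may be handed an entry created with the opposite flag value. The code after `// instance` is outside the hunk, so it cannot be confirmed from here whether a `false` return is honoured on that path; if it is ignored, a class-loader-only resource could still be returned for a static lookup, or the reverse. The same applies to the second call site at `@@ -134,8 +134,8 @@`. A short comment at both sites, such as `// Flag is recorded so validation can reject lookups made with the other value`, would make the dependency explicit.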
@@ -134,8 +134,8 @@ public class Cache { if (cacheEntry == null) { // Local copy to ensure consistency int objectMaxSizeBytes = getObjectMaxSizeBytes(); - CachedResource newCacheEntry = - new CachedResource(this, root, path, getTtl(), objectMaxSizeBytes); + CachedResource newCacheEntry = new CachedResource(this, root, path, getTtl(), + objectMaxSizeBytes, useClassLoaderResources); // Concurrent callers will end up with the same CachedResource // instance Modified: tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java?rev=1831828&r1=1831827&r2=1831828&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java (original) +++ tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java Fri May 18 07:56:10 2018 @@ -41,6 +41,7 @@ public class CachedResource implements W private final String webAppPath; private final long ttl; private final int objectMaxSizeBytes; + private final boolean usesClassLoaderResources; private volatile WebResource webResource; private volatile WebResource[] webResources; 
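Review bot: The new field `usesClassLoaderResources` in the `@@ -41,6 +41,7 @@` hunk is one letter away from the `useClassLoaderResources` parameter that `validateResource` takes, so the comparison added later in this commit is easy to misread, and a typo that compares the parameter with itself would still compile. A name that states what the field records, for example `createdWithClassLoaderResources`, or a one-line comment on the declaration such as `// Value of useClassLoaderResources used when this entry was created`, would remove the ambiguity. The class body continues outside the hunk.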
@@ -57,15 +58,27 @@ public class CachedResource implements W public CachedResource(Cache cache, StandardRoot root, String path, long ttl, - int objectMaxSizeBytes) { + int objectMaxSizeBytes, boolean usesClassLoaderResources) { this.cache = cache; this.root = root; this.webAppPath = path; this.ttl = ttl; this.objectMaxSizeBytes = objectMaxSizeBytes; + this.usesClassLoaderResources = usesClassLoaderResources; } protected boolean validateResource(boolean useClassLoaderResources) { + // It is possible that some resources will only be visible for a given + // value of useClassLoaderResources. Therefore, if the lookup is made + // with a different value of useClassLoaderResources than was used when + // creating the cache entry, invalidate the entry. This should have + // minimal performance impact as it would be unusual for a resource to + // be looked up both as a static resource and as a class loader + // resource. + if (usesClassLoaderResources != useClassLoaderResources) { + return false; + } + long now = System.currentTimeMillis(); if (webResource == null) { Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1831828&r1=1831827&r2=1831828&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri May 18 07:56:10 2018 @@ -96,6 +96,11 @@ <bug>62343</bug>: Make CORS filter defaults more secure. This is the fix for CVE-2018-8014. (markt) </fix> + <fix> + Ensure that the web application resources implementation does not + incorrectly cache results for resources that are only visible as class + loader resources. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
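Review bot: The mismatch check is added to `validateResource` only, while the second `Cache` call site at `@@ -134,8 +134,8 @@` also passes the flag into the constructor; if that path validates entries through a different method (none is shown in this diff), entries created there would still be served regardless of the flag they were created with. It is worth confirming that every validation method on `CachedResource` applies `if (usesClassLoaderResources != useClassLoaderResources) { return false; }` before consulting the TTL. Separately, because a mismatch invalidates the entry rather than caching one result per flag value, lookups that alternate between the two values will presumably evict each other on every call; the added comment accepts this as unusual, but it does not say what a caller should expect when it happens. `validateResource` continues past the end of the hunk.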