This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new 1abcf3f  Security hardening. Deprecate getResources() and always 
return null.
1abcf3f is described below

commit 1abcf3f4d741c824ae490009fe32ce300f10eddc
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Mar 30 20:22:49 2022 +0100

    Security hardening. Deprecate getResources() and always return null.
    
    This method is never used by Tomcat. If something accidentally exposes the
    class loader then this method can be used to gain access to Tomcat
    internals.
---
 java/org/apache/catalina/loader/WebappClassLoaderBase.java | 7 ++++++-
 webapps/docs/changelog.xml                                 | 6 ++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/loader/WebappClassLoaderBase.java 
b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
index b10d4fc..0a0053e 100644
--- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
@@ -428,10 +428,15 @@ public abstract class WebappClassLoaderBase extends 
URLClassLoader
     // ------------------------------------------------------------- Properties
 
     /**
+     * Unused. Always returns {@code null}.
+     *
      * @return associated resources.
+     *
+     * @deprecated This will be removed in Tomcat 10.1.x onwards
      */
+    @Deprecated
     public WebResourceRoot getResources() {
-        return this.resources;
+        return null;
     }
 
 
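Review bot: The `@return associated resources.` tag kept on the new side now contradicts the body, which unconditionally returns `null`; change it to `@return always {@code null}` so the generated Javadoc agrees with the summary line added above it. Because the method keeps its `WebResourceRoot` signature, external code that used to dereference the result will now fail with a NullPointerException at runtime rather than at compile time, and the `@Deprecated` annotation is the only signal it gets, so the deprecation text should say so explicitly, e.g. `@deprecated Always returns {@code null}; this will be removed in Tomcat 10.1.x onwards`. The `resources` field itself is presumably still read by other methods of the class, so the field should stay — the enclosing class `WebappClassLoaderBase` starts before this hunk and continues after it.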
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8115d94..61180d2 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -113,6 +113,12 @@
         for an alternative setter with the same name that accepts a
         <code>String</code>. This is a security hardening measure. (markt)
       </fix>
+      <add>
+         Effectively disable the
+         <code>WebappClassLoaderBase.getResources()</code> method as it is not
+         used and if something accidently exposes the class loader this method
+         can be used to gain access to Tomcat internals. (markt)
+      </add>
     </changelog>
   </subsection>
 </section>
