This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push: new 530108c Security hardening. Deprecate getResources() and always return null. 530108c is described below commit 530108cb568ba7bb51594d0ecfc2421db2e4bf53 Author: Mark Thomas <ma...@apache.org> AuthorDate: Wed Mar 30 20:22:49 2022 +0100 Security hardening. Deprecate getResources() and always return null. This method is never used by Tomcat. If something accidently exposes the class loader then this method can be used to gain access to Tomcat internals.
---
 java/org/apache/catalina/loader/WebappClassLoaderBase.java | 7 ++++++-
 webapps/docs/changelog.xml | 6 ++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/loader/WebappClassLoaderBase.java b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
index 3d0ac44..e6d0707 100644
--- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
@@ -431,10 +431,15 @@ public abstract class WebappClassLoaderBase extends URLClassLoader
 // ------------------------------------------------------------- Properties
 /**
+ * Unused. Always returns {@code null}.
+ *
 * @return associated resources.
+ *
+ * @deprecated This will be removed in Tomcat 10.1.x onwards
 */
+ @Deprecated
 public WebResourceRoot getResources() {
- return this.resources;
+ return null;
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3c4c4d1..c9c2ab1 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
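Review bot: The retained `* @return associated resources.` line in the new Javadoc now contradicts the body, which returns `null` unconditionally; change it to `* @return always {@code null}; the loader's resources are no longer exposed through this accessor` so generated API docs and IDE tooltips do not suggest a usable value. External callers that still dereference the result will now fail at runtime with a NullPointerException rather than get a compile-time signal, so the `@deprecated` text could also state that the method has been a no-op since this release, not only that it will be removed in 10.1.x. Note that the removed line read `this.resources`, so the underlying field presumably remains in the class and readable by its own code; this change hardens only the public accessor, which matches the stated intent of closing the path via an accidentally exposed class loader.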
@@ -116,6 +116,12 @@ Harden the CredentialHandler implementations by switching to a constant-time implementation for credential comparisons. (schultz/markt)
 </scode>
+ <add>
+ Effectively disable the
+ <code>WebappClassLoaderBase.getResources()</code> method as it is not
+ used and if something accidently exposes the class loader this method
+ can be used to gain access to Tomcat internals. (markt)
+ </add>
 </changelog>
 </subsection>
 <subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org