svn commit: r788151 - in /tomcat/tc6.0.x/trunk: ./ STATUS.txt java/org/apache/jasper/compiler/JspRuntimeContext.java webapps/docs/changelog.xml

Wed, 24 Jun 2009 12:36:15 -0700 

Author: markt
Date: Wed Jun 24 19:35:51 2009
New Revision: 788151

URL: http://svn.apache.org/viewvc?rev=788151&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38352
JSPs should have read/write access to the context's temp dir when running under 
a security manager

Modified:
    tomcat/tc6.0.x/trunk/   (props changed)
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspRuntimeContext.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Jun 24 19:35:51 2009
@@ -1 +1 @@
-/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,753039,757335,757774,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770809,770876,776921,776924,776935,776945,777464,77
 
7466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,784453,784602,784614,785381,785688,785768,785859,786468,786487,786667,787627,787770
+/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,753039,757335,757774,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770809,770876,776921,776924,776935,776945,777464,77
 
7466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=788151&r1=788150&r2=788151&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Jun 24 19:35:51 2009
@@ -118,14 +118,6 @@
   +1: fhanik, markt, mturk
   -1: 
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38352
-  JSPs should have read/write access to the context's temp dir
-  http://svn.apache.org/viewvc?rev=786490&view=rev
-  +1: markt, fhanik
-  +1: mturk - however I agree with Bill Barker this needs further research
-              because it can bloat the tmp dir.
-  -1: 
-
 * Update to Apache Commons Pool 1.5.1
   Various fixes to prevent deadlocks, reduce syncs and make object allocation
   occur fair - ie objects are allocated to threads in the order that the 
threads

Modified: 
tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspRuntimeContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspRuntimeContext.java?rev=788151&r1=788150&r2=788151&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspRuntimeContext.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/JspRuntimeContext.java 
Wed Jun 24 19:35:51 2009
@@ -393,16 +393,19 @@
                 docBase = docBase + "-";
                 permissionCollection.add(new FilePermission(docBase,"read"));
 
-                // Create a file read permission for web app tempdir (work)
-                // directory
+                // Spec says apps should have read/write for their temp
+                // directory. This is fine, as no security sensitive files, at
+                // least any that the app doesn't have full control of anyway,
+                // will be written here.
                 String workDir = options.getScratchDir().toString();
                 if (!workDir.endsWith(File.separator)){
                     permissionCollection.add
-                        (new FilePermission(workDir,"read"));
+                        (new FilePermission(workDir,"read,write"));
                     workDir = workDir + File.separator;
                 }
                 workDir = workDir + "-";
-                permissionCollection.add(new FilePermission(workDir,"read"));
+                permissionCollection.add(new FilePermission(
+                        workDir,"read,write,delete"));
 
                 // Allow the JSP to access 
org.apache.jasper.runtime.HttpJspBase
                 permissionCollection.add( new RuntimePermission(

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=788151&r1=788150&r2=788151&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Jun 24 19:35:51 2009
@@ -53,6 +53,11 @@
         (markt)
       </fix>
       <fix>
+        <bug>38352</bug>: Allow JSPs to write to the directory defined by
+        <code>javax.servlet.context.tempdir</code> when running under a 
security
+        manager. (markt)
+      </fix>
+      <fix>
         <bug>43343</bug>: Fix additional concurrency issues identified with the
         persistent session manager. (markt)
       </fix>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to