svn commit: r791335 - in /tomcat: container/tc5.5.x/webapps/docs/changelog.xml jasper/tc5.5.x/src/share/org/apache/jasper/compiler/JspRuntimeContext.java

Sun, 05 Jul 2009 16:08:36 -0700 

Author: markt
Date: Sun Jul  5 23:08:11 2009
New Revision: 791335

URL: http://svn.apache.org/viewvc?rev=791335&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38352
Make temp dir writable to JSPs as well as servlets when running under a 
security manager

Modified:
    tomcat/container/tc5.5.x/webapps/docs/changelog.xml
    
tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/JspRuntimeContext.java

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=791335&r1=791334&r2=791335&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Sun Jul  5 23:08:11 2009
@@ -205,6 +205,11 @@
         (markt)
       </fix>
       <fix>
+        <bug>38352</bug>: Make the directory defined by
+        javax.servlet.context.tempdir readable for JSPs when running under a
+        security manager as required by the specification. (markt) 
+      </fix>
+      <fix>
         <bug>41606</bug>: Fix double initialisation of JSPs. Patch provided by
         Chris Halstead. (markt)
       </fix>

Modified: 
tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/JspRuntimeContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/JspRuntimeContext.java?rev=791335&r1=791334&r2=791335&view=diff
==============================================================================
--- 
tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/JspRuntimeContext.java
 (original)
+++ 
tomcat/jasper/tc5.5.x/src/share/org/apache/jasper/compiler/JspRuntimeContext.java
 Sun Jul  5 23:08:11 2009
@@ -384,16 +384,19 @@
                 docBase = docBase + "-";
                 permissionCollection.add(new FilePermission(docBase,"read"));
 
-                // Create a file read permission for web app tempdir (work)
-                // directory
+                // Spec says apps should have read/write for their temp
+                // directory. This is fine, as no security sensitive files, at
+                // least any that the app doesn't have full control of anyway,
+                // will be written here.
                 String workDir = options.getScratchDir().toString();
                 if (!workDir.endsWith(File.separator)){
                     permissionCollection.add
-                        (new FilePermission(workDir,"read"));
+                        (new FilePermission(workDir,"read,write"));
                     workDir = workDir + File.separator;
                 }
                 workDir = workDir + "-";
-                permissionCollection.add(new FilePermission(workDir,"read"));
+                permissionCollection.add(new FilePermission(
+                        workDir,"read,write,delete"));
 
                 // Allow the JSP to access 
org.apache.jasper.runtime.HttpJspBase
                 permissionCollection.add( new RuntimePermission(



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to