File _service:obs_scm:CVE-2020-13936-1.patch of Package velocity
From 3539136e0e1805164fb0a0c75248dd51e8a5672a Mon Sep 17 00:00:00 2001 From: Will Glass-Husain <wglass@forio.com> Date: Thu, 16 Jul 2020 22:09:42 -0700 Subject: [PATCH] disallow ClassLoader, Thread, and subclasses. --- .../apache/velocity/runtime/defaults/velocity.properties | 7 +------ .../util/introspection/SecureIntrospectorImpl.java | 9 +++++++++ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties index 7fac119..504cbcc 100644 --- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties +++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties @@ -247,13 +247,9 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec introspector.restrict.packages = java.lang.reflect -# The two most dangerous classes +## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl introspector.restrict.classes = java.lang.Class -introspector.restrict.classes = java.lang.ClassLoader - -# Restrict these for extra safety - introspector.restrict.classes = java.lang.Compiler introspector.restrict.classes = java.lang.InheritableThreadLocal introspector.restrict.classes = java.lang.Package @@ -262,7 +258,6 @@ introspector.restrict.classes = java.lang.Runtime introspector.restrict.classes = java.lang.RuntimePermission introspector.restrict.classes = java.lang.SecurityManager introspector.restrict.classes = java.lang.System -introspector.restrict.classes = java.lang.Thread introspector.restrict.classes = java.lang.ThreadGroup introspector.restrict.classes = java.lang.ThreadLocal diff --git a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java index f317b1c..6907c69 100644 --- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java 
+++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java @@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros return true; } + /** + * Always disallow ClassLoader, Thread and subclasses + */ + if (ClassLoader.class.isAssignableFrom(clazz) || + Thread.class.isAssignableFrom(clazz)) + { + return false; + } + /** * check the classname (minus any array info) * whether it matches disallowed classes or packages -- 2.23.0
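Review bot: in the first velocity.properties hunk (@@ -247,13), dropping `introspector.restrict.classes = java.lang.ClassLoader` means the configuration file on its own no longer denies that class; the replacement comment delegates to SecureIntrospectorImpl, so a deployment that swaps in a different uberspector, or an operator who reads this file as the authoritative deny list, loses the ClassLoader restriction. Keeping the entry alongside the code check is harmless and preserves defence in depth. The same hunk also deletes the `# Restrict these for extra safety` line, which leaves the entries from `java.lang.Compiler` onward without the comment that explained their purpose; consider restoring it.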
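Review bot: the second velocity.properties hunk (@@ -262,7) removes `java.lang.Thread` while `java.lang.ThreadGroup` and `java.lang.ThreadLocal` stay listed by exact name, so the property mechanism still matches class names only and subclass coverage for Thread now comes solely from the Java change. Either keep the Thread line for redundancy or extend the comment above the list to say that Thread remains blocked even though it is no longer listed here, so the omission is not mistaken for a regression.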
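Review bot: the SecureIntrospectorImpl.java hunk introduces its new check with a Javadoc-style `/** ... */` block inside a method body; use `//` or `/* ... */` so documentation tooling does not pick it up. The `isAssignableFrom` test is the right tool here, since it covers the whole class hierarchy where the name comparison that follows ("check the classname (minus any array info)") does not; note though that it runs before that array handling, and an array class such as `Thread[].class` is not assignable to `Thread.class`, so if array types of these classes should also be rejected the check would need to look at the component type. A unit test asserting that a Thread subclass and a custom ClassLoader subclass are both rejected by this method would document the behaviour the commit message promises.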