Fix security issues

Kin Man Chung · Kin Man Chung · commit 77069585c12d · 2014-07-23T17:16:20.000Z
svn path=/trunk/; revision=1478
diff --git a/impl/pom.xml b/impl/pom.xml
@@ -291,7 +291,7 @@
         <dependency>
             <groupId>org.glassfish</groupId>
             <artifactId>javax.el</artifactId>
-            <version>[3.0.1-b02,)</version>
+            <version>[3.0.1-b05,)</version>
         </dependency>
         <dependency>
             <groupId>javax.servlet.jsp</groupId>
diff --git a/impl/src/main/java/org/apache/jasper/Constants.java b/impl/src/main/java/org/apache/jasper/Constants.java
@@ -291,6 +291,14 @@ public class Constants {
      * The name of the JSP engine.  Used for X-Powered-By identification in
      * the response header
      */
-    public static final String JSP_NAME = "JSP/2.2";
+    public static final String JSP_NAME = "JSP/2.3";
+
+    /**
+     * Name of the ServletContext init-param that determines if the XML parsers
+     * will block the resolution of external entities.
+     */
+    public static final String XML_BLOCK_EXTERNAL_INIT_PARAM =
+            "org.apache.jasper.XML_BLOCK_EXTERNAL";
+
 }
 
diff --git a/impl/src/main/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java b/impl/src/main/java/org/apache/jasper/compiler/ImplicitTagLibraryInfo.java
@@ -255,7 +255,9 @@ private void parseImplicitTld(JspCompilationContext ctxt, String path)
             tld = new ParserUtils().parseXMLDocument(IMPLICIT_TLD, is);
             */
             // START SJSAS 6384538
-            tld = new ParserUtils().parseXMLDocument(
+            boolean blockExternal = Boolean.parseBoolean(ctxt.getServletContext()
+                   .getInitParameter(Constants.XML_BLOCK_EXTERNAL_INIT_PARAM));
+            tld = new ParserUtils(blockExternal).parseXMLDocument(
                 IMPLICIT_TLD, is, ctxt.getOptions().isValidationEnabled());
             // END SJSAS 6384538
         } catch (Exception ex) {
diff --git a/impl/src/main/java/org/apache/jasper/compiler/JspDocumentParser.java b/impl/src/main/java/org/apache/jasper/compiler/JspDocumentParser.java
@@ -69,6 +69,7 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.jar.JarFile;
+import java.security.AccessController;
 
 import javax.servlet.jsp.tagext.TagFileInfo;
 import javax.servlet.jsp.tagext.TagInfo;
@@ -77,6 +78,9 @@
 import javax.xml.parsers.SAXParserFactory;
 
 import org.apache.jasper.JasperException;
+import org.apache.jasper.Constants;
+import org.apache.jasper.security.PrivilegedGetTccl;
+import org.apache.jasper.security.PrivilegedSetTccl;
 import org.apache.jasper.JspCompilationContext;
 import org.xml.sax.Attributes;
 import org.xml.sax.InputSource;
@@ -1456,24 +1460,49 @@ private static SAXParser getSAXParser(
         JspDocumentParser jspDocParser)
         throws Exception {
 
-        SAXParserFactory factory = SAXParserFactory.newInstance();
-        factory.setNamespaceAware(true);
-
-        // Preserve xmlns attributes
-        factory.setFeature(
-            "http://xml.org/sax/features/namespace-prefixes",
-            true);
-        factory.setFeature(
-            "http://xml.org/sax/features/validation",
-            validating);
-
-        // Configure the parser
-        SAXParser saxParser = factory.newSAXParser();
-        XMLReader xmlReader = saxParser.getXMLReader();
-        xmlReader.setProperty(LEXICAL_HANDLER_PROPERTY, jspDocParser);
-        xmlReader.setErrorHandler(jspDocParser);
+        ClassLoader original;
+        if (Constants.IS_SECURITY_ENABLED) {
+            PrivilegedGetTccl pa = new PrivilegedGetTccl();
+            original = AccessController.doPrivileged(pa);
+        } else {
+            original = Thread.currentThread().getContextClassLoader();
+        }
+        try {
+            if (Constants.IS_SECURITY_ENABLED) {
+                PrivilegedSetTccl pa =
+                        new PrivilegedSetTccl(JspDocumentParser.class.getClassLoader());
+                AccessController.doPrivileged(pa);
+            } else {
+                Thread.currentThread().setContextClassLoader(
+                        JspDocumentParser.class.getClassLoader());
+            }
 
-        return saxParser;
+            SAXParserFactory factory = SAXParserFactory.newInstance();
+            factory.setNamespaceAware(true);
+
+            // Preserve xmlns attributes
+            factory.setFeature(
+                "http://xml.org/sax/features/namespace-prefixes",
+                true);
+            factory.setFeature(
+                "http://xml.org/sax/features/validation",
+                validating);
+
+            // Configure the parser
+            SAXParser saxParser = factory.newSAXParser();
+            XMLReader xmlReader = saxParser.getXMLReader();
+            xmlReader.setProperty(LEXICAL_HANDLER_PROPERTY, jspDocParser);
+            xmlReader.setErrorHandler(jspDocParser);
+
+            return saxParser;
+        } finally {
+            if (Constants.IS_SECURITY_ENABLED) {
+                PrivilegedSetTccl pa = new PrivilegedSetTccl(original);
+                AccessController.doPrivileged(pa);
+            } else {
+                Thread.currentThread().setContextClassLoader(original);
+            }
+        }
     }
 
     /*
diff --git a/impl/src/main/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java b/impl/src/main/java/org/apache/jasper/compiler/TagLibraryInfoImpl.java
@@ -336,8 +336,11 @@ private void parseTLD(JspCompilationContext ctxt,
             new HashMap<String, FunctionInfo>();
 
         // Create an iterator over the child elements of our <taglib> element
-        ParserUtils pu = new ParserUtils();
-        TreeNode tld = pu.parseXMLDocument(uri, in);
+        boolean blockExternal = Boolean.parseBoolean(ctxt.getServletContext()
+                   .getInitParameter(Constants.XML_BLOCK_EXTERNAL_INIT_PARAM));
+        ParserUtils pu = new ParserUtils(blockExternal);
+        TreeNode tld = pu.parseXMLDocument(uri, in,
+                            ctxt.getOptions().isValidationEnabled());
 
 	// Check to see if the <taglib> root element contains a 'version'
 	// attribute, which was added in JSP 2.0 to replace the <jsp-version>
diff --git a/impl/src/main/java/org/apache/jasper/compiler/TagPluginManager.java b/impl/src/main/java/org/apache/jasper/compiler/TagPluginManager.java
@@ -62,6 +62,7 @@
 import java.io.*;
 import javax.servlet.ServletContext;
 
+import org.apache.jasper.Constants;
 import org.apache.jasper.JasperException;
 import org.apache.jasper.xmlparser.ParserUtils;
 import org.apache.jasper.xmlparser.TreeNode;
@@ -115,7 +116,9 @@ private void init(ErrorDispatcher err) throws JasperException {
 	if (is == null)
 	    return;
 
-	TreeNode root = (new ParserUtils()).parseXMLDocument(TAG_PLUGINS_XML,
+        boolean blockExternal = Boolean.parseBoolean(ctxt.getInitParameter(
+                                    Constants.XML_BLOCK_EXTERNAL_INIT_PARAM));
+	TreeNode root = (new ParserUtils(blockExternal)).parseXMLDocument(TAG_PLUGINS_XML,
 							     is);
 	if (root == null) {
 	    return;
diff --git a/impl/src/main/java/org/apache/jasper/runtime/TldScanner.java b/impl/src/main/java/org/apache/jasper/runtime/TldScanner.java
@@ -186,6 +186,7 @@ public class TldScanner implements ServletContainerInitializer {
     private boolean useMyFaces = false;
     private boolean scanListeners;  // true if scan tlds for listeners
     private boolean doneScanning;   // true if all tld scanning done
+    private boolean blockExternal;  // Don't allow external entities
 
 
     //*********************************************************************
@@ -218,6 +219,8 @@ public TldScanner(ServletContext ctxt, boolean isValidationEnabled) {
         if (b != null) {
             useMyFaces = b.booleanValue();
         }
+        blockExternal = Boolean.parseBoolean(ctxt.getInitParameter(
+                            Constants.XML_BLOCK_EXTERNAL_INIT_PARAM));
     }
 
 
@@ -597,7 +600,7 @@ private TldInfo scanTld(String resourcePath, String entryName,
                 throws JasperException {
         try {
             // Parse the tag library descriptor at the specified resource path
-            TreeNode tld = new ParserUtils().parseXMLDocument(
+            TreeNode tld = new ParserUtils(blockExternal).parseXMLDocument(
                                 resourcePath, stream, isValidationEnabled);
 
             String uri = null;
diff --git a/impl/src/main/java/org/apache/jasper/security/PrivilegedGetTccl.java b/impl/src/main/java/org/apache/jasper/security/PrivilegedGetTccl.java
@@ -0,0 +1,71 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2014 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ *
+ *
+ * This file incorporates work covered by the following copyright and
+ * permission notice:
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.jasper.security;
+
+import java.security.PrivilegedAction;
+
+public class PrivilegedGetTccl implements PrivilegedAction<ClassLoader> {
+    @Override
+    public ClassLoader run() {
+        return Thread.currentThread().getContextClassLoader();
+    }
+}
+
+
diff --git a/impl/src/main/java/org/apache/jasper/security/PrivilegedSetTccl.java b/impl/src/main/java/org/apache/jasper/security/PrivilegedSetTccl.java
@@ -0,0 +1,77 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2014 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ *
+ *
+ * This file incorporates work covered by the following copyright and
+ * permission notice:
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.jasper.security;
+
+import java.security.PrivilegedAction;
+
+public class PrivilegedSetTccl implements PrivilegedAction<Void> {
+
+    private ClassLoader cl;
+
+    public PrivilegedSetTccl(ClassLoader cl) {
+        this.cl = cl;
+    }
+
+    @Override
+    public Void run() {
+        Thread.currentThread().setContextClassLoader(cl);
+        return null;
+    }
+}
diff --git a/impl/src/main/java/org/apache/jasper/xmlparser/ParserUtils.java b/impl/src/main/java/org/apache/jasper/xmlparser/ParserUtils.java
