packages/velocity
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-13936

Browse Source
This commit is contained in:
wang_yue111 2021-04-23 15:45:52 +08:00
parent 4a483c57f6
commit 269fd925cc
4 changed files with 135 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
CVE-2020-13936-1.patch Normal file
View File

@ -0,0 +1,60 @@
From 3539136e0e1805164fb0a0c75248dd51e8a5672a Mon Sep 17 00:00:00 2001
From: Will Glass-Husain <wglass@forio.com>
Date: Thu, 16 Jul 2020 22:09:42 -0700
Subject: [PATCH] disallow ClassLoader, Thread, and subclasses.
---
.../apache/velocity/runtime/defaults/velocity.properties | 7 +------
.../util/introspection/SecureIntrospectorImpl.java | 9 +++++++++
2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
index 7fac119..504cbcc 100644
--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
@@ -247,13 +247,9 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec
introspector.restrict.packages = java.lang.reflect
-# The two most dangerous classes
+## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
introspector.restrict.classes = java.lang.Class
-introspector.restrict.classes = java.lang.ClassLoader
-
-# Restrict these for extra safety
-
introspector.restrict.classes = java.lang.Compiler
introspector.restrict.classes = java.lang.InheritableThreadLocal
introspector.restrict.classes = java.lang.Package
@@ -262,7 +258,6 @@ introspector.restrict.classes = java.lang.Runtime
introspector.restrict.classes = java.lang.RuntimePermission
introspector.restrict.classes = java.lang.SecurityManager
introspector.restrict.classes = java.lang.System
-introspector.restrict.classes = java.lang.Thread
introspector.restrict.classes = java.lang.ThreadGroup
introspector.restrict.classes = java.lang.ThreadLocal
diff --git a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
index f317b1c..6907c69 100644
--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
@@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros
return true;
}
+ /**
+ * Always disallow ClassLoader, Thread and subclasses
+ */
+ if (ClassLoader.class.isAssignableFrom(clazz) ||
+ Thread.class.isAssignableFrom(clazz))
+ {
+ return false;
+ }
+
/**
* check the classname (minus any array info)
* whether it matches disallowed classes or packages
--
2.23.0

41
CVE-2020-13936-2.patch Normal file
View File

@ -0,0 +1,41 @@
From cf85e450636afbe0408354ff04a4018659e64955 Mon Sep 17 00:00:00 2001
From: Will Glass-Husain <wglass@forio.com>
Date: Thu, 16 Jul 2020 22:31:22 -0700
Subject: [PATCH] update list of restricted classes
---
.../velocity/runtime/defaults/velocity.properties | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
index 504cbcc..fd1063a 100644
--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
@@ -245,9 +245,13 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec
# accessed.
# ----------------------------------------------------------------------------
+# Prohibit reflection
introspector.restrict.packages = java.lang.reflect
-## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
+# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
+
+# Restrict these system classes. Note that anything in this list is matched exactly.
+# (Subclasses must be explicitly named to be included).
introspector.restrict.classes = java.lang.Class
introspector.restrict.classes = java.lang.Compiler
@@ -261,4 +265,9 @@ introspector.restrict.classes = java.lang.System
introspector.restrict.classes = java.lang.ThreadGroup
introspector.restrict.classes = java.lang.ThreadLocal
+# Restrict instance managers for common servlet containers (Tomcat, JBoss, Jetty)
+
+introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
+introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
+introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
--
2.23.0

24
CVE-2020-13936-3.patch Normal file
View File

@ -0,0 +1,24 @@
From aa82d7d8ea65b80b486e1468883f4c352d78fded Mon Sep 17 00:00:00 2001
From: Will Glass-Husain <wglass@forio.com>
Date: Wed, 5 Aug 2020 20:59:36 -0700
Subject: [PATCH] add further tomcat class to restricted list
---
.../org/apache/velocity/runtime/defaults/velocity.properties | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
index fd1063a..5516d53 100644
--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
@@ -268,6 +268,7 @@ introspector.restrict.classes = java.lang.ThreadLocal
# Restrict instance managers for common servlet containers (Tomcat, JBoss, Jetty)
introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
+introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
--
2.23.0

12
velocity.spec
View File

@ -1,7 +1,7 @@
Name: velocity Name: velocity
Epoch: 0 Epoch: 0
Version: 1.7 Version: 1.7
Release: 25 Release: 26
Summary: Java-based template engine Summary: Java-based template engine
License: ASL 2.0 License: ASL 2.0
URL: http://velocity.apache.org/ URL: http://velocity.apache.org/
@ -19,6 +19,9 @@ Patch0005: 0001-Don-t-use-Werken-XPath.patch
Patch0006: 0006-Skip-Java-8-incompatible-test.patch Patch0006: 0006-Skip-Java-8-incompatible-test.patch
Patch0007: velocity-1.7-doclint.patch Patch0007: velocity-1.7-doclint.patch
Patch0008: velocity-1.7-osgi.patch Patch0008: velocity-1.7-osgi.patch
Patch0009: CVE-2020-13936-1.patch
Patch0010: CVE-2020-13936-2.patch
Patch0011: CVE-2020-13936-3.patch
BuildRequires: javapackages-local ant antlr junit ant-junit BuildRequires: javapackages-local ant antlr junit ant-junit
BuildRequires: apache-commons-collections apache-commons-logging apache-commons-lang BuildRequires: apache-commons-collections apache-commons-logging apache-commons-lang
@ -83,7 +86,9 @@ cp %{SOURCE1} ./pom.xml
%patch0006 -p1 %patch0006 -p1
%patch0007 -p1 %patch0007 -p1
%patch0008 -p1 %patch0008 -p1
%patch0009 -p1
%patch0010 -p1
%patch0011 -p1
%build %build
export CLASSPATH=$(build-classpath antlr apache-commons-collections \ export CLASSPATH=$(build-classpath antlr apache-commons-collections \
@ -121,6 +126,9 @@ cp -pr examples test %{buildroot}%{_datadir}/%{name}
%changelog %changelog
* Fri Apr 23 2021 wangyue <wangyue92@huawei.com> - 1.7-26
- Fix CVE-2020-13936
* Wed Dec 04 2019 zoushuangshuang<zoushuangshuang@huawei.com> - 1.7-25 * Wed Dec 04 2019 zoushuangshuang<zoushuangshuang@huawei.com> - 1.7-25
- Package init - Package init