61 lines
2.6 KiB
Diff
61 lines
2.6 KiB
Diff
From 3539136e0e1805164fb0a0c75248dd51e8a5672a Mon Sep 17 00:00:00 2001
|
|
From: Will Glass-Husain <wglass@forio.com>
|
|
Date: Thu, 16 Jul 2020 22:09:42 -0700
|
|
Subject: [PATCH] disallow ClassLoader, Thread, and subclasses.
|
|
|
|
---
|
|
.../apache/velocity/runtime/defaults/velocity.properties | 7 +------
|
|
.../util/introspection/SecureIntrospectorImpl.java | 9 +++++++++
|
|
2 files changed, 10 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
|
|
index 7fac119..504cbcc 100644
|
|
--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
|
|
+++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
|
|
@@ -247,13 +247,9 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec
|
|
|
|
introspector.restrict.packages = java.lang.reflect
|
|
|
|
-# The two most dangerous classes
|
|
+## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
|
|
|
|
introspector.restrict.classes = java.lang.Class
|
|
-introspector.restrict.classes = java.lang.ClassLoader
|
|
-
|
|
-# Restrict these for extra safety
|
|
-
|
|
introspector.restrict.classes = java.lang.Compiler
|
|
introspector.restrict.classes = java.lang.InheritableThreadLocal
|
|
introspector.restrict.classes = java.lang.Package
|
|
@@ -262,7 +258,6 @@ introspector.restrict.classes = java.lang.Runtime
|
|
introspector.restrict.classes = java.lang.RuntimePermission
|
|
introspector.restrict.classes = java.lang.SecurityManager
|
|
introspector.restrict.classes = java.lang.System
|
|
-introspector.restrict.classes = java.lang.Thread
|
|
introspector.restrict.classes = java.lang.ThreadGroup
|
|
introspector.restrict.classes = java.lang.ThreadLocal
|
|
|
|
diff --git a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
|
|
index f317b1c..6907c69 100644
|
|
--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
|
|
+++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
|
|
@@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros
|
|
return true;
|
|
}
|
|
|
|
+ /**
|
|
+ * Always disallow ClassLoader, Thread and subclasses
|
|
+ */
|
|
+ if (ClassLoader.class.isAssignableFrom(clazz) ||
|
|
+ Thread.class.isAssignableFrom(clazz))
|
|
+ {
|
|
+ return false;
|
|
+ }
|
|
+
|
|
/**
|
|
* check the classname (minus any array info)
|
|
* whether it matches disallowed classes or packages
|
|
--
|
|
2.23.0
|
|
|