SLFO-pool/velocity
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ebef1f4292
velocity/velocity-1.7-CVE-2020-13936.patch

59 lines
2.3 KiB
Diff
Raw Blame History

--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
@@ -245,15 +245,15 @@
# accessed.
# ----------------------------------------------------------------------------
+# Prohibit reflection
introspector.restrict.packages = java.lang.reflect
-# The two most dangerous classes
+# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
-introspector.restrict.classes = java.lang.Class
-introspector.restrict.classes = java.lang.ClassLoader
-
-# Restrict these for extra safety
+# Restrict these system classes. Note that anything in this list is matched exactly.
+# (Subclasses must be explicitly named to be included).
+introspector.restrict.classes = java.lang.Class
introspector.restrict.classes = java.lang.Compiler
introspector.restrict.classes = java.lang.InheritableThreadLocal
introspector.restrict.classes = java.lang.Package
@@ -262,8 +262,15 @@
introspector.restrict.classes = java.lang.RuntimePermission
introspector.restrict.classes = java.lang.SecurityManager
introspector.restrict.classes = java.lang.System
-introspector.restrict.classes = java.lang.Thread
introspector.restrict.classes = java.lang.ThreadGroup
introspector.restrict.classes = java.lang.ThreadLocal
+# Restrict instance managers for common servlet containers (Tomcat, JBoss, Jetty)
+
+introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
+introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
+introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
+introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
+
+
--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
@@ -122,6 +122,15 @@
}
/**
+ * Always disallow ClassLoader, Thread and subclasses
+ */
+ if (ClassLoader.class.isAssignableFrom(clazz) ||
+ Thread.class.isAssignableFrom(clazz))
+ {
+ return false;
+ }
+
+ /**
* check the classname (minus any array info)
* whether it matches disallowed classes or packages
*/
Reference in New Issue View Git Blame Copy Permalink