From 45b1f5a3f76b8a2488a3abc3718c0d08a20192ef84cbc2ee0bc65859eb0614e3 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Thu, 7 Apr 2022 17:49:31 +0000
Subject: [PATCH] Accepting request 967485 from home:mbussolotto:branches:Java:packages

- Security hardening. Deprecate getResources() and always return null. (bsc#1198136)
- Added patch: tomcat-9.0-hardening_getResources.patch

OBS-URL: https://build.opensuse.org/request/show/967485
OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=236
---
 tomcat-9.0-hardening_getResources.patch | 51 +++++++++++++++++++++++++
 tomcat.changes | 6 +++
 tomcat.spec | 2 +
 3 files changed, 59 insertions(+)
 create mode 100644 tomcat-9.0-hardening_getResources.patch

diff --git a/tomcat-9.0-hardening_getResources.patch b/tomcat-9.0-hardening_getResources.patch
new file mode 100644
index 0000000..325fa0b
--- /dev/null
+++ b/tomcat-9.0-hardening_getResources.patch
@@ -0,0 +1,51 @@
+From 8a904f6065080409a1e00606cd7bceec6ad8918c Mon Sep 17 00:00:00 2001
+From: Mark Thomas
+Date: Wed, 30 Mar 2022 20:22:49 +0100
+Subject: [PATCH] Security hardening. Deprecate getResources() and always
+ return null.
+
+This method is never used by Tomcat. If something accidently exposes the
+class loader then this method can be used to gain access to Tomcat
+internals.
+---
+ .../apache/catalina/loader/WebappClassLoaderBase.java | 7 ++++++-
+ webapps/docs/changelog.xml | 10 ++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/loader/WebappClassLoaderBase.java
++++ apache-tomcat-9.0.43-src/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+@@ -425,10 +425,15 @@ public abstract class WebappClassLoaderB
+ // ------------------------------------------------------------- Properties
+
+ /**
++ * Unused. Always returns {@code null}.
++ *
+ * @return associated resources.
++ *
++ * @deprecated This will be removed in Tomcat 10.1.x onwards
+ */
++ @Deprecated
+ public WebResourceRoot getResources() {
+- return this.resources;
++ return null;
+ }
+
+
+Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
++++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
+@@ -106,6 +106,12 @@
+
+
+
++
++ Effectively disable the
++ WebappClassLoaderBase.getResources() method as it is not
++ used and if something accidently exposes the class loader this method
++ can be used to gain access to Tomcat internals. (markt)
++
+
+ 63508: NPE in JNDIRealm when no userRoleAttribute
+ is given. (fschumacher)
diff --git a/tomcat.changes b/tomcat.changes
index ff0c9b6..28a15c8 100644
--- a/tomcat.changes
+++ b/tomcat.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Apr 7 08:48:46 UTC 2022 - Michele Bussolotto
+
+- Security hardening. Deprecate getResources() and always return null. (bsc#1198136)
+- Added patch: tomcat-9.0-hardening_getResources.patch
+
 -------------------------------------------------------------------
 Wed Feb 23 11:57:30 UTC 2022 - Fridrich Strba
diff --git a/tomcat.spec b/tomcat.spec
index e959933..4103223 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -87,6 +87,7 @@ Patch8: tomcat-9.0-CVE-2021-33037.patch
 Patch9: tomcat-9.0-CVE-2021-30640.patch
 Patch10: tomcat-9.0-NPE-JNDIRealm.patch
 Patch11: tomcat-9.0-CVE-2022-23181.patch
+Patch12: tomcat-9.0-hardening_getResources.patch
 BuildRequires: ant >= 1.8.1
 BuildRequires: ant-antlr
@@ -264,6 +265,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
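Review bot: The backported `WebappClassLoaderBase` hunk makes `getResources()` return `null` on a 9.0.43 base, whereas the upstream commit's "never used by Tomcat" statement was made against a newer tree; before shipping, it is worth confirming with a source search that nothing in the 9.0.43 sources, or in the other patches listed in tomcat.spec, calls `getResources()` on this class, since any such caller would now dereference `null`. The `resources` field itself is left in place, so in-class uses of `this.resources` are unaffected and the hardening only closes the public accessor. The `@deprecated This will be removed in Tomcat 10.1.x onwards` text is inherited from upstream and is accurate for that line, but a distro reader may appreciate the bsc#1198136 reference being repeated in the patch header so the reason for the behaviour change is visible from the patch alone. The remaining hunks (changelog.xml, tomcat.changes, the two tomcat.spec hunks) are registration and changelog plumbing and raise nothing.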