author | Will Glass-Husain <wglass@forio.com> | 2020-07-16 22:09:42 -0700 |
committer | Will Glass-Husain <wglass@forio.com> | 2020-07-16 22:09:42 -0700 |
commit | 1ba60771d23dae7e6b3138ae6bee09cf6f9d2485 (patch) | |
tree | 7a9d94e038afdfca89220b5cf9db2ac05e698e1a /velocity-engine-core | |
parent | ad9109b40ca20d48955003dc8b0e5b669901ba7b (diff) | |
download | apache-velocity-engine-1ba60771d23dae7e6b3138ae6bee09cf6f9d2485.tar.gz |
disallow ClassLoader, Thread, and subclasses.
Diffstat (limited to 'velocity-engine-core')
-rw-r--r-- | velocity-engine-core/src/main/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java | 9 | ||||
-rw-r--r-- | velocity-engine-core/src/test/resources/oldproperties/velocity.properties | 7 |
2 files changed, 10 insertions, 6 deletions
diff --git a/velocity-engine-core/src/main/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java b/velocity-engine-core/src/main/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
index acc35636..65aa04cf 100644
--- a/velocity-engine-core/src/main/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+++ b/velocity-engine-core/src/main/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
@@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros
             return true;
         }
+        /**
+         * Always disallow ClassLoader, Thread and subclasses
+         */
+        if (ClassLoader.class.isAssignableFrom(clazz) ||
+            Thread.class.isAssignableFrom(clazz))
+        {
+            return false;
+        }
+
         /**
          * check the classname (minus any array info)
          * whether it matches disallowed classes or packages
diff --git a/velocity-engine-core/src/test/resources/oldproperties/velocity.properties b/velocity-engine-core/src/test/resources/oldproperties/velocity.properties
index b3b61a6e..65f8f561 100644
--- a/velocity-engine-core/src/test/resources/oldproperties/velocity.properties
+++ b/velocity-engine-core/src/test/resources/oldproperties/velocity.properties
@@ -222,13 +222,9 @@ runtime.conversion.handler.class = org.apache.velocity.util.introspection.TypeCo
 introspector.restrict.packages = java.lang.reflect
-# The two most dangerous classes
+## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
 introspector.restrict.classes = java.lang.Class
-introspector.restrict.classes = java.lang.ClassLoader
-
-# Restrict these for extra safety
-
 introspector.restrict.classes = java.lang.Compiler
 introspector.restrict.classes = java.lang.InheritableThreadLocal
 introspector.restrict.classes = java.lang.Package
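Review bot: The new unconditional denial is not reflected in the documentation of the enclosing check method, so an operator reading `introspector.restrict.classes` will not learn that ClassLoader and Thread are rejected no matter how the property is configured; the method's Javadoc should say so, e.g. `@implNote ClassLoader, Thread and all their subclasses are always denied, independent of the introspector.restrict.classes setting.` The commit also changes only a test properties file and adds no test, while a short test that passes a Thread subclass and a custom ClassLoader subclass through the check and asserts `false` would pin the guarantee the commit message promises. Note that `isAssignableFrom` sees the array class for types such as `Thread[]`, so such values fall through to the classname check below, which strips array info; this is presumably harmless because invoking a method on an element re-enters the check with the element's own class, but it is worth confirming against the caller. The enclosing method starts before and ends after this hunk.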
@@ -237,7 +233,6 @@ introspector.restrict.classes = java.lang.Runtime
 introspector.restrict.classes = java.lang.RuntimePermission
 introspector.restrict.classes = java.lang.SecurityManager
 introspector.restrict.classes = java.lang.System
-introspector.restrict.classes = java.lang.Thread
 introspector.restrict.classes = java.lang.ThreadGroup
 introspector.restrict.classes = java.lang.ThreadLocal