Ignore some JSP options when running under a SecurityManager

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1758487 13f79535-47bb-0310-9956-ffa450edef68
apache · Aug 30, 2016 · f603f2f · f603f2f
1 parent e230535
commit f603f2f
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 4 deletions.
diff --git a/conf/web.xml b/conf/web.xml
@@ -163,6 +163,8 @@
   <!--   engineOptionsClass  Allows specifying the Options class used to    -->
   <!--                       configure Jasper. If not present, the default  -->
   <!--                       EmbeddedServletOptions will be used.           -->
+  <!--                       This option is ignored when running under a    -->
+  <!--                       SecurityManager.                               -->
   <!--                                                                      -->
   <!--   errorOnUseBeanInvalidClassAttribute                                -->
   <!--                       Should Jasper issue an error when the value of -->
@@ -224,6 +226,8 @@
   <!--   scratchdir          What scratch directory should we use when      -->
   <!--                       compiling JSP pages?  [default work directory  -->
   <!--                       for the current web application]               -->
+  <!--                       This option is ignored when running under a    -->
+  <!--                       SecurityManager.                               -->
   <!--                                                                      -->
   <!--   suppressSmap        Should the generation of SMAP info for JSR45   -->
   <!--                       debugging be suppressed?  [false]              -->

diff --git a/java/org/apache/jasper/EmbeddedServletOptions.java b/java/org/apache/jasper/EmbeddedServletOptions.java
@@ -660,6 +660,10 @@ public EmbeddedServletOptions(ServletConfig config, ServletContext context) {
          * scratchdir
          */
         String dir = config.getInitParameter("scratchdir");
+        if (dir != null && Constants.IS_SECURITY_ENABLED) {
+            log.info(Localizer.getMessage("jsp.info.ignoreSetting", "scratchdir", dir));
+            dir = null;
+        }
         if (dir != null) {
             scratchDir = new File(dir);
         } else {

diff --git a/java/org/apache/jasper/resources/LocalStrings.properties b/java/org/apache/jasper/resources/LocalStrings.properties
@@ -355,6 +355,7 @@ jsp.error.unbalanced.endtag=The end tag \"&lt;/{0}\" is unbalanced
 jsp.error.invalid.bean=The value for the useBean class attribute {0} is invalid.
 jsp.error.prefix.use_before_dcl=The prefix {0} specified in this tag directive has been previously used by an action in file {1} line {2}.
 jsp.error.lastModified=Unable to determine last modified date for file [{0}]
+jsp.info.ignoreSetting=Ignored setting for [{0}] of [{1}] because a SecurityManager was enabled
 
 jsp.exception=An exception occurred processing JSP page {0} at line {1}
 

diff --git a/java/org/apache/jasper/servlet/JspServlet.java b/java/org/apache/jasper/servlet/JspServlet.java
@@ -71,8 +71,8 @@ public class JspServlet extends HttpServlet implements PeriodicEventListener {
     private ServletConfig config;
     private transient Options options;
     private transient JspRuntimeContext rctxt;
-    //jspFile for a jsp configured explicitly as a servlet, in environments where this configuration is
-    //translated into an init-param for this servlet.
+    // jspFile for a jsp configured explicitly as a servlet, in environments where this
+    // configuration is translated into an init-param for this servlet.
     private String jspFile;
 
 
@@ -89,6 +89,11 @@ public void init(ServletConfig config) throws ServletException {
         // Initialize the JSP Runtime Context
         // Check for a custom Options implementation
         String engineOptionsName = config.getInitParameter("engineOptionsClass");
+        if (Constants.IS_SECURITY_ENABLED && engineOptionsName != null) {
+            log.info(Localizer.getMessage(
+                    "jsp.info.ignoreSetting", "engineOptionsClass", engineOptionsName));
+            engineOptionsName = null;
+        }
         if (engineOptionsName != null) {
             // Instantiate the indicated Options implementation
             try {

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -264,6 +264,10 @@
         <bug>60032</bug>: Fix handling of method calls that use varargs within
         EL value expressions. (markt)
       </fix>
+      <fix>
+        Ignore <code>engineOptionsClass</code> and <code>scratchdir</code> when
+        running under a security manager. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="WebSocket">

diff --git a/webapps/docs/jasper-howto.xml b/webapps/docs/jasper-howto.xml
@@ -132,7 +132,7 @@ default <code>true</code>.
 
 <li><strong>engineOptionsClass</strong> - Allows specifying the Options class
 used to configure Jasper. If not present, the default EmbeddedServletOptions
-will be used.
+will be used. This option is ignored if running under a SecurityManager.
 </li>
 
 <li><strong>errorOnUseBeanInvalidClassAttribute</strong> - Should Jasper issue
@@ -185,7 +185,7 @@ may be expensive and could lead to excessive resource usage.</li>
 
 <li><strong>scratchdir</strong> - What scratch directory should we use when
 compiling JSP pages? Default is the work directory for the current web
-application.</li>
+application. This option is ignored if running under a SecurityManager.</li>
 
 <li><strong>suppressSmap</strong> - Should the generation of SMAP info for JSR45
 debugging be suppressed? <code>true</code> or <code>false</code>, default