rpms/velocity
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix for CVE-2020-13936

Browse Source
This commit is contained in:
Marian Koncek 2021-03-11 17:03:02 +01:00
parent 07a7640f65
commit a22a8f84a4
2 changed files with 79 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
0003-CVE-2020-13936.patch Normal file
View File

@ -0,0 +1,77 @@
From 3be84770e7fbe6f000f0c002905e86fe1412d551 Mon Sep 17 00:00:00 2001
From: Marian Koncek <mkoncek@redhat.com>
Date: Thu, 11 Mar 2021 16:22:50 +0100
Subject: [PATCH] CVE-2020-13936
From upstream patches:
https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485
https://github.com/apache/velocity-engine/commit/15909056fe51f5d39d49e101d706d3075876dde4
https://github.com/apache/velocity-engine/commit/3f5d477bb4f4397bed2d2926c35dcef7de3aae3e
---
.../velocity/runtime/defaults/velocity.properties | 15 ++++++++++-----
.../introspection/SecureIntrospectorImpl.java | 9 +++++++++
2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
index 855118b..a8a9231 100644
--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
@@ -245,15 +245,16 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec
# accessed.
# ----------------------------------------------------------------------------
+# Prohibit reflection
introspector.restrict.packages = java.lang.reflect
# The two most dangerous classes
+# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
-introspector.restrict.classes = java.lang.Class
-introspector.restrict.classes = java.lang.ClassLoader
-
-# Restrict these for extra safety
+# Restrict these system classes. Note that anything in this list is matched exactly.
+# (Subclasses must be explicitly named to be included).
+introspector.restrict.classes = java.lang.Class
introspector.restrict.classes = java.lang.Compiler
introspector.restrict.classes = java.lang.InheritableThreadLocal
introspector.restrict.classes = java.lang.Package
@@ -262,8 +263,12 @@ introspector.restrict.classes = java.lang.Runtime
introspector.restrict.classes = java.lang.RuntimePermission
introspector.restrict.classes = java.lang.SecurityManager
introspector.restrict.classes = java.lang.System
-introspector.restrict.classes = java.lang.Thread
introspector.restrict.classes = java.lang.ThreadGroup
introspector.restrict.classes = java.lang.ThreadLocal
+# Restrict instance managers for common servlet containers (Tomcat, JBoss, Jetty)
+introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
+introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
+introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
+introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
diff --git a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
index f317b1c..25fc84d 100644
--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
@@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros
return true;
}
+ /**
+ * Always disallow ClassLoader, Thread and subclasses
+ */
+ if (ClassLoader.class.isAssignableFrom(clazz) ||
+ Thread.class.isAssignableFrom(clazz))
+ {
+ return false;
+ }
+
/**
* check the classname (minus any array info)
* whether it matches disallowed classes or packages
--
2.29.2

2
velocity.spec
View File

@ -14,6 +14,7 @@ Source2: generate-tarball.sh
Patch1: 0001-Port-to-apache-commons-lang3.patch
Patch2: 0002-Force-use-of-JDK-log-chute.patch
Patch3: 0003-CVE-2020-13936.patch
BuildRequires: maven-local
BuildRequires: mvn(commons-collections:commons-collections)
@ -52,6 +53,7 @@ Javadoc for %{name}.
cp %{SOURCE1} ./pom.xml
%patch1 -p1
%patch2 -p1
%patch3 -p1
find . -name '*.jar' ! -name 'test*.jar' -print -delete
find . -name '*.class' ! -name 'Foo.class' -print -delete