Groovy / GROOVY-7842

MarkupTemplateEngine totally broken when used with a Security Manager


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4.5, 2.4.6
    • Fix Version/s: 2.4.8
    • Component/s: Templating
    • Labels:
      None
    • Flags:
      Important

      Description

      TemplateServlet.java
      TemplateServlet.createAndStoreTemplate(String key, InputStream inputStream, File file)
      // ...
          Template template = engine.createTemplate(reader);
      
      MarkupTemplateEngine.java
          public Template createTemplate(final Reader reader) throws CompilationFailedException, ClassNotFoundException, IOException {
              return new MarkupTemplateMaker(reader, null, null);
          }
      

      Calls MarkupTemplateEngine.MarkupTemplateMaker

      MarkupTemplateEngine.java
              public MarkupTemplateMaker(final Reader reader, String sourceName, Map<String, String> modelTypes) {
                  String name = sourceName != null ? sourceName : "GeneratedMarkupTemplate" + counter.getAndIncrement();
                  templateClass = groovyClassLoader.parseClass(new GroovyCodeSource(reader, name, ""), modelTypes);
                  this.modeltypes = modelTypes;
              }
      

      Note: GroovyCodeSource(reader, name, "")

      GroovyCodeSource.java
          public GroovyCodeSource(Reader reader, String name, String codeBase) {
              this.name = name;
              this.codeSource = createCodeSource(codeBase);
      

      Note: createCodeSource(codeBase); -> createCodeSource("");

      GroovyCodeSource.java
          private static CodeSource createCodeSource(final String codeBase) {
              SecurityManager sm = System.getSecurityManager();
              if (sm != null) {
                  sm.checkPermission(new GroovyCodeSourcePermission(codeBase));
              }
      

      Note: GroovyCodeSourcePermission(codeBase) -> GroovyCodeSourcePermission("")

      GroovyCodeSourcePermission.java
      public final class GroovyCodeSourcePermission extends BasicPermission {
      
          public GroovyCodeSourcePermission(String name) {
              super(name);
          }
      
          // java.security.BasicPermission (JDK superclass of GroovyCodeSourcePermission)
          public BasicPermission(String name)
          {
              super(name);
              init(name);
          }
      
          /**
           * initialize a BasicPermission object. Common to all constructors.
           *
           */
          private void init(String name)
          {
              if (name == null)
                  throw new NullPointerException("name can't be null");
      
              int len = name.length();
      
              if (len == 0) {
                  throw new IllegalArgumentException("name can't be empty");
              }
      

      BOOM -> IllegalArgumentException

      In summary: MarkupTemplateMaker creates a GroovyCodeSource where codeBase is equal to "". BasicPermission does not allow names to have zero length, thus causing an exception.
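
The failure mode traced above, as an added example (not code from the Groovy project or from the reporter): `DemoCodeSourcePermission` and the name `/demo/codebase` are hypothetical stand-ins. It shows that an empty name is rejected while the permission object is being constructed, so even a wildcard grant cannot allow it, whereas a non-empty name reaches the policy decision.

```java
import java.security.BasicPermission;
import java.security.Permission;

public class EmptyCodeBaseDemo {

    // Hypothetical stand-in for GroovyCodeSourcePermission: same shape,
    // a BasicPermission subclass whose name is the codeBase string.
    static final class DemoCodeSourcePermission extends BasicPermission {
        DemoCodeSourcePermission(String name) {
            super(name);
        }
    }

    // Mirrors the permission construction inside createCodeSource(codeBase),
    // evaluated against a granted permission instead of a live SecurityManager.
    static String check(Permission granted, String codeBase) {
        try {
            Permission requested = new DemoCodeSourcePermission(codeBase);
            return granted.implies(requested) ? "allowed" : "denied by policy";
        } catch (IllegalArgumentException e) {
            // Thrown by BasicPermission.init before any policy is consulted.
            return "IllegalArgumentException: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed grants: the broadest wildcard and one specific name.
        Permission wildcard = new DemoCodeSourcePermission("*");
        Permission specific = new DemoCodeSourcePermission("/demo/codebase");

        // Empty codeBase, as passed by MarkupTemplateMaker: fails even under "*".
        System.out.println("empty name, wildcard grant      -> " + check(wildcard, ""));
        // Non-empty codeBase: the outcome is left to the policy.
        System.out.println("/demo/codebase, wildcard grant  -> " + check(wildcard, "/demo/codebase"));
        System.out.println("/demo/codebase, specific grant  -> " + check(specific, "/demo/codebase"));
        System.out.println("/other, specific grant          -> " + check(specific, "/other"));
    }
}
```

Because the exception is an argument error rather than an access denial, no policy-file grant works around it; the caller has to pass a non-empty codeBase.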

              People

              • Assignee: John Wagenleitner (jwagenleitner)
              • Reporter: Scott Murphy (alwaysvip)