  1. Groovy
  2. GROOVY-7842

MarkupTemplateEngine totally broken when used with a Security Manager

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4.5, 2.4.6
    • Fix Version/s: 2.4.8
    • Component/s: Templating
    • Labels: None
    • Flags: Important

    Description

      TemplateServlet.java
      TemplateServlet.createAndStoreTemplate(String key, InputStream inputStream, File file)
      // ...
          Template template = engine.createTemplate(reader);
      
      MarkupTemplateEngine.java
          public Template createTemplate(final Reader reader) throws CompilationFailedException, ClassNotFoundException, IOException {
              return new MarkupTemplateMaker(reader, null, null);
          }
      

      Calls MarkupTemplateEngine.MarkupTemplateMaker

      MarkupTemplateEngine.java
              public MarkupTemplateMaker(final Reader reader, String sourceName, Map<String, String> modelTypes) {
                  String name = sourceName != null ? sourceName : "GeneratedMarkupTemplate" + counter.getAndIncrement();
                  templateClass = groovyClassLoader.parseClass(new GroovyCodeSource(reader, name, ""), modelTypes);
                  this.modeltypes = modelTypes;
              }
      

      Note: GroovyCodeSource(reader, name, "")

      GroovyCodeSource.java
          public GroovyCodeSource(Reader reader, String name, String codeBase) {
              this.name = name;
              this.codeSource = createCodeSource(codeBase);
      

      Note: createCodeSource(codeBase); -> createCodeSource("");

      GroovyCodeSource.java
          private static CodeSource createCodeSource(final String codeBase) {
              SecurityManager sm = System.getSecurityManager();
              if (sm != null) {
                  sm.checkPermission(new GroovyCodeSourcePermission(codeBase));
              }
      

      Note: GroovyCodeSourcePermission(codeBase) -> GroovyCodeSourcePermission("")

      GroovyCodeSourcePermission.java
      public final class GroovyCodeSourcePermission extends BasicPermission {
      
          public GroovyCodeSourcePermission(String name) {
              super(name);
          }
          // ...
      }
      
      BasicPermission.java (java.security, JDK)
          public BasicPermission(String name)
          {
              super(name);
              init(name);
          }
      
          /**
           * initialize a BasicPermission object. Common to all constructors.
           *
           */
          private void init(String name)
          {
              if (name == null)
                  throw new NullPointerException("name can't be null");
      
              int len = name.length();
      
              if (len == 0) {
                  throw new IllegalArgumentException("name can't be empty");
              }
              // ...
          }
      

      BOOM -> IllegalArgumentException

      In summary: MarkupTemplateMaker creates a GroovyCodeSource where codeBase is equal to "". BasicPermission does not allow names to have zero length thus causing an exception.
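
      The call chain traced above, reduced to a stand-alone program. This is an added example, not code from the report or from Groovy. DemoCodeSourcePermission and the Consumer-based checker are hypothetical stand-ins for GroovyCodeSourcePermission and SecurityManager.checkPermission, used so the program runs on JDKs where a security manager can no longer be installed. It shows that the permission object is constructed before the check is invoked, so with an empty codeBase the policy is never consulted and no grant can avoid the exception.

```java
import java.security.BasicPermission;
import java.util.function.Consumer;

public class EmptyCodeBaseDemo {

    // Hypothetical stand-in for groovy.security.GroovyCodeSourcePermission.
    static final class DemoCodeSourcePermission extends BasicPermission {
        DemoCodeSourcePermission(String name) {
            super(name); // BasicPermission rejects null and "" in its constructor
        }
    }

    // Same shape as the guarded branch in createCodeSource. 'checker' stands in
    // for SecurityManager.checkPermission; null means no security manager.
    static String createCodeSource(String codeBase, Consumer<BasicPermission> checker) {
        if (checker == null) {
            return "no security manager: permission never constructed";
        }
        try {
            // The argument is evaluated before the check itself is invoked.
            checker.accept(new DemoCodeSourcePermission(codeBase));
            return "policy consulted";
        } catch (IllegalArgumentException e) {
            return "failed before policy was consulted: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        int[] checks = {0};
        Consumer<BasicPermission> countingChecker = p -> checks[0]++;

        // Constructed inputs: "" is the value the report traces;
        // "/groovy/script" is a sample non-empty codebase.
        for (String codeBase : new String[] {"", "/groovy/script"}) {
            System.out.printf("codeBase=\"%s\" without SM: %s%n",
                    codeBase, createCodeSource(codeBase, null));
            System.out.printf("codeBase=\"%s\" with SM:    %s%n",
                    codeBase, createCodeSource(codeBase, countingChecker));
        }
        System.out.println("checkPermission calls reached: " + checks[0]);
    }
}
```

      Run it with `java EmptyCodeBaseDemo.java`; only the non-empty codebase reaches the checker.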

            People

              jwagenleitner John Wagenleitner
              alwaysvip Scott Murphy