From 3be84770e7fbe6f000f0c002905e86fe1412d551 Mon Sep 17 00:00:00 2001
From: Marian Koncek <mkoncek@redhat.com>
Date: Thu, 11 Mar 2021 16:22:50 +0100
Subject: [PATCH] CVE-2020-13936

From upstream patches:
https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485
https://github.com/apache/velocity-engine/commit/15909056fe51f5d39d49e101d706d3075876dde4
https://github.com/apache/velocity-engine/commit/3f5d477bb4f4397bed2d2926c35dcef7de3aae3e

---
 .../velocity/runtime/defaults/velocity.properties | 15 ++++++++++-----
 .../introspection/SecureIntrospectorImpl.java     |  9 +++++++++
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
index 855118b..a8a9231 100644
--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
@@ -245,15 +245,16 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec
 # accessed.
 # ----------------------------------------------------------------------------
 
+# Prohibit reflection
 introspector.restrict.packages = java.lang.reflect
 
 # The two most dangerous classes
+# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
 
-introspector.restrict.classes = java.lang.Class
-introspector.restrict.classes = java.lang.ClassLoader
-                
-# Restrict these for extra safety
+# Restrict these system classes.  Note that anything in this list is matched exactly.
+# (Subclasses must be explicitly named to be included).
 
+introspector.restrict.classes = java.lang.Class
 introspector.restrict.classes = java.lang.Compiler
 introspector.restrict.classes = java.lang.InheritableThreadLocal
 introspector.restrict.classes = java.lang.Package
@@ -262,8 +263,12 @@ introspector.restrict.classes = java.lang.Runtime
 introspector.restrict.classes = java.lang.RuntimePermission
 introspector.restrict.classes = java.lang.SecurityManager
 introspector.restrict.classes = java.lang.System
-introspector.restrict.classes = java.lang.Thread
 introspector.restrict.classes = java.lang.ThreadGroup
 introspector.restrict.classes = java.lang.ThreadLocal
 
+# Restrict instance managers for common servlet containers  (Tomcat, JBoss, Jetty)
 
+introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
+introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
+introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
+introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
diff --git a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
index f317b1c..25fc84d 100644
--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
@@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros
             return true;
         }
 
+       /**
+       * Always disallow ClassLoader, Thread and subclasses
+       */
+        if (ClassLoader.class.isAssignableFrom(clazz) ||
+                Thread.class.isAssignableFrom(clazz))
+        {
+            return false;
+        }
+
         /**
          * check the classname (minus any array info)
          * whether it matches disallowed classes or packages
-- 
2.29.2