[BVAL-92] Security holes in org.apache.bval.util.PrivilegedActions - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 0.2-incubating, 0.3-incubating, 0.4
Fix Version/s: 0.4
Component/s: None
Labels:
None

Description

PrivilegedActions is public. It offers several method, e.g. getClassLoader() which are executed surrounded by privileged actions. Thus any caller can get e.g. a classloader, even if the caller has not the required permissions.

PrivilegedActions should offer only factory methods creating the privileged actions. Then the callers should call AccessController.doPrivileged() for themselves, such that the actions will be executed in the caller's security domain, instead of the domain of the BeanValidation API.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

apache-bval-20110327231539-jw.diff
27/Mar/11 21:19
54 kB
Jörg Waßmer
apache-bval-20110327092101-jw.diff
27/Mar/11 07:25
57 kB
Jörg Waßmer

Activity

People

Assignee:: Roman Stumm

Reporter:: Jörg Waßmer

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 08/Mar/11 00:24

Updated:: 13/Apr/12 17:43

Resolved:: 25/Aug/11 17:20