  1. Felix
  2. FELIX-3992

Classloader access outside of a privileged block

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: framework-4.2.0
    • Fix Version/s: framework-4.4.0
    • Component/s: Framework
    • Labels:

      Description

      In method org.apache.felix.framework.ServiceRegistrationImpl.isClassAccessible(Class), there is an access to the registered ServiceFactory classloader (lines 163:169 in v4.2.1):

      if ((m_factory != null)
          && (m_factory.getClass().getClassLoader() instanceof BundleReference)
          && !((BundleReference) m_factory.getClass()
              .getClassLoader()).getBundle().equals(m_bundle))
      {
          return true;
      }

      If a bundle registers a service through a ServiceFactory and if there is an active ServiceListener matching this service, those lines are executed inside the registering bundle's protection domain.

      If this bundle does not have the (java.util.RuntimePermission 'getClassloader') privilege, the getClassLoader invocation throws a SecurityException and the listener is always called because the exception is caught at line 526 (isAssignableTo) of the same class.
      The comment inside the catch block does not seem to justify this case.

      I think a simple privileged block around the bundle comparison is harmless and should fix this. It could be something like:

      // Needs java.security.AccessController and java.security.PrivilegedAction.
      if (m_factory != null)
      {
          Bundle bundle = null;
          if (System.getSecurityManager() == null)
          {
              // No security manager: read the class loader directly.
              if (m_factory.getClass().getClassLoader() instanceof BundleReference)
              {
                  bundle = ((BundleReference) m_factory.getClass().getClassLoader()).getBundle();
              }
          }
          else
          {
              // Read the class loader inside a privileged block.
              bundle = AccessController.doPrivileged(new PrivilegedAction<Bundle>() {
                  public Bundle run() {
                      if (m_factory.getClass().getClassLoader() instanceof BundleReference)
                      {
                          return ((BundleReference) m_factory.getClass().getClassLoader()).getBundle();
                      }
                      return null;
                  }
              });
          }

          // Same condition as the current code: the factory's bundle differs from m_bundle.
          if (bundle != null && !bundle.equals(m_bundle))
          {
              return true;
          }
      }
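
The effect described in this report, as an added example that is not part of the report or of Felix's code: a permission check made on an unprivileged caller's stack is denied, while the same check inside a privileged block is evaluated against the wrapping class only. The class name, the empty "bundle" protection domain and the permissive demo Policy are assumptions; AccessController.checkPermission stands in for the check Class.getClassLoader() makes when a security manager is installed, and a JDK that still implements these APIs (Java 8 to 17) is assumed.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

public class PrivilegedBlockDemo {
    // Assumption: stands in for the check Class.getClassLoader() makes under a security manager.
    static final Permission GET_CL = new RuntimePermission("getClassLoader");

    // Unprotected check: evaluated against every protection domain on the call stack.
    static boolean canReadLoaderDirect() {
        try {
            AccessController.checkPermission(GET_CL);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    // Wrapped check: the stack walk stops at this class's own protection domain.
    static boolean canReadLoaderPrivileged() {
        return AccessController.doPrivileged(
            (PrivilegedAction<Boolean>) PrivilegedBlockDemo::canReadLoaderDirect);
    }

    // Runs 'check' as if called by a bundle whose protection domain holds no permissions.
    static boolean asUnprivilegedBundle(PrivilegedAction<Boolean> check) {
        ProtectionDomain bundleDomain = new ProtectionDomain(null, new Permissions());
        AccessControlContext bundleContext =
            new AccessControlContext(new ProtectionDomain[] { bundleDomain });
        return AccessController.doPrivileged(check, bundleContext);
    }

    public static void main(String[] args) {
        // Demo only: grant this class (playing the framework) every permission.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.out.println("direct check:     "
            + asUnprivilegedBundle(PrivilegedBlockDemo::canReadLoaderDirect));
        System.out.println("privileged check: "
            + asUnprivilegedBundle(PrivilegedBlockDemo::canReadLoaderPrivileged));
    }
}
```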

            People

            • Assignee:
              karlpauls Karl Pauls
              Reporter:
              romain.dubois Romain Dubois
            • Votes:
              0
              Watchers:
              2

              Dates

              • Created:
                Updated:
                Resolved: