  1. Felix
  2. FELIX-4652

Security problem with AbstractWebConsolePlugin.spoolResource

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: webconsole-4.2.2
    • Fix Version/s: webconsole-4.2.4
    • Component/s: Web Console
    • Labels:
      None

      Description

      In AbstractWebConsolePlugin.spoolResource(), reflection is used to find the method that will actually provide the resource. However, using reflection requires the web console plugin to have the following permissions:
      (java.lang.RuntimePermission "getClassLoader")
      (java.lang.RuntimePermission "accessDeclaredMembers")
      (java.lang.reflect.ReflectPermission "suppressAccessChecks")

      This is due to some internals of the AbstractWebConsole, which actually should be run in a privileged block.
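
The privileged-block pattern the description refers to, as an added example that is not part of the original issue or the Felix code base. The class names `PrivilegedLookupExample` and `DemoPlugin` are hypothetical, and everything sits in one class for brevity; in a real deployment the `doPrivileged` call would live in the framework bundle that holds the permissions.

```java
import java.lang.reflect.Method;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

public class PrivilegedLookupExample {

    /** Hypothetical plugin that serves resources through a non-public method. */
    static class DemoPlugin {
        @SuppressWarnings("unused")
        private URL getResource(String path) {
            return DemoPlugin.class.getResource(path);
        }
    }

    /**
     * Looks up getResource(String) reflectively. getDeclaredMethod can require
     * RuntimePermission "accessDeclaredMembers" and setAccessible requires
     * ReflectPermission "suppressAccessChecks". Inside doPrivileged the stack
     * walk stops at this frame, so only the code source containing this method
     * needs those permissions, not every caller above it (e.g. a plugin bundle).
     */
    static Method findResourceMethod(final Object provider) throws NoSuchMethodException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
                public Method run() throws NoSuchMethodException {
                    // Keep the privileged block minimal: the method name and
                    // signature are constants, never caller-supplied values.
                    Method m = provider.getClass().getDeclaredMethod("getResource", String.class);
                    m.setAccessible(true);
                    return m;
                }
            });
        } catch (PrivilegedActionException e) {
            throw (NoSuchMethodException) e.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        DemoPlugin plugin = new DemoPlugin();
        Method m = findResourceMethod(plugin);
        // The invocation runs outside the privileged block, with the normal call stack.
        Object url = m.invoke(plugin, "/res/demo.css"); // constructed sample path
        System.out.println(m.getName() + " -> " + url);
    }
}
```

`AccessController` is deprecated for removal since Java 17 (JEP 411), so this compiles with a deprecation warning on current JDKs.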

            People

            • Assignee:
              v_valchev Valentin Valchev
              Reporter:
              v_valchev Valentin Valchev