  1. Felix
  2. FELIX-4652

Security problem with AbstractWebConsolePlugin.spoolResource

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: webconsole-4.2.2
    • Fix Version/s: webconsole-4.2.4
    • Component/s: Web Console
    • Labels: None

    Description

      In AbstractWebConsolePlugin.spoolResource(), reflection is used to find the method that will actually provide the resource. However, using reflection requires the web console plugin to have the following permissions:
      (java.lang.RuntimePermission "getClassLoader")
      (java.lang.RuntimePermission "accessDeclaredMembers")
      (java.lang.reflect.ReflectPermission "suppressAccessChecks")

      This is due to some internals of the AbstractWebConsole, which actually should be run in a privileged block.
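The privileged-block pattern the description asks for, as an added example (not the Felix code and not the change made in the SVN revision): the reflective lookup runs inside `AccessController.doPrivileged`, so the permission check stops at the class that contains the block and callers further up the stack do not need the three permissions listed above. `PrivilegedResourceLookup`, `SamplePlugin` and `findGetResource` are hypothetical names, and the `getResource(String)` method name is an assumption.

```java
import java.lang.reflect.Method;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Note: AccessController is deprecated for removal since Java 17 (JEP 411);
// the pattern applies to runtimes that still enforce a SecurityManager.
public class PrivilegedResourceLookup {

    /** Hypothetical plugin exposing resources through a non-public method. */
    static class SamplePlugin {
        @SuppressWarnings("unused")
        private URL getResource(String path) {
            return SamplePlugin.class.getResource(path);
        }
    }

    /**
     * Walks the provider's class hierarchy for getResource(String).
     * Only the lookup is privileged; nothing else is done in the block.
     */
    static Method findGetResource(final Object provider) {
        return AccessController.doPrivileged(new PrivilegedAction<Method>() {
            public Method run() {
                for (Class<?> c = provider.getClass();
                        c != null && c != Object.class; c = c.getSuperclass()) {
                    try {
                        // Declared-member lookup and setAccessible are the
                        // calls that trigger the permission checks.
                        Method m = c.getDeclaredMethod("getResource", String.class);
                        m.setAccessible(true);
                        return m;
                    } catch (NoSuchMethodException e) {
                        // Not declared on this class; try the superclass.
                    }
                }
                return null; // provider has no such method
            }
        });
    }

    public static void main(String[] args) throws Exception {
        SamplePlugin plugin = new SamplePlugin();
        Method m = findGetResource(plugin);
        System.out.println("found: " + m);
        // The invocation stays outside the privileged block, so the plugin's
        // own code still runs with the plugin's own permissions.
        System.out.println("resource: " + m.invoke(plugin, "/does/not/exist.txt"));
    }
}
```

Keeping the privileged action limited to the lookup avoids lending the containing bundle's permissions to arbitrary plugin code.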

        Activity

          v_valchev Valentin Valchev added a comment - Fixed in SVN rev.1627478

          People

            Assignee: v_valchev Valentin Valchev
            Reporter: v_valchev Valentin Valchev