[FELIX-4652] Security problem with AbstractWebConsolePlugin.spoolResource - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: webconsole-4.2.2
Fix Version/s: webconsole-4.2.4
Component/s: Web Console
Labels:
None

Description

In AbstractWebConsolePlugin.spoolResource() reflection is used to find the method that will actually provide the resource. However, using reflection will require that the web console plugin to have the following permissions:
(java.lang.RuntimePermission "getClassLoader")
(java.lang.RuntimePermission "accessDeclaredMembers")
(java.lang.reflect.ReflectPermission "suppressAccessChecks")

This is due to some internals of the AbstractWebConsole, which actually should be run in a privileged block.

Attachments

Activity

People

Assignee:: Valentin Valchev

Reporter:: Valentin Valchev

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 25/Sep/14 08:12

Updated:: 16/Mar/15 08:17

Resolved:: 25/Sep/14 08:14