Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- framework.security-2.8.1
- None
Description
`ConditionalPermissionUpdate.commit()` should check whether the caller has `AllPermission` before committing the updated permissions. The Javadocs state:
"Throws:
SecurityException – If the caller does not have AllPermission.
IllegalStateException – If this update's Conditional Permissions are not valid or inconsistent. For example, this update has two Conditional Permissions in it with the same name"
This check is not performed (it is performed in the deprecated `addConditionalPermissionInfo()` and `setConditionalPermissionInfo()` methods).
As a result, there is no way to prevent arbitrary code that can access the `ConditionalPermissionAdmin` from modifying the permissions at will.
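The check the Javadoc describes, sketched as an added example (this is not code from the Felix project, and the actual fix may differ). `GuardedUpdate` and `getPendingNames()` are hypothetical stand-ins for the update object, and the permission table is modeled as a plain list of names:

```java
import java.security.AllPermission;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical stand-in for a permission-table update; not the Felix class.
public class GuardedUpdate {
    private final List<String> live;                          // committed table (constructed model)
    private final List<String> pending = new ArrayList<>();   // caller-editable copy

    public GuardedUpdate(List<String> live) {
        this.live = live;
        pending.addAll(live);
    }

    public List<String> getPendingNames() { return pending; }

    @SuppressWarnings("removal") // SecurityManager is deprecated in recent JDKs
    public boolean commit() {
        // Authorize before anything else: SecurityException without AllPermission.
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new AllPermission());
        }
        // Validate: IllegalStateException when two entries share a name.
        Set<String> seen = new HashSet<>();
        for (String name : pending) {
            if (!seen.add(name)) {
                throw new IllegalStateException("duplicate name: " + name);
            }
        }
        // Only an authorized, consistent update replaces the live table.
        synchronized (live) {
            live.clear();
            live.addAll(pending);
        }
        return true;
    }

    public static void main(String[] args) {
        List<String> table = new ArrayList<>();
        table.add("allow-core");                       // constructed sample entry
        GuardedUpdate update = new GuardedUpdate(table);
        update.getPendingNames().add("allow-plugin");  // constructed sample entry
        System.out.println(update.commit() + " " + table);
    }
}
```

Editing the pending copy requires no permission because nothing takes effect until `commit()`, which is why the authorization check belongs there rather than only in the deprecated setter methods.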