From mben...@apache.org
Subject svn commit: r1310408 - in /bval/trunk: bval-core/src/main/java/org/apache/bval/util/ bval-jsr303/src/main/java/org/apache/bval/jsr303/ bval-jsr303/src/main/java/org/apache/bval/jsr303/util/
Date Fri, 06 Apr 2012 15:47:04 GMT
Author: mbenson
Date: Fri Apr  6 15:47:04 2012
New Revision: 1310408

URL: http://svn.apache.org/viewvc?rev=1310408&view=rev
Log:
plug security holes

Modified:
    bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java
    bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java
    bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java
    bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java
    bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java
    bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java
    bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java
    bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java

Modified: bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java
URL: http://svn.apache.org/viewvc/bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
--- bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java (original)
+++ bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java Fri Apr  6 15:47:04
2012
@@ -19,6 +19,7 @@ package org.apache.bval.util;
 import java.lang.annotation.ElementType;
 import java.lang.reflect.Field;
 import java.lang.reflect.Type;
+import java.security.AccessController;
 import java.security.PrivilegedAction;
 
 /**
@@ -34,11 +35,11 @@ public class FieldAccess extends AccessS
      */
     public FieldAccess(final Field field) {
         this.field = field;
-        if(!field.isAccessible()) {
-            PrivilegedActions.run( new PrivilegedAction<Object>() {
-                public Object run() {
+        if (!field.isAccessible()) {
+            run(new PrivilegedAction<Void>() {
+                public Void run() {
                     field.setAccessible(true);
-                    return (Object) null;
+                    return null;
                 }
             });
         }
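Review bot: The public constructor still runs `field.setAccessible(true)` inside the privileged `run(...)` on a `Field` the caller supplies. Under a security manager, code that lacks `ReflectPermission("suppressAccessChecks")` can pass in any private field and keep its reference to the now-accessible object. Making `run` private does not close this path. Consider narrowing the constructor's visibility if only library code creates instances, or at least add `// caller must be trusted: the supplied Field is made accessible with this library's privileges`. The MethodAccess constructor hunk has the same pattern with `method.setAccessible(true)`, and the constructor body here continues outside the hunk.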
@@ -101,4 +102,12 @@ public class FieldAccess extends AccessS
     public int hashCode() {
         return field.hashCode();
     }
+
+    private static <T> T run(PrivilegedAction<T> action) {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(action);
+        } else {
+            return action.run();
+        }
+    }
 }
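Review bot: This private `run` helper has no comment explaining why it is copied into the class rather than shared. A later cleanup could easily merge the copies back into one public utility and reintroduce the exposure this commit removes. I would add `// deliberately private and duplicated per class: a shared public wrapper would let any caller run actions with this library's privileges` above it. The same applies to the identical helpers added in MethodAccess, AnnotationConstraintBuilder, ApacheFactoryContext, ConfigurationImpl, ConstraintDefaults and ConstraintDefinitionValidator.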

Modified: bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java
URL: http://svn.apache.org/viewvc/bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
--- bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java (original)
+++ bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java Fri Apr  6 15:47:04
2012
@@ -21,6 +21,7 @@ import java.lang.annotation.ElementType;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.lang.reflect.Type;
+import java.security.AccessController;
 import java.security.PrivilegedAction;
 
 /**
@@ -47,10 +48,10 @@ public class MethodAccess extends Access
         this.method = method;
         this.propertyName = propertyName;
         if (!method.isAccessible()) {
-            PrivilegedActions.run( new PrivilegedAction<Object>() {
-                public Object run() {
+            run( new PrivilegedAction<Void>() {
+                public Void run() {
                     method.setAccessible(true);
-                    return (Object) null;
+                    return null;
                 }
             });
         }
@@ -143,4 +144,12 @@ public class MethodAccess extends Access
     public int hashCode() {
         return method.hashCode();
     }
+
+    private static <T> T run(PrivilegedAction<T> action) {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(action);
+        } else {
+            return action.run();
+        }
+    }
 }

Modified: bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java
URL: http://svn.apache.org/viewvc/bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
--- bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java (original)
+++ bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java Fri Apr
 6 15:47:04 2012
@@ -77,7 +77,8 @@ public class PrivilegedActions {
      * @param action - the action to run
      * @return result of running the action
      */
-    public static <T> T run(PrivilegedAction<T> action) {
+    // should not be called by just anyone; do not increase access
+    private static <T> T run(PrivilegedAction<T> action) {
         if (System.getSecurityManager() != null) {
             return AccessController.doPrivileged(action);
         } else {
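Review bot: Making `run` private only helps if no remaining public static method in PrivilegedActions forwards caller-controlled arguments into it. That cannot be confirmed from this hunk, so the class's other public methods should be audited in the same pass. The new `// should not be called by just anyone; do not increase access` line gives the rule but not the reason. I would move it into the Javadoc as `Kept private: exposing this would let untrusted callers execute arbitrary actions inside doPrivileged.` The second hunk, on the `PrivilegedExceptionAction` overload, needs the same treatment. Both method bodies end outside their hunks.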
@@ -91,7 +92,8 @@ public class PrivilegedActions {
      * @param action - the action to run
      * @return result of running the action
      */
-    public static <T> T run(final PrivilegedExceptionAction<T> action) throws
PrivilegedActionException, Exception {
+    // should not be called by just anyone; do not increase access
+    private static <T> T run(final PrivilegedExceptionAction<T> action) throws
PrivilegedActionException, Exception {
         if (System.getSecurityManager() != null) {
             return AccessController.doPrivileged(action);
         } else {

Modified: bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java
URL: http://svn.apache.org/viewvc/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
--- bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java
(original)
+++ bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java
Fri Apr  6 15:47:04 2012
@@ -21,6 +21,7 @@ package org.apache.bval.jsr303;
 import java.lang.annotation.Annotation;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.Arrays;
 import java.util.Collections;
@@ -40,7 +41,6 @@ import javax.validation.Payload;
 import javax.validation.ReportAsSingleViolation;
 
 import org.apache.bval.jsr303.groups.GroupsComputer;
-import org.apache.bval.jsr303.util.SecureActions;
 import org.apache.bval.jsr303.xml.AnnotationProxyBuilder;
 import org.apache.bval.util.AccessStrategy;
 
@@ -77,7 +77,7 @@ final class AnnotationConstraintBuilder<
     /** build attributes, payload, groups from 'annotation' */
     private void buildFromAnnotation() {
         if (constraintValidation.getAnnotation() != null) {
-            SecureActions.run(new PrivilegedAction<Object>() {
+            run(new PrivilegedAction<Object>() {
                 public Object run() {
                     for (Method method : constraintValidation.getAnnotation().annotationType().getDeclaredMethods())
{
                         // groups + payload must also appear in attributes (also
@@ -265,4 +265,12 @@ final class AnnotationConstraintBuilder<
             ((ConstraintValidation<Annotation>) composite).setAnnotation(newAnnot);
         }
     }
+
+    private static <T> T run(PrivilegedAction<T> action) {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(action);
+        } else {
+            return action.run();
+        }
+    }
 }

Modified: bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java
URL: http://svn.apache.org/viewvc/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
--- bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java
(original)
+++ bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java
Fri Apr  6 15:47:04 2012
@@ -37,7 +37,6 @@ import org.apache.bval.MetaBeanFactory;
 import org.apache.bval.MetaBeanFinder;
 import org.apache.bval.MetaBeanManager;
 import org.apache.bval.jsr303.util.SecureActions;
-import org.apache.bval.util.PrivilegedActions;
 import org.apache.bval.xml.XMLMetaBeanBuilder;
 import org.apache.bval.xml.XMLMetaBeanFactory;
 import org.apache.bval.xml.XMLMetaBeanManager;
@@ -230,7 +229,7 @@ public class ApacheFactoryContext implem
     }
 
     private <F extends MetaBeanFactory> F createMetaBeanFactory(final Class<F>
cls) {
-        return PrivilegedActions.run(new PrivilegedAction<F>() {
+        return run(new PrivilegedAction<F>() {
 
             public F run() {
                 try {
@@ -296,4 +295,12 @@ public class ApacheFactoryContext implem
             throw new ValidationException("Unable to load class: " + className, ex);
         }
     }
+
+    private static <T> T run(PrivilegedAction<T> action) {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(action);
+        } else {
+            return action.run();
+        }
+    }
 }
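Review bot: The new `run` helper references `AccessController`, but this is the only file in the commit whose visible hunks do not add `import java.security.AccessController;`. The import hunk here only removes `org.apache.bval.util.PrivilegedActions`. Unless the file already imports `AccessController` outside the lines shown, the helper will not compile. Please confirm, or add the import next to the existing `java.security.PrivilegedAction` one.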

Modified: bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java
URL: http://svn.apache.org/viewvc/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
--- bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java (original)
+++ bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java Fri
Apr  6 15:47:04 2012
@@ -28,6 +28,8 @@ import javax.validation.spi.BootstrapSta
 import javax.validation.spi.ConfigurationState;
 import javax.validation.spi.ValidationProvider;
 import java.io.InputStream;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.*;
 import java.util.logging.Logger;
 
@@ -239,7 +241,7 @@ public class ConfigurationImpl implement
      * @throws ValidationException if the ValidatorFactory cannot be built
      */
     public ValidatorFactory buildValidatorFactory() {
-        return SecureActions.run(SecureActions.doPrivBuildValidatorFactory(this));
+        return run(SecureActions.doPrivBuildValidatorFactory(this));
     }
 
     public ValidatorFactory doPrivBuildValidatorFactory() {
@@ -328,4 +330,11 @@ public class ConfigurationImpl implement
         this.providerClass = providerClass;
     }
 
+    private static <T> T run(PrivilegedAction<T> action) {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(action);
+        } else {
+            return action.run();
+        }
+    }
 }

Modified: bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java
URL: http://svn.apache.org/viewvc/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
--- bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java (original)
+++ bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java Fri
Apr  6 15:47:04 2012
@@ -18,12 +18,11 @@
  */
 package org.apache.bval.jsr303;
 
-import org.apache.bval.jsr303.util.SecureActions;
-
 import javax.validation.ConstraintValidator;
 import java.io.IOException;
 import java.io.InputStream;
 import java.lang.annotation.Annotation;
+import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.*;
 import java.util.logging.Level;
@@ -94,7 +93,7 @@ public class ConstraintDefaults {
                 final String eachClassName = tokens.nextToken();
 
                 Class<?> constraintValidatorClass =
-                      SecureActions.run(new PrivilegedAction<Class<?>>() {
+                      run(new PrivilegedAction<Class<?>>() {
                           public Class<?> run() {
                               try {
                                   return Class.forName(eachClassName, true, classloader);
@@ -121,4 +120,12 @@ public class ConstraintDefaults {
         if (classloader == null) classloader = getClass().getClassLoader();
         return classloader;
     }
+
+    private static <T> T run(PrivilegedAction<T> action) {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(action);
+        } else {
+            return action.run();
+        }
+    }
 }

Modified: bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java
URL: http://svn.apache.org/viewvc/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
--- bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java
(original)
+++ bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java
Fri Apr  6 15:47:04 2012
@@ -25,6 +25,8 @@ import org.apache.bval.jsr303.Constraint
 
 import java.lang.annotation.Annotation;
 import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Locale;
 
 /**
@@ -57,9 +59,7 @@ public class ConstraintDefinitionValidat
      *            The annotation to check.
      */
     private static void validAttributes(final Annotation annotation) {
-        final Method[] methods = SecureActions.run(
-            SecureActions.getDeclaredMethods(annotation.annotationType())
-        );
+        final Method[] methods = run(SecureActions.getDeclaredMethods(annotation.annotationType()));
         for (Method method : methods ){
             // Currently case insensitive, the spec is unclear about this
             if (method.getName().toLowerCase(Locale.ENGLISH).startsWith("valid")) {
@@ -69,4 +69,11 @@ public class ConstraintDefinitionValidat
         }
     }
 
+    private static <T> T run(PrivilegedAction<T> action) {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(action);
+        } else {
+            return action.run();
+        }
+    }
 }


