bval-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jörg Waßmer (JIRA) <j...@apache.org>
Subject [jira] Created: (BVAL-92) Security wholes in org.apache.bval.util.PrivilegedActions
Date Tue, 08 Mar 2011 00:25:00 GMT
Security wholes in org.apache.bval.util.PrivilegedActions
---------------------------------------------------------

                 Key: BVAL-92
                 URL: https://issues.apache.org/jira/browse/BVAL-92
             Project: BeanValidation
          Issue Type: Bug
    Affects Versions: 0.2-incubating, 0.3-incubating, 0.4-incubating
            Reporter: Jörg Waßmer
            Priority: Critical


PrivilegedActions is public. It offers several method, e.g. getClassLoader() which are executed
surrounded by privileged actions. Thus any caller can get e.g. a classloader, even if the
caller has not the required permissions.

PrivilegedActions should offer only factory methods creating the privileged actions. Then
the callers should call AccessController.doPrivileged() for themselves, such that the actions
will be executed in the caller's security domain, instead of the domain of the BeanValidation
API.


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message