felix-dev mailing list archives

From "Valentin Valchev (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FELIX-4652) Security problem with AbstractWebConsolePlugin.spoolResource
Date Thu, 25 Sep 2014 08:13:34 GMT
Valentin Valchev created FELIX-4652:

             Summary: Security problem with AbstractWebConsolePlugin.spoolResource
                 Key: FELIX-4652
                 URL: https://issues.apache.org/jira/browse/FELIX-4652
             Project: Felix
          Issue Type: Bug
          Components: Web Console
    Affects Versions: webconsole-4.2.2
            Reporter: Valentin Valchev
            Assignee: Valentin Valchev
             Fix For: webconsole-4.2.4

In AbstractWebConsolePlugin.spoolResource(), reflection is used to find the method that will
actually provide the resource. However, using reflection will require the web console
plugin to have the following permissions:
(java.lang.RuntimePermission "getClassLoader")
(java.lang.RuntimePermission "accessDeclaredMembers")
(java.lang.reflect.ReflectPermission "suppressAccessChecks")

This is due to some internals of the AbstractWebConsole, which actually should be run in a
privileged block.

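An added example (not the Felix project's code) of the privileged block the report asks for: the reflective lookup runs inside `AccessController.doPrivileged`, so the permission check stops at the class doing the lookup and code further up the call stack does not need the reflection permissions itself. `SamplePlugin`, `findResourceMethod` and the method name `getResource` are assumptions made for illustration.

```java
import java.lang.reflect.Method;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;

public class PrivilegedResourceLookup {

    // Hypothetical plugin: the resource method is not public, so the
    // console has to locate it reflectively.
    static class SamplePlugin {
        private URL getResource(String path) {
            return SamplePlugin.class.getResource(path);
        }
    }

    // Only the lookup is privileged. Stack inspection stops at this class's
    // protection domain, so it alone must be granted the permissions.
    static Method findResourceMethod(final Object provider) {
        return AccessController.doPrivileged(new PrivilegedAction<Method>() {
            @Override
            public Method run() {
                for (Class<?> c = provider.getClass(); c != null; c = c.getSuperclass()) {
                    try {
                        // Checked against RuntimePermission "accessDeclaredMembers"
                        Method m = c.getDeclaredMethod("getResource", String.class);
                        if (!URL.class.isAssignableFrom(m.getReturnType())) {
                            continue; // wrong signature, try the superclass
                        }
                        // Checked against ReflectPermission "suppressAccessChecks"
                        m.setAccessible(true);
                        return m;
                    } catch (NoSuchMethodException e) {
                        // not declared here, keep walking up the hierarchy
                    }
                }
                return null; // provider exposes no resource method
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Object plugin = new SamplePlugin();
        Method m = findResourceMethod(plugin);
        // The call into plugin code stays outside the privileged block, so the
        // plugin runs with its own permissions, not the console's.
        URL url = (URL) m.invoke(plugin, "/constructed-sample.txt");
        System.out.println(m.getName() + " -> " + url);
    }
}
```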