karaf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eduardo Aguinaga (JIRA)" <j...@apache.org>
Subject [jira] [Created] (KARAF-4204) Weak SecurityManager Check: Overridable Method
Date Tue, 15 Dec 2015 15:44:46 GMT
Eduardo Aguinaga created KARAF-4204:
---------------------------------------

             Summary: Weak SecurityManager Check: Overridable Method
                 Key: KARAF-4204
                 URL: https://issues.apache.org/jira/browse/KARAF-4204
             Project: Karaf
          Issue Type: Bug
    Affects Versions: 4.0.3
            Reporter: Eduardo Aguinaga


HP Fortify SCA and SciTools Understand were used to perform an application security analysis
of the karaf source code.

Non-final methods that perform security checks can be overridden in ways that bypass security
checks. See external issue for more information.

File: exception/src/main/java/java/lang/Exception.java
Line: 137

Exception.java, lines 137-153:
137 public Class[] getThrowableContext(Throwable t) {
138     try {
139         Class[] context = getClassContext();
140         int nb = 0;
141         for (;;) {
142             if (context[context.length - 1 - nb] == t.getClass()) {
143                 break;
144             }
145             nb++;
146         }
147         Class[] nc = new Class[nb];
148         System.arraycopy(context, context.length - nb, nc, 0, nb);
149         return nc;
150     } catch (Exception e) {
151         return null;
152     }
153 }




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message