tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 46096] New: DefaultAnnotationProcessor.processAnnotations should use doPrivileged to call getDeclaredFields
Date Mon, 27 Oct 2008 12:44:56 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=46096

           Summary: DefaultAnnotationProcessor.processAnnotations should use
                    doPrivileged to call getDeclaredFields
           Product: Tomcat 6
           Version: 6.0.18
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Jasper
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: richard.evans@datanomic.com


If Tomcat is running with a SecurityManager, and a JSP uses
PageContext.forward, DefaultAnnotationProcessor code can be called with
untrusted code on the call stack.

The processAnnotations method contains the line:

   Field[] fields = instance.getClass().getDeclaredFields();

getDeclaredFields() is subject to security checks so this throws a
java.security.AccessControlException.

DefaultAnnotationProcessor is part of the code in the catalina lib directory,
which is granted AllPermission in the standard policy file.  However, because
there is untrusted JSP code on the stack, these permissions are not used.

The call to getDeclaredFields() should be wrapped in an
AccessController.doPrivileged call to avoid the exception.
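The pattern the report asks for, as an added example that is not Tomcat's own code (the class name DeclaredFieldsLookup is assumed). The privileged block wraps only the reflective lookup; it stops the permission stack walk at this trusted frame but grants nothing the calling library's own protection domain does not already hold.

```java
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.PrivilegedAction;

/**
 * Added example (not Tomcat code): doPrivileged around getDeclaredFields().
 *
 * getDeclaredFields() checks RuntimePermission("accessDeclaredMembers") by
 * walking every frame on the call stack. With untrusted JSP code on the
 * stack, the intersection of permissions is empty and the check throws
 * AccessControlException even though the library itself is fully trusted.
 * doPrivileged ends the walk at this frame, so only the library's own
 * permissions (AllPermission per the standard catalina policy) are consulted.
 */
public final class DeclaredFieldsLookup {

    private DeclaredFieldsLookup() {}

    /** Direct call: fails under a SecurityManager when untrusted code is on the stack. */
    public static Field[] declaredFieldsUnprivileged(Object instance) {
        return instance.getClass().getDeclaredFields();
    }

    /** Privileged call: scoped to the single reflective lookup, nothing more. */
    public static Field[] declaredFieldsPrivileged(final Object instance) {
        if (System.getSecurityManager() == null) {
            // No SecurityManager installed: the privileged block would be pure overhead.
            return instance.getClass().getDeclaredFields();
        }
        return AccessController.doPrivileged(new PrivilegedAction<Field[]>() {
            public Field[] run() {
                // Only the lookup runs with elevated stack context; any later
                // processing of the fields happens outside, back under the
                // normal (restricted) stack, keeping the privileged window minimal.
                return instance.getClass().getDeclaredFields();
            }
        });
    }
}
```

Keep the privileged section this narrow: anything that touches caller-supplied data (field values, annotation arguments) belongs outside the run() method so untrusted JSP code cannot ride on the elevated frame.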



