You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@bval.apache.org by "Roman Stumm (JIRA)" <ji...@apache.org> on 2011/08/25 19:21:29 UTC
[jira] [Assigned] (BVAL-92) Security holes in
org.apache.bval.util.PrivilegedActions
[ https://issues.apache.org/jira/browse/BVAL-92?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Roman Stumm reassigned BVAL-92:
-------------------------------
Assignee: Roman Stumm
> Security holes in org.apache.bval.util.PrivilegedActions
> --------------------------------------------------------
>
> Key: BVAL-92
> URL: https://issues.apache.org/jira/browse/BVAL-92
> Project: BeanValidation
> Issue Type: Bug
> Affects Versions: 0.2-incubating, 0.3-incubating, 0.4-incubating
> Reporter: Jörg Waßmer
> Assignee: Roman Stumm
> Priority: Critical
> Fix For: 0.4-incubating
>
> Attachments: apache-bval-20110327092101-jw.diff, apache-bval-20110327231539-jw.diff
>
>
> PrivilegedActions is public. It offers several method, e.g. getClassLoader() which are executed surrounded by privileged actions. Thus any caller can get e.g. a classloader, even if the caller has not the required permissions.
> PrivilegedActions should offer only factory methods creating the privileged actions. Then the callers should call AccessController.doPrivileged() for themselves, such that the actions will be executed in the caller's security domain, instead of the domain of the BeanValidation API.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira