Posted to commits@karaf.apache.org by jb...@apache.org on 2020/06/05 04:47:39 UTC
[karaf] branch karaf-4.2.x updated: Disallow calling
getMBeansFromURL
This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch karaf-4.2.x
in repository https://gitbox.apache.org/repos/asf/karaf.git
The following commit(s) were added to refs/heads/karaf-4.2.x by this push:
new 2ccfba4 Disallow calling getMBeansFromURL
2ccfba4 is described below
commit 2ccfba48bdfac6c2cd09c8f058641da0011e4c7e
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Jun 3 17:37:44 2020 +0100
Disallow calling getMBeansFromURL
(cherry picked from commit 3e4c4bed2d08e81ca5961ab5fcadab23470db1c9)
---
.../apache/karaf/management/KarafMBeanServerGuard.java | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
index ab2fd44..a1527cb 100644
--- a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
+++ b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
@@ -107,7 +107,7 @@ public class KarafMBeanServerGuard implements InvocationHandler {
} else if ("setAttributes".equals(method.getName())) {
handleSetAttributes(mbs, objectName, (AttributeList) args[1]);
} else if ("invoke".equals(method.getName())) {
- handleInvoke(objectName, (String) args[1], (Object[]) args[2], (String[]) args[3]);
+ handleInvoke(mbs, objectName, (String) args[1], (Object[]) args[2], (String[]) args[3]);
}
return null;
@@ -346,11 +346,20 @@ public class KarafMBeanServerGuard implements InvocationHandler {
return false;
}
- void handleInvoke(ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
- handleInvoke(null, objectName, operationName, params, signature);
+ void handleInvoke(MBeanServer mbs, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException, InstanceNotFoundException {
+ handleInvoke(mbs, null, objectName, operationName, params, signature);
}
- void handleInvoke(BulkRequestContext context, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
+ void handleInvoke(MBeanServer mbs, BulkRequestContext context, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException, InstanceNotFoundException {
+ if (mbs != null && mbs.isInstanceOf(objectName, "javax.management.loading.MLet")
+ && ("addUrl".equals(operationName) || "getMBeansFromURL".equals(operationName))) {
+ SecurityException se = new SecurityException(operationName + " is not allowed to be invoked");
+ if (logger != null) {
+ logger.log(INVOKE, INVOKE_SIG, null, se, objectName, operationName, signature, params);
+ }
+ throw se;
+ }
+
if (context == null) {
context = BulkRequestContext.newContext(configAdmin);
}
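Review bot: The denylist in the new guard at the top of the six-argument `handleInvoke` compares against `"addUrl"`, but the standard `javax.management.loading.MLetMBean` interface declares that operation as `addURL`, and `String.equals` is case-sensitive, so the first alternative looks like it never matches; `"addURL".equals(operationName)` would cover it. Separately, `mbs != null &&` makes the guard fail open: a caller that passes a null `MBeanServer` skips the MLet check entirely, so it is worth confirming that no production path does so (the callers other than the `invoke` dispatch are outside this diff). A short comment above the `if`, such as `// MLet operations that load code from a caller-supplied URL are never allowed over JMX`, would record why these names are blocked. The method body continues past the end of the hunk.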