Posted to commits@karaf.apache.org by jb...@apache.org on 2020/06/05 04:46:59 UTC

[karaf] branch master updated: Disallow calling getMBeansFromURL

This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/karaf.git


The following commit(s) were added to refs/heads/master by this push:
     new 3e4c4be  Disallow calling getMBeansFromURL
     new 310ff72  Merge pull request #1135 from coheigea/jmx_mlet
3e4c4be is described below

commit 3e4c4bed2d08e81ca5961ab5fcadab23470db1c9
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Jun 3 17:37:44 2020 +0100

    Disallow calling getMBeansFromURL
---
 .../apache/karaf/management/KarafMBeanServerGuard.java  | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
index a255587..43c258e 100644
--- a/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
+++ b/management/server/src/main/java/org/apache/karaf/management/KarafMBeanServerGuard.java
@@ -106,7 +106,7 @@ public class KarafMBeanServerGuard implements InvocationHandler {
         } else if ("setAttributes".equals(method.getName())) {
             handleSetAttributes(mbs, objectName, (AttributeList) args[1]);
         } else if ("invoke".equals(method.getName())) {
-            handleInvoke(objectName, (String) args[1], (Object[]) args[2], (String[]) args[3]);
+            handleInvoke(mbs, objectName, (String) args[1], (Object[]) args[2], (String[]) args[3]);
         }
 
         return null;
@@ -345,11 +345,20 @@ public class KarafMBeanServerGuard implements InvocationHandler {
         return false;
     }
 
-    void handleInvoke(ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
-        handleInvoke(null, objectName, operationName, params, signature);
+    void handleInvoke(MBeanServer mbs, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException, InstanceNotFoundException {
+        handleInvoke(mbs, null, objectName, operationName, params, signature);
     }
 
-    void handleInvoke(BulkRequestContext context, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException {
+    void handleInvoke(MBeanServer mbs, BulkRequestContext context, ObjectName objectName, String operationName, Object[] params, String[] signature) throws IOException, InstanceNotFoundException {
+        if (mbs != null && mbs.isInstanceOf(objectName, "javax.management.loading.MLet")
+            && ("addUrl".equals(operationName) || "getMBeansFromURL".equals(operationName))) {
+            SecurityException se = new SecurityException(operationName + " is not allowed to be invoked");
+            if (logger != null) {
+                logger.log(INVOKE, INVOKE_SIG, null, se, objectName, operationName, signature, params);
+            }
+            throw se;
+        }
+
         if (context == null) {
             context = BulkRequestContext.newContext(configAdmin);
         }
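Review bot: The deny-list in the new guard at the top of `handleInvoke` compares against `"addUrl"`, but the operation declared by `javax.management.loading.MLetMBean` is `addURL`, and `String.equals` is case-sensitive. That half of the condition therefore looks like it can never match, leaving only `getMBeansFromURL` actually refused; I would change it to `"addURL".equals(operationName)`. Separately, the whole check is skipped when `mbs` is null, so any caller that passes null fails open. Either reject that case explicitly or add a comment such as `// mbs == null: MLet check cannot run; callers must pass the server` so the intent is visible. The body of `handleInvoke` continues past the end of this hunk.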