Posted to notifications@groovy.apache.org by "Jochen Theodorou (Jira)" <ji...@apache.org> on 2022/04/15 09:57:00 UTC

[jira] [Commented] (GROOVY-10582) Funnel checkPermission through VMPlugin (JEP-411)

    [ https://issues.apache.org/jira/browse/GROOVY-10582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17522768#comment-17522768 ] 

Jochen Theodorou commented on GROOVY-10582:
-------------------------------------------

Did we ever consider this being a security risk? I mean there will be a public method that gets to bypass the security manager. Normally the callsite sensitivity of the call for the privileged action would check that, but the callsite is going to be always in the same class and the checking mechanism does not know to ignore it to get the "real" caller.

> Funnel checkPermission through VMPlugin (JEP-411)
> -------------------------------------------------
>
>                 Key: GROOVY-10582
>                 URL: https://issues.apache.org/jira/browse/GROOVY-10582
>             Project: Groovy
>          Issue Type: Sub-task
>            Reporter: Paul King
>            Assignee: Paul King
>            Priority: Major
>
> We can reduce our exposure to JEP-411 by funnelling calls to SecurityManager#checkPermission through the VMPlugin.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)