Posted to dev@felix.apache.org by "Karl Pauls (Jira)" <ji...@apache.org> on 2021/12/06 22:34:00 UTC
[jira] [Closed] (FELIX-6467) `AllPermission` not checked when updating `ConditionalPermissionAdmin`
[ https://issues.apache.org/jira/browse/FELIX-6467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Pauls closed FELIX-6467.
-----------------------------
> `AllPermission` not checked when updating `ConditionalPermissionAdmin`
> ----------------------------------------------------------------------
>
> Key: FELIX-6467
> URL: https://issues.apache.org/jira/browse/FELIX-6467
> Project: Felix
> Issue Type: Bug
> Components: Conditional Permission Admin
> Affects Versions: framework.security-2.8.1
> Reporter: Joel Dudley
> Assignee: Karl Pauls
> Priority: Major
> Fix For: framework-7.0.3, framework.security-2.8.3
>
>
> `ConditionalPermissionUpdate.commit()` should check whether the caller has `AllPermission` before committing the updated permissions. The Javadocs state:
> _"Throws:_
> _*SecurityException – If the caller does not have AllPermission.*_
> _IllegalStateException – If this update's Conditional Permissions are not valid or inconsistent. For example, this update has two Conditional Permissions in it with the same name"_
> This check is not performed (it is performed in the deprecated `addConditionalPermissionInfo()` and `setConditionalPermissionInfo()` methods).
> As a result, there is no way to prevent arbitrary code that can access the `ConditionalPermissionAdmin` from modifying the permissions at will.
>
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
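
Added example, not part of the original message and not Felix code: a minimal model of the check order the quoted Javadoc describes, where commit() tests the caller for AllPermission before it validates or applies anything. GuardedPermissionTable, Update, names() and current() are hypothetical names, rules are reduced to their names, and the code assumes a runtime where a SecurityManager may be installed.

```java
import java.security.AllPermission;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical stand-in for a permission table and its update object (not Felix code).
public class GuardedPermissionTable {
    private List<String> committed = new ArrayList<>(); // rule names only, for brevity

    public synchronized Update newUpdate() { return new Update(); }
    public synchronized List<String> current() { return new ArrayList<>(committed); }

    public final class Update {
        // Working copy: edits stay private to this update until commit() succeeds.
        private final List<String> working = new ArrayList<>(committed);

        public List<String> names() { return working; }

        @SuppressWarnings("removal") // SecurityManager is deprecated on newer JDKs
        public void commit() {
            // 1. Authorization first: with a security manager installed, a caller
            //    lacking AllPermission gets a SecurityException and nothing changes.
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPermission(new AllPermission());
            }
            // 2. Validation: two entries with the same name are inconsistent.
            Set<String> seen = new HashSet<>();
            for (String name : working) {
                if (!seen.add(name)) {
                    throw new IllegalStateException("duplicate name: " + name);
                }
            }
            // 3. Only now replace the live table.
            synchronized (GuardedPermissionTable.this) {
                committed = new ArrayList<>(working);
            }
        }
    }

    public static void main(String[] args) {
        GuardedPermissionTable table = new GuardedPermissionTable();
        GuardedPermissionTable.Update ok = table.newUpdate();
        ok.names().add("allow-logging"); // constructed sample name
        ok.commit();
        System.out.println("committed: " + table.current());

        GuardedPermissionTable.Update bad = table.newUpdate();
        bad.names().add("allow-logging"); // duplicates the committed entry
        try { bad.commit(); } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With no security manager installed the permission check is skipped, so the sample run shows only the validation path.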