You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@felix.apache.org by "Karl Pauls (JIRA)" <ji...@apache.org> on 2013/03/25 12:45:15 UTC
[jira] [Assigned] (FELIX-3992) Classloader access outside of a
privileged block
[ https://issues.apache.org/jira/browse/FELIX-3992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Pauls reassigned FELIX-3992:
---------------------------------
Assignee: Karl Pauls
Looks like something like your patch would make sense. Thanks, I'll try to get to it soon...
> Classloader access outside of a privileged block
> ------------------------------------------------
>
> Key: FELIX-3992
> URL: https://issues.apache.org/jira/browse/FELIX-3992
> Project: Felix
> Issue Type: Bug
> Components: Framework
> Affects Versions: framework-4.2.0
> Reporter: Romain Dubois
> Assignee: Karl Pauls
> Priority: Minor
> Labels: security
>
> In method org.apache.felix.framework.ServiceRegistrationImpl.isClassAccessible(Class), there is an access to the registered ServiceFactory classloader (lines 163:169 in v4.2.1):
> if ((m_factory != null)
> && (m_factory.getClass().getClassLoader() instanceof BundleReference)
> && !((BundleReference) m_factory.getClass()
> .getClassLoader()).getBundle().equals(m_bundle))
> {
> return true;
> }
> If a bundle registers a service through a ServiceFactory and if there is an active ServiceListener matching this service, those lines are executed inside the registering bundle's protection domain.
> If this bundle does not have the (java.util.RuntimePermission 'getClassloader') privilege, the getClassLoader invocation throws a SecurityException and the listener is always called because the exception is catched at line 526 (isAssignableTo) of the same class.
> The comment inside the catch block does not seem to justify this case.
> I think a simple privileged block around the bundle comparison is harmless and should fix this. It could be something like :
> if (m_factory != null)
> {
> Bundle bundle = null;
> if (System.getSecurityManager() == null)
> {
> if ((m_factory.getClass().getClassLoader() instanceof BundleReference) {
> bundle = ((BundleReference) m_factory.getClass().getClassLoader()).getBundle();
> }
> }
> else
> {
> bundle = AccessController.doPrivileged(new PrivilegedAction<Bundle>() {
> public Bundle run() {
> if ((m_factory.getClass().getClassLoader() instanceof BundleReference) {
> return ((BundleReference) m_factory.getClass().getClassLoader()).getBundle();
> }
> return null;
> }
> });
> }
>
> if (bundle != null && bundle.equals(m_bundle)) {
> return true;
> }
> }
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira