Posted to dev@felix.apache.org by "Karl Pauls (Jira)" <ji...@apache.org> on 2021/11/03 14:06:00 UTC

[jira] [Resolved] (FELIX-6467) `AllPermission` not checked when updating `ConditionalPermissionAdmin`

     [ https://issues.apache.org/jira/browse/FELIX-6467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Pauls resolved FELIX-6467.
-------------------------------
    Resolution: Fixed

Thanks [~joeldudley] - I fixed it in https://github.com/apache/felix-dev/pull/113

Will do a release soon.

> `AllPermission` not checked when updating `ConditionalPermissionAdmin`
> ----------------------------------------------------------------------
>
>                 Key: FELIX-6467
>                 URL: https://issues.apache.org/jira/browse/FELIX-6467
>             Project: Felix
>          Issue Type: Bug
>          Components: Conditional Permission Admin
>    Affects Versions: framework.security-2.8.1
>            Reporter: Joel Dudley
>            Assignee: Karl Pauls
>            Priority: Major
>             Fix For: framework-7.0.2, framework.security-2.8.2
>
>
> `ConditionalPermissionUpdate.commit()` should check whether the caller has `AllPermission` before committing the updated permissions. The Javadocs state:
> _"Throws:_
>     _*SecurityException – If the caller does not have AllPermission.*_
>     _IllegalStateException – If this update's Conditional Permissions are not valid or inconsistent. For example, this update has two Conditional Permissions in it with the same name"_
> This check is not performed (it is performed in the deprecated `addConditionalPermissionInfo()` and `setConditionalPermissionInfo()` methods).
> As a result, there is no way to prevent arbitrary code that can access the `ConditionalPermissionAdmin` from modifying the permissions at will.
>  
>  



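A minimal sketch of where such a check sits in a commit path, as an added example that is not Felix's code and not the change made in the linked pull request. `PermissionTableDemo`, `Update` and the sample row are hypothetical, and the code assumes a JDK where `System.getSecurityManager()` is still available (it is deprecated since Java 17).

```java
import java.security.AllPermission;
import java.util.ArrayList;
import java.util.List;

// Toy model of a conditional permission table (hypothetical, not Felix code).
public class PermissionTableDemo {
    private List<String> rows = new ArrayList<>();
    private long generation = 0; // bumped on every successful commit

    // Snapshot the table; the caller edits the update's list, then commits it.
    public synchronized Update newUpdate() {
        return new Update(new ArrayList<>(rows), generation);
    }

    public final class Update {
        private final List<String> working;
        private final long basedOn;

        private Update(List<String> working, long basedOn) {
            this.working = working;
            this.basedOn = basedOn;
        }

        public List<String> getRows() { return working; }

        // Returns false if the table changed since this update was created.
        public boolean commit() {
            // The check the issue reports as missing. It runs before any state
            // is touched, and only when a security manager is installed.
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPermission(new AllPermission()); // throws SecurityException
            }
            synchronized (PermissionTableDemo.this) {
                if (basedOn != generation) return false; // stale snapshot
                rows = new ArrayList<>(working);
                generation++;
                return true;
            }
        }
    }

    public static void main(String[] args) {
        PermissionTableDemo table = new PermissionTableDemo();
        Update first = table.newUpdate();
        Update stale = table.newUpdate(); // taken before 'first' commits
        first.getRows().add("ALLOW { (java.security.AllPermission) } \"constructed-row\"");
        System.out.println("first commit: " + first.commit());
        System.out.println("stale commit: " + stale.commit());
    }
}
```

Placing the permission check ahead of the synchronized block means an unprivileged caller is rejected before it can observe or race the table state.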