Security wholes in org.apache.bval.util.PrivilegedActions
---------------------------------------------------------
Key: BVAL-92
URL: https://issues.apache.org/jira/browse/BVAL-92
Project: BeanValidation
Issue Type: Bug
Affects Versions: 0.2-incubating, 0.3-incubating, 0.4-incubating
Reporter: Jörg Waßmer
Priority: Critical
PrivilegedActions is public. It offers several method, e.g. getClassLoader()
which are executed surrounded by privileged actions. Thus any caller can get
e.g. a classloader, even if the caller has not the required permissions.
PrivilegedActions should offer only factory methods creating the privileged
actions. Then the callers should call AccessController.doPrivileged() for
themselves, such that the actions will be executed in the caller's security
domain, instead of the domain of the BeanValidation API.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
