[
https://issues.apache.org/jira/browse/BVAL-92?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jörg Waßmer updated BVAL-92:
----------------------------
Summary: Security holes in org.apache.bval.util.PrivilegedActions (was:
Security wholes in org.apache.bval.util.PrivilegedActions)
> Security holes in org.apache.bval.util.PrivilegedActions
> --------------------------------------------------------
>
> Key: BVAL-92
> URL: https://issues.apache.org/jira/browse/BVAL-92
> Project: BeanValidation
> Issue Type: Bug
> Affects Versions: 0.2-incubating, 0.3-incubating, 0.4-incubating
> Reporter: Jörg Waßmer
> Priority: Critical
>
> PrivilegedActions is public. It offers several method, e.g. getClassLoader()
> which are executed surrounded by privileged actions. Thus any caller can get
> e.g. a classloader, even if the caller has not the required permissions.
> PrivilegedActions should offer only factory methods creating the privileged
> actions. Then the callers should call AccessController.doPrivileged() for
> themselves, such that the actions will be executed in the caller's security
> domain, instead of the domain of the BeanValidation API.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
