[
https://issues.apache.org/jira/browse/BVAL-92?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13011759#comment-13011759
]
Simone Tripodi commented on BVAL-92:
------------------------------------
thanks for your help! I'd like to ask you attaching two different patches for
each Issue, since they have been reported as two different critical errors
(even if they are about the same problem).
Many thanks in advance, and thanks once again
> Security holes in org.apache.bval.util.PrivilegedActions
> --------------------------------------------------------
>
> Key: BVAL-92
> URL: https://issues.apache.org/jira/browse/BVAL-92
> Project: BeanValidation
> Issue Type: Bug
> Affects Versions: 0.2-incubating, 0.3-incubating, 0.4-incubating
> Reporter: Jörg Waßmer
> Priority: Critical
> Attachments: apache-bval-20110327092101-jw.diff
>
>
> PrivilegedActions is public. It offers several method, e.g. getClassLoader()
> which are executed surrounded by privileged actions. Thus any caller can get
> e.g. a classloader, even if the caller has not the required permissions.
> PrivilegedActions should offer only factory methods creating the privileged
> actions. Then the callers should call AccessController.doPrivileged() for
> themselves, such that the actions will be executed in the caller's security
> domain, instead of the domain of the BeanValidation API.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
