[
https://issues.apache.org/jira/browse/BVAL-92?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jörg Waßmer updated BVAL-92:
----------------------------
Attachment: apache-bval-20110327231539-jw.diff
Here the diff against the trunk tree, without the patches for BVAL-91.
> Security holes in org.apache.bval.util.PrivilegedActions
> --------------------------------------------------------
>
> Key: BVAL-92
> URL: https://issues.apache.org/jira/browse/BVAL-92
> Project: BeanValidation
> Issue Type: Bug
> Affects Versions: 0.2-incubating, 0.3-incubating, 0.4-incubating
> Reporter: Jörg Waßmer
> Priority: Critical
> Attachments: apache-bval-20110327092101-jw.diff,
> apache-bval-20110327231539-jw.diff
>
>
> PrivilegedActions is public. It offers several method, e.g. getClassLoader()
> which are executed surrounded by privileged actions. Thus any caller can get
> e.g. a classloader, even if the caller has not the required permissions.
> PrivilegedActions should offer only factory methods creating the privileged
> actions. Then the callers should call AccessController.doPrivileged() for
> themselves, such that the actions will be executed in the caller's security
> domain, instead of the domain of the BeanValidation API.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
