[
https://issues.apache.org/jira/browse/BVAL-92?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Roman Stumm resolved BVAL-92.
-----------------------------
Resolution: Fixed
Fix Version/s: 0.4-incubating
Revision #1161648
Committed by romanstumm at 25.08.11 19:14:15
applied patch "apache-bval-20110327231539-jw.diff" from Jörg Waßmer to fix
Security holes in org.apache.bval.util.PrivilegedActions. Removed all
deprecated and unused methods by changing the source code that still used
deprecated methods.
Also upgraded the apache-rat-plugin.
Needed to enter a version for findbugs-maven-plugin, because I couldn't build
with maven without it.
> Security holes in org.apache.bval.util.PrivilegedActions
> --------------------------------------------------------
>
> Key: BVAL-92
> URL: https://issues.apache.org/jira/browse/BVAL-92
> Project: BeanValidation
> Issue Type: Bug
> Affects Versions: 0.2-incubating, 0.3-incubating, 0.4-incubating
> Reporter: Jörg Waßmer
> Assignee: Roman Stumm
> Priority: Critical
> Fix For: 0.4-incubating
>
> Attachments: apache-bval-20110327092101-jw.diff,
> apache-bval-20110327231539-jw.diff
>
>
> PrivilegedActions is public. It offers several method, e.g. getClassLoader()
> which are executed surrounded by privileged actions. Thus any caller can get
> e.g. a classloader, even if the caller has not the required permissions.
> PrivilegedActions should offer only factory methods creating the privileged
> actions. Then the callers should call AccessController.doPrivileged() for
> themselves, such that the actions will be executed in the caller's security
> domain, instead of the domain of the BeanValidation API.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
