This is an automated email from the ASF dual-hosted git repository.
rmannibucau pushed a commit to tag 0.4
in repository https://gitbox.apache.org/repos/asf/bval.git
commit bce9e5fcd4da1ce0d4a5fe31a51402420c70cbc8
Author: mbenson <mbenson@13f79535-47bb-0310-9956-ffa450edef68>
AuthorDate: Fri Apr 6 15:47:04 2012 +0000
plug security holes
git-svn-id: http://svn.apache.org/repos/asf/bval/trunk@1310408
13f79535-47bb-0310-9956-ffa450edef68
---
.../src/main/java/org/apache/bval/util/FieldAccess.java | 17 +++++++++++++----
.../main/java/org/apache/bval/util/MethodAccess.java | 15 ++++++++++++---
.../java/org/apache/bval/util/PrivilegedActions.java | 6 ++++--
.../apache/bval/jsr303/AnnotationConstraintBuilder.java | 12 ++++++++++--
.../org/apache/bval/jsr303/ApacheFactoryContext.java | 11 +++++++++--
.../java/org/apache/bval/jsr303/ConfigurationImpl.java | 11 ++++++++++-
.../java/org/apache/bval/jsr303/ConstraintDefaults.java | 13 ++++++++++---
.../bval/jsr303/util/ConstraintDefinitionValidator.java | 13 ++++++++++---
8 files changed, 78 insertions(+), 20 deletions(-)
diff --git a/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java
b/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java
index 4873abf..9cbc31e 100644
--- a/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java
+++ b/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java
@@ -19,6 +19,7 @@ package org.apache.bval.util;
import java.lang.annotation.ElementType;
import java.lang.reflect.Field;
import java.lang.reflect.Type;
+import java.security.AccessController;
import java.security.PrivilegedAction;
/**
@@ -34,11 +35,11 @@ public class FieldAccess extends AccessStrategy {
*/
public FieldAccess(final Field field) {
this.field = field;
- if(!field.isAccessible()) {
- PrivilegedActions.run( new PrivilegedAction<Object>() {
- public Object run() {
+ if (!field.isAccessible()) {
+ run(new PrivilegedAction<Void>() {
+ public Void run() {
field.setAccessible(true);
- return (Object) null;
+ return null;
}
});
}
@@ -101,4 +102,12 @@ public class FieldAccess extends AccessStrategy {
public int hashCode() {
return field.hashCode();
}
+
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
diff --git a/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java
b/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java
index 2580872..2583fbb 100644
--- a/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java
+++ b/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java
@@ -21,6 +21,7 @@ import java.lang.annotation.ElementType;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Type;
+import java.security.AccessController;
import java.security.PrivilegedAction;
/**
@@ -47,10 +48,10 @@ public class MethodAccess extends AccessStrategy {
this.method = method;
this.propertyName = propertyName;
if (!method.isAccessible()) {
- PrivilegedActions.run( new PrivilegedAction<Object>() {
- public Object run() {
+ run( new PrivilegedAction<Void>() {
+ public Void run() {
method.setAccessible(true);
- return (Object) null;
+ return null;
}
});
}
@@ -143,4 +144,12 @@ public class MethodAccess extends AccessStrategy {
public int hashCode() {
return method.hashCode();
}
+
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
diff --git
a/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java
b/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java
index 38b79e4..26c0936 100644
--- a/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java
+++ b/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java
@@ -77,7 +77,8 @@ public class PrivilegedActions {
* @param action - the action to run
* @return result of running the action
*/
- public static <T> T run(PrivilegedAction<T> action) {
+ // should not be called by just anyone; do not increase access
+ private static <T> T run(PrivilegedAction<T> action) {
if (System.getSecurityManager() != null) {
return AccessController.doPrivileged(action);
} else {
@@ -91,7 +92,8 @@ public class PrivilegedActions {
* @param action - the action to run
* @return result of running the action
*/
- public static <T> T run(final PrivilegedExceptionAction<T> action) throws
PrivilegedActionException, Exception {
+ // should not be called by just anyone; do not increase access
+ private static <T> T run(final PrivilegedExceptionAction<T> action) throws
PrivilegedActionException, Exception {
if (System.getSecurityManager() != null) {
return AccessController.doPrivileged(action);
} else {
diff --git
a/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java
b/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java
index be64f29..d6bf24d 100644
---
a/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java
+++
b/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java
@@ -21,6 +21,7 @@ package org.apache.bval.jsr303;
import java.lang.annotation.Annotation;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
+import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collections;
@@ -40,7 +41,6 @@ import javax.validation.Payload;
import javax.validation.ReportAsSingleViolation;
import org.apache.bval.jsr303.groups.GroupsComputer;
-import org.apache.bval.jsr303.util.SecureActions;
import org.apache.bval.jsr303.xml.AnnotationProxyBuilder;
import org.apache.bval.util.AccessStrategy;
@@ -77,7 +77,7 @@ final class AnnotationConstraintBuilder<A extends Annotation>
{
/** build attributes, payload, groups from 'annotation' */
private void buildFromAnnotation() {
if (constraintValidation.getAnnotation() != null) {
- SecureActions.run(new PrivilegedAction<Object>() {
+ run(new PrivilegedAction<Object>() {
public Object run() {
for (Method method :
constraintValidation.getAnnotation().annotationType().getDeclaredMethods()) {
// groups + payload must also appear in attributes
(also
@@ -265,4 +265,12 @@ final class AnnotationConstraintBuilder<A extends
Annotation> {
((ConstraintValidation<Annotation>)
composite).setAnnotation(newAnnot);
}
}
+
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
diff --git
a/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java
b/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java
index 51ba622..8072f59 100644
--- a/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java
+++ b/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java
@@ -37,7 +37,6 @@ import org.apache.bval.MetaBeanFactory;
import org.apache.bval.MetaBeanFinder;
import org.apache.bval.MetaBeanManager;
import org.apache.bval.jsr303.util.SecureActions;
-import org.apache.bval.util.PrivilegedActions;
import org.apache.bval.xml.XMLMetaBeanBuilder;
import org.apache.bval.xml.XMLMetaBeanFactory;
import org.apache.bval.xml.XMLMetaBeanManager;
@@ -230,7 +229,7 @@ public class ApacheFactoryContext implements
ValidatorContext {
}
private <F extends MetaBeanFactory> F createMetaBeanFactory(final Class<F>
cls) {
- return PrivilegedActions.run(new PrivilegedAction<F>() {
+ return run(new PrivilegedAction<F>() {
public F run() {
try {
@@ -296,4 +295,12 @@ public class ApacheFactoryContext implements
ValidatorContext {
throw new ValidationException("Unable to load class: " +
className, ex);
}
}
+
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
diff --git
a/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java
b/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java
index 7cdd60e..27a1c42 100644
--- a/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java
+++ b/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java
@@ -28,6 +28,8 @@ import javax.validation.spi.BootstrapState;
import javax.validation.spi.ConfigurationState;
import javax.validation.spi.ValidationProvider;
import java.io.InputStream;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.*;
import java.util.logging.Logger;
@@ -239,7 +241,7 @@ public class ConfigurationImpl implements
ApacheValidatorConfiguration, Configur
* @throws ValidationException if the ValidatorFactory cannot be built
*/
public ValidatorFactory buildValidatorFactory() {
- return
SecureActions.run(SecureActions.doPrivBuildValidatorFactory(this));
+ return run(SecureActions.doPrivBuildValidatorFactory(this));
}
public ValidatorFactory doPrivBuildValidatorFactory() {
@@ -328,4 +330,11 @@ public class ConfigurationImpl implements
ApacheValidatorConfiguration, Configur
this.providerClass = providerClass;
}
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
diff --git
a/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java
b/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java
index eb10e77..3eb01f5 100644
--- a/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java
+++ b/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java
@@ -18,12 +18,11 @@
*/
package org.apache.bval.jsr303;
-import org.apache.bval.jsr303.util.SecureActions;
-
import javax.validation.ConstraintValidator;
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.Annotation;
+import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.*;
import java.util.logging.Level;
@@ -94,7 +93,7 @@ public class ConstraintDefaults {
final String eachClassName = tokens.nextToken();
Class<?> constraintValidatorClass =
- SecureActions.run(new PrivilegedAction<Class<?>>() {
+ run(new PrivilegedAction<Class<?>>() {
public Class<?> run() {
try {
return Class.forName(eachClassName, true,
classloader);
@@ -121,4 +120,12 @@ public class ConstraintDefaults {
if (classloader == null) classloader = getClass().getClassLoader();
return classloader;
}
+
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
diff --git
a/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java
b/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java
index 138af3d..4b7b48b 100644
---
a/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java
+++
b/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java
@@ -25,6 +25,8 @@ import org.apache.bval.jsr303.ConstraintAnnotationAttributes;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.Locale;
/**
@@ -57,9 +59,7 @@ public class ConstraintDefinitionValidator {
* The annotation to check.
*/
private static void validAttributes(final Annotation annotation) {
- final Method[] methods = SecureActions.run(
- SecureActions.getDeclaredMethods(annotation.annotationType())
- );
+ final Method[] methods =
run(SecureActions.getDeclaredMethods(annotation.annotationType()));
for (Method method : methods ){
// Currently case insensitive, the spec is unclear about this
if
(method.getName().toLowerCase(Locale.ENGLISH).startsWith("valid")) {
@@ -69,4 +69,11 @@ public class ConstraintDefinitionValidator {
}
}
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
