[
https://issues.apache.org/jira/browse/BVAL-92?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Matt Benson closed BVAL-92.
---------------------------
> Security holes in org.apache.bval.util.PrivilegedActions
> --------------------------------------------------------
>
> Key: BVAL-92
> URL: https://issues.apache.org/jira/browse/BVAL-92
> Project: BVal
> Issue Type: Bug
> Affects Versions: 0.2-incubating, 0.3-incubating, 0.4
> Reporter: Jörg Waßmer
> Assignee: Roman Stumm
> Priority: Critical
> Fix For: 0.4
>
> Attachments: apache-bval-20110327092101-jw.diff,
> apache-bval-20110327231539-jw.diff
>
>
> PrivilegedActions is public. It offers several method, e.g. getClassLoader()
> which are executed surrounded by privileged actions. Thus any caller can get
> e.g. a classloader, even if the caller has not the required permissions.
> PrivilegedActions should offer only factory methods creating the privileged
> actions. Then the callers should call AccessController.doPrivileged() for
> themselves, such that the actions will be executed in the caller's security
> domain, instead of the domain of the BeanValidation API.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
