reta commented on code in PR #3256:
URL: https://github.com/apache/cxf/pull/3256#discussion_r3484725084
##########
core/src/main/java/org/apache/cxf/resource/SecurityActions.java:
##########
@@ -33,9 +33,14 @@ static boolean fileExists(final File file, Permission
permission) {
if (sm == null) {
return file.exists();
}
- sm.checkPermission(permission);
+ // Move the permission check inside doPrivileged so the stack walk
stops
+ // at the doPrivileged boundary. Checking outside doPrivileged walks
all
+ // the way up to user-deployment code, which must not be required to
hold
+ // a CXF-internal permission. Inside doPrivileged only CXF's own
privilege
+ // context is checked, preserving the confused-deputy guard.
return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
public Boolean run() {
+ sm.checkPermission(permission);
Review Comment:
@ffang I do understand the motivation for this change but I believe it
significantly changes the (intended?) security posture and behavior.
Essentially, any caller will be granted the permission assuming cxf-core has
it, why do we have to change it now? Thanks!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
