[
https://issues.apache.org/jira/browse/FELIX-3992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Romain Dubois updated FELIX-3992:
---------------------------------
Description:
In method
org.apache.felix.framework.ServiceRegistrationImpl.isClassAccessible(Class),
there is an access to the registered ServiceFactory classloader (lines 163:169
in v4.2.1):
    if ((m_factory != null)
        && (m_factory.getClass().getClassLoader() instanceof BundleReference)
        && !((BundleReference) m_factory.getClass()
            .getClassLoader()).getBundle().equals(m_bundle))
    {
        return true;
    }
If a bundle registers a service through a ServiceFactory and if there is an
active ServiceListener matching this service, those lines are executed inside
the registering bundle's protection domain.
If this bundle does not have the (java.util.RuntimePermission 'getClassloader')
privilege, the getClassLoader invocation throws a SecurityException and the
listener is always called because the exception is caught at line 526
(isAssignableTo) of the same class.
The comment inside the catch block does not seem to justify this case.
I think a simple privileged block around the bundle comparison is harmless and
should fix this. It could be something like:
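    // Needs java.security.AccessController and java.security.PrivilegedAction.
    if (m_factory != null)
    {
        Bundle bundle = null;
        if (System.getSecurityManager() == null)
        {
            // No security manager: read the class loader directly.
            if (m_factory.getClass().getClassLoader() instanceof BundleReference)
            {
                bundle = ((BundleReference)
                    m_factory.getClass().getClassLoader()).getBundle();
            }
        }
        else
        {
            // doPrivileged stops the permission check at the framework's
            // protection domain, so the registering bundle does not need
            // the getClassLoader permission.
            bundle = AccessController.doPrivileged(new PrivilegedAction<Bundle>() {
                public Bundle run() {
                    if (m_factory.getClass().getClassLoader() instanceof BundleReference)
                    {
                        return ((BundleReference)
                            m_factory.getClass().getClassLoader()).getBundle();
                    }
                    return null;
                }
            });
        }
        // Same test as the original check: the factory's class was loaded
        // by a bundle other than m_bundle.
        if (bundle != null && !bundle.equals(m_bundle)) {
            return true;
        }
    }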
> Classloader access outside of a privileged block
> ------------------------------------------------
>
> Key: FELIX-3992
> URL: https://issues.apache.org/jira/browse/FELIX-3992
> Project: Felix
> Issue Type: Bug
> Components: Framework
> Affects Versions: framework-4.2.0
> Reporter: Romain Dubois
> Priority: Minor
> Labels: security