[
https://issues.apache.org/jira/browse/FELIX-4197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Felix Meschberger resolved FELIX-4197.
--------------------------------------
Resolution: Fixed
Fixed in Rev. 1515315: permissions are now always checked for
Configuration.get/setBundleLocation.
> [CM] Always check permission on Configuration.get/setBundleLocation
> -------------------------------------------------------------------
>
> Key: FELIX-4197
> URL: https://issues.apache.org/jira/browse/FELIX-4197
> Project: Felix
> Issue Type: Bug
> Components: Configuration Admin, Specification compliance
> Affects Versions: configadmin-1.6.0
> Reporter: Felix Meschberger
> Assignee: Felix Meschberger
> Fix For: configadmin-1.8.0
>
>
> If the Configuration.getBundleLocation or Configuration.setBundleLocation is
> called, the permission is only checked if the current (or new) location is
> not the same as the calling bundle's own location. This is assumption is
> derived from 104.11.1 (Configuration Admin in Compendium Spec):
> > Every bundle has the implicit right to receive and configure configurations
> > with a location that exactly matches the Bundle’s location or that is null.
> Yet this assumption is wrong because this would allow bundles to actually
> circumvent the permissions set on the Bundle.getLocation() method requiring
> AdminPermission[this,METADATA] and to allow bundles to get to their locations
> without permission checking.
> The correct assumption is, that only CRUD configuration (properties) itself
> is allowed but not CRUD on the configuration's location binding.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
