Joel Dudley created FELIX-6467:
----------------------------------
Summary: `AllPermission` not checked when updating `ConditionalPermissionAdmin`
Key: FELIX-6467
URL: https://issues.apache.org/jira/browse/FELIX-6467
Project: Felix
Issue Type: Bug
Components: Conditional Permission Admin
Affects Versions: framework.security-2.8.1
Reporter: Joel Dudley
`ConditionalPermissionUpdate.commit()` should check whether the caller has
`AllPermission` before committing the updated permissions. The Javadocs state:
_"Throws:_
_*SecurityException – If the caller does not have AllPermission.*_
_IllegalStateException – If this update's Conditional Permissions are not
valid or inconsistent. For example, this update has two Conditional Permissions
in it with the same name"_
This check is not performed (it is performed in the deprecated
`addConditionalPermissionInfo()` and `setConditionalPermissionInfo()` methods).
As a result, there is no way to prevent arbitrary code that can access the
`ConditionalPermissionAdmin` from modifying the permissions at will.
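
Added example, not part of the original report and not Felix source code: a simplified model of an update object whose `commit()` performs the `AllPermission` check the Javadoc promises, before validating or applying anything. The class `GuardedUpdateSketch`, its fields and the entry names are hypothetical, and it assumes a JVM on which `SecurityManager` is still available.

```java
import java.security.AllPermission;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical, simplified model of a permission-table update; not Felix source.
// Entries are reduced to their names (constructed sample data).
public class GuardedUpdateSketch {
    private final List<String> live;     // the committed table
    private final List<String> pending;  // working copy the caller edits

    GuardedUpdateSketch(List<String> live) {
        this.live = live;
        this.pending = new ArrayList<>(live);
    }

    List<String> getConditionalPermissionInfos() { return pending; }

    boolean commit() {
        // 1. Authorize first, before validation and before any state changes.
        //    Throws SecurityException unless the calling context holds AllPermission.
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new AllPermission());
        }
        // 2. Validate: two entries with the same name are an IllegalStateException.
        Set<String> seen = new HashSet<>();
        for (String name : pending) {
            if (!seen.add(name)) {
                throw new IllegalStateException("duplicate name: " + name);
            }
        }
        // 3. Only now replace the live table with the working copy.
        synchronized (live) {
            live.clear();
            live.addAll(pending);
        }
        return true;
    }

    public static void main(String[] args) {
        List<String> table = new ArrayList<>(List.of("allow-core"));
        GuardedUpdateSketch update = new GuardedUpdateSketch(table);
        update.getConditionalPermissionInfos().add("allow-plugin");
        // No SecurityManager is installed here, so step 1 is skipped.
        System.out.println(update.commit() + " " + table);
    }
}
```

A regression test for the real fix would call `commit()` from a bundle that lacks `AllPermission` and assert that `SecurityException` is thrown and the permission table is unchanged.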