[
https://issues.apache.org/jira/browse/FELIX-6467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Karl Pauls resolved FELIX-6467.
-------------------------------
Resolution: Fixed
Thanks [~joeldudley] - I fixed it in
https://github.com/apache/felix-dev/pull/113
Will do a release soon.
> `AllPermission` not checked when updating `ConditionalPermissionAdmin`
> ----------------------------------------------------------------------
>
> Key: FELIX-6467
> URL: https://issues.apache.org/jira/browse/FELIX-6467
> Project: Felix
> Issue Type: Bug
> Components: Conditional Permission Admin
> Affects Versions: framework.security-2.8.1
> Reporter: Joel Dudley
> Assignee: Karl Pauls
> Priority: Major
> Fix For: framework-7.0.2, framework.security-2.8.2
>
>
> `ConditionalPermissionUpdate.commit()` should check whether the caller has
> `AllPermission` before committing the updated permissions. The Javadocs state:
> _"Throws:_
> _*SecurityException – If the caller does not have AllPermission.*_
> _IllegalStateException – If this update's Conditional Permissions are not
> valid or inconsistent. For example, this update has two Conditional
> Permissions in it with the same name"_
> This check is not performed (it is performed in the deprecated
> `addConditionalPermissionInfo()` and `setConditionalPermissionInfo()`
> methods).
> As a result, there is no way to prevent arbitrary code that can access the
> `ConditionalPermissionAdmin` from modifying the permissions at will.
>
>
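The contract quoted in the issue, modelled as a self-contained class: authorize the caller first, then validate, and only then publish the new table. This is an added example, not Felix code and not the change in the linked pull request; `GuardedUpdateDemo`, `Update` and the sample entry name are hypothetical. When no security manager is installed, the permission check is skipped.

```java
import java.security.AllPermission;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical model of a permission-table update; not the Felix implementation.
public class GuardedUpdateDemo {
    // Committed table, replaced as a whole on a successful commit.
    private static volatile List<String> committed = List.of();

    // Working copy handed to callers, in the role that the object returned by
    // ConditionalPermissionAdmin.newConditionalPermissionUpdate() plays in OSGi.
    static final class Update {
        final List<String> names = new ArrayList<>(committed);

        void commit() {
            // 1. Authorize first: the Javadoc quoted in the issue requires a
            //    SecurityException when the caller lacks AllPermission.
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPermission(new AllPermission()); // throws SecurityException
            }
            // 2. Then validate: two entries with the same name are inconsistent.
            Set<String> seen = new HashSet<>();
            for (String name : names) {
                if (!seen.add(name)) {
                    throw new IllegalStateException("duplicate name: " + name);
                }
            }
            // 3. Only now publish the new table.
            committed = List.copyOf(names);
        }
    }

    public static void main(String[] args) {
        Update ok = new Update();
        ok.names.add("allow-admin-bundle"); // constructed sample entry
        ok.commit();
        System.out.println("committed: " + committed);

        Update bad = new Update(); // working copy already holds the entry above
        bad.names.add("allow-admin-bundle"); // adding it again creates a duplicate
        try {
            bad.commit();
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```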