[jira] [Work logged] (IO-712) SecurityExceptions are hidden instead of breaking the regular flow

Sun, 19 Sep 2021 12:01:08 -0700 


     [ 
https://issues.apache.org/jira/browse/IO-712?focusedWorklogId=652736&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-652736
 ]

ASF GitHub Bot logged work on IO-712:
-------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Sep/21 19:00
            Start Date: 19/Sep/21 19:00
    Worklog Time Spent: 10m 
      Work Description: garydgregory commented on pull request #197:
URL: https://github.com/apache/commons-io/pull/197#issuecomment-922520425


   I still don't buy it, just don't use the API if its POV is so wrong for your 
use case. If anything, we can better Javadoc this method. What do others think? 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 652736)
    Time Spent: 1h  (was: 50m)

> SecurityExceptions are hidden instead of breaking the regular flow
> ------------------------------------------------------------------
>
>                 Key: IO-712
>                 URL: https://issues.apache.org/jira/browse/IO-712
>             Project: Commons IO
>          Issue Type: Bug
>          Components: Utilities
>    Affects Versions: 2.8.0
>            Reporter: Boris Unckel
>            Priority: Critical
>              Labels: Security, SecurityManager
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Several points in the code hide SecurityException. These _must_ always 
> _break_ the regular control flow, if you're not the SecurityManager. 
> UseCase A: One wants to configure the SecurityManager and grant permissions. 
> Part of the application is to delete a file. If the permission is missing, 
> cleaning does not work. The missing exception does not allow to recognize 
> that.
>  UseCase B: One has activated the SecurityManager. An attacker abuses the 
> relevant method. The missing SecurityException hides this attempt, ones IDS 
> can't alarm.
>  UseCase C: One utilizes the SecurityManager to test the system, to ensure 
> every property (like file location) is set properly. The missing 
> SecurityException does not support this UseCase.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to