bval-dev mailing list archives

From "Roman Stumm (JIRA)" <>
Subject [jira] [Resolved] (BVAL-92) Security holes in org.apache.bval.util.PrivilegedActions
Date Thu, 25 Aug 2011 17:21:29 GMT


Roman Stumm resolved BVAL-92.

       Resolution: Fixed
    Fix Version/s: 0.4-incubating

Revision #1161648 
Committed by romanstumm at 25.08.11 19:14:15

applied patch "apache-bval-20110327231539-jw.diff" from Jörg Waßmer to fix security holes
in org.apache.bval.util.PrivilegedActions. Removed all deprecated and unused methods by changing
the source code that still used deprecated methods.

Also upgraded the apache-rat-plugin. 
Needed to enter a version for findbugs-maven-plugin, because I couldn't build with maven without

> Security holes in org.apache.bval.util.PrivilegedActions
> --------------------------------------------------------
>                 Key: BVAL-92
>                 URL:
>             Project: BeanValidation
>          Issue Type: Bug
>    Affects Versions: 0.2-incubating, 0.3-incubating, 0.4-incubating
>            Reporter: Jörg Waßmer
>            Assignee: Roman Stumm
>            Priority: Critical
>             Fix For: 0.4-incubating
>         Attachments: apache-bval-20110327092101-jw.diff, apache-bval-20110327231539-jw.diff
> PrivilegedActions is public. It offers several methods, e.g. getClassLoader(), which are
> executed surrounded by privileged actions. Thus any caller can get e.g. a classloader, even
> if the caller does not have the required permissions.
> PrivilegedActions should offer only factory methods creating the privileged actions.
> Then the callers should call AccessController.doPrivileged() for themselves, such that the
> actions will be executed in the caller's security domain, instead of the domain of the BeanValidation

This message is automatically generated by JIRA.
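The before/after shape of the fix the issue asks for, as an added example that is not the project's code (the class and method names below are hypothetical; the real class is org.apache.bval.util.PrivilegedActions). It shows why a public helper that calls doPrivileged itself acts as a confused deputy, and how returning only the PrivilegedAction moves the permission check into the caller's protection domain.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/** Hypothetical example class; not the BVal implementation. */
public final class PrivilegedActionsExample {

    // BEFORE (the hole): the library calls doPrivileged itself. The permission
    // walk stops at this frame, so only the library's own protection domain is
    // consulted. A caller lacking RuntimePermission("getClassLoader") still
    // receives the loader, because its frame is never examined.
    public static ClassLoader getClassLoaderUnsafe(final Class<?> clazz) {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return clazz.getClassLoader();
            }
        });
    }

    // AFTER (the fix): the library only builds the action and never runs it.
    public static PrivilegedAction<ClassLoader> getClassLoader(final Class<?> clazz) {
        return new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return clazz.getClassLoader();
            }
        };
    }

    // Caller side: because the caller is the one invoking doPrivileged, the
    // permission walk covers run(), doPrivileged and the caller's own frame,
    // so the caller's protection domain must hold the permission itself.
    public static ClassLoader callerSide(Class<?> clazz) {
        if (System.getSecurityManager() == null) {
            // No SecurityManager installed: no privilege boundary to cross.
            return clazz.getClassLoader();
        }
        return AccessController.doPrivileged(getClassLoader(clazz));
    }

    public static void main(String[] args) {
        System.out.println(callerSide(PrivilegedActionsExample.class));
    }
}
```

The SecurityManager and AccessController machinery this relies on was deprecated for removal in Java 17 (JEP 411), so on modern runtimes the factory shape mainly matters for code that still runs under a SecurityManager.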