[ https://issues.apache.org/jira/browse/FELIX-3992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Pauls resolved FELIX-3992.
-------------------------------
    Resolution: Fixed

> Classloader access outside of a privileged block
> ------------------------------------------------
>
>                 Key: FELIX-3992
>                 URL: https://issues.apache.org/jira/browse/FELIX-3992
>             Project: Felix
>          Issue Type: Bug
>          Components: Framework
>    Affects Versions: framework-4.2.0
>            Reporter: Romain Dubois
>            Assignee: Karl Pauls
>            Priority: Minor
>              Labels: security
>             Fix For: framework-4.4.0
>
>
> In method
> org.apache.felix.framework.ServiceRegistrationImpl.isClassAccessible(Class),
> there is an access to the registered ServiceFactory classloader (lines
> 163:169 in v4.2.1):
>
>     if ((m_factory != null)
>         && (m_factory.getClass().getClassLoader() instanceof BundleReference)
>         && !((BundleReference) m_factory.getClass()
>             .getClassLoader()).getBundle().equals(m_bundle))
>     {
>         return true;
>     }
>
> If a bundle registers a service through a ServiceFactory and if there is an
> active ServiceListener matching this service, those lines are executed inside
> the registering bundle's protection domain.
> If this bundle does not have the (java.util.RuntimePermission
> 'getClassLoader') privilege, the getClassLoader invocation throws a
> SecurityException and the listener is always called because the exception is
> caught at line 526 (isAssignableTo) of the same class.
> The comment inside the catch block does not seem to justify this case.
> I think a simple privileged block around the bundle comparison is harmless
> and should fix this. It could be something like:
>
>     if (m_factory != null)
>     {
>         Bundle bundle = null;
>         if (System.getSecurityManager() == null)
>         {
>             if (m_factory.getClass().getClassLoader() instanceof BundleReference) {
>                 bundle = ((BundleReference) m_factory.getClass().getClassLoader()).getBundle();
>             }
>         }
>         else
>         {
>             // Look up the factory's bundle inside a privileged block
>             bundle = AccessController.doPrivileged(new PrivilegedAction<Bundle>() {
>                 public Bundle run() {
>                     if (m_factory.getClass().getClassLoader() instanceof BundleReference) {
>                         return ((BundleReference) m_factory.getClass().getClassLoader()).getBundle();
>                     }
>                     return null;
>                 }
>             });
>         }
>
>         // Negated, as in the existing check at lines 163:169
>         if (bundle != null && !bundle.equals(m_bundle)) {
>             return true;
>         }
>     }

--
This message was sent by Atlassian JIRA
(v6.2#6252)
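
The stack-walk behaviour the report relies on, as an added example that is not part of the original message or of the Felix code base: the same `getClassLoader` permission check fails when it runs on behalf of a caller whose protection domain lacks the permission, and passes once it is wrapped in a privileged block. The class name, the empty protection domain standing in for the registering bundle, and the allow-all `Policy` standing in for the framework's own permissions are assumptions; it needs a JDK where `java.security.AccessController` is still functional (the API was deprecated in Java 17 and disabled in Java 24).

```java
import java.security.*;

// Added illustration, not Felix code. All names here are hypothetical.
public class PrivilegedBlockDemo {
    // The permission Class.getClassLoader() checks when a SecurityManager is installed.
    static final Permission GET_CL = new RuntimePermission("getClassLoader");

    // Stand-in for the registering bundle's protection domain: static and empty,
    // so it does not hold RuntimePermission("getClassLoader").
    static final AccessControlContext UNPRIVILEGED_BUNDLE = new AccessControlContext(
        new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    // Unfixed shape: the check walks the whole call stack, bundle domain included.
    static boolean checkDirectly() {
        try {
            AccessController.checkPermission(GET_CL);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    // Fixed shape: doPrivileged stops the stack walk at this (framework) frame.
    static boolean checkInPrivilegedBlock() {
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            public Boolean run() { return checkDirectly(); }
        });
    }

    public static void main(String[] args) {
        // Assumption: the framework's own code is granted every permission.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        // Run both variants as if called from the unprivileged registering bundle.
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            public Void run() {
                System.out.println("direct check passes:     " + checkDirectly());
                System.out.println("privileged check passes: " + checkInPrivilegedBlock());
                return null;
            }
        }, UNPRIVILEGED_BUNDLE);
    }
}
```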