[ https://issues.apache.org/jira/browse/FELIX-6467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Pauls closed FELIX-6467.
-----------------------------

> `AllPermission` not checked when updating `ConditionalPermissionAdmin`
> ----------------------------------------------------------------------
>
>                 Key: FELIX-6467
>                 URL: https://issues.apache.org/jira/browse/FELIX-6467
>             Project: Felix
>          Issue Type: Bug
>          Components: Conditional Permission Admin
>    Affects Versions: framework.security-2.8.1
>            Reporter: Joel Dudley
>            Assignee: Karl Pauls
>            Priority: Major
>             Fix For: framework-7.0.3, framework.security-2.8.3
>
>
> `ConditionalPermissionUpdate.commit()` should check whether the caller has
> `AllPermission` before committing the updated permissions. The Javadocs state:
> _"Throws:_
> _*SecurityException – If the caller does not have AllPermission.*_
> _IllegalStateException – If this update's Conditional Permissions are not
> valid or inconsistent. For example, this update has two Conditional
> Permissions in it with the same name"_
> This check is not performed (it is performed in the deprecated
> `addConditionalPermissionInfo()` and `setConditionalPermissionInfo()`
> methods).
> As a result, there is no way to prevent arbitrary code that can access the
> `ConditionalPermissionAdmin` from modifying the permissions at will.
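The missing check described in this issue, as an added Java example that is not Felix or OSGi code: a hypothetical permission table whose `commitUnchecked()` applies any caller's rows, beside a `commitChecked()` that throws `SecurityException` unless the caller holds `AllPermission`. The class, method names and table rows are constructed for illustration; the caller is passed as an explicit `AccessControlContext` so the check runs without installing a security manager, and a JDK where the Security Manager API is still functional (Java 17 or earlier) is assumed.

```java
import java.security.AccessControlContext;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.PropertyPermission;

// Hypothetical stand-in for a permission-table update; not Felix or OSGi code.
public class CommitCheckDemo {
    static final List<String> table = new ArrayList<>(); // the live permission table

    // Behaviour the report describes: rows are applied without checking the caller.
    static boolean commitUnchecked(List<String> rows) {
        table.clear();
        table.addAll(rows);
        return true;
    }

    // Behaviour the Javadoc requires: SecurityException unless the caller has AllPermission.
    static boolean commitChecked(AccessControlContext caller, List<String> rows) {
        caller.checkPermission(new AllPermission()); // AccessControlException if not implied
        return commitUnchecked(rows);
    }

    // Build a caller context whose only protection domain holds exactly one permission.
    static AccessControlContext contextWith(Permission p) {
        Permissions granted = new Permissions();
        granted.add(p);
        ProtectionDomain domain = new ProtectionDomain(null, granted);
        return new AccessControlContext(new ProtectionDomain[] { domain });
    }

    public static void main(String[] args) {
        AccessControlContext admin = contextWith(new AllPermission());
        AccessControlContext bundle = contextWith(new PropertyPermission("user.name", "read"));

        commitChecked(admin, Arrays.asList("constructed-row-from-admin"));
        try {
            commitChecked(bundle, Arrays.asList("constructed-row-from-unprivileged-caller"));
        } catch (SecurityException e) {
            System.out.println("checked commit rejected: " + e.getMessage());
        }
        System.out.println("table after checked commits:  " + table);

        commitUnchecked(Arrays.asList("constructed-row-from-unprivileged-caller"));
        System.out.println("table after unchecked commit: " + table);
    }
}
```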