Re: AbstractILFactory bug?
Hmm well spotted, better report that one :) Cheers, Peter. Sent from my Samsung device. Include original message Original message From: "Michał Kłeczek (XPro Sp. z o. o.)" Sent: 06/02/2017 07:51:20 pm To: dev@river.apache.org Subject: Re: AbstractILFactory bug? I'm talking about this: Util.checkPackageAccess(interfaces[i].getClass()); //NOTE the getClass() here!!! It should be: Util.checkPackageAccess(interfaces[i]); Michal Michał Kłeczek (XPro Sp. z o. o.) wrote: > I understand the check is needed. > > It is that we are not checking the right package but "java.lang" > > Thanks, > Michal > > Peter wrote: >> Ok, worked out why, java.lang.reflect.Proxy's newProxyInstance >> permission check is caller sensitive. In this case >> AbstractILFactory is the caller, so not checking it would allow an >> attacker to bypass the check using AbstractILFactory. >> Cheers, >> >> Peter. >> >> Sent from my Samsung device. >> Include original message >> Original message >> From: "Michał Kłeczek (XPro Sp. z o. o.)" >> Sent: 06/02/2017 05:06:32 pm >> To: dev@river.apache.org >> Subject: AbstractILFactory bug? >> >> I have just found this piece of code in AbstractILFactory: >> >> Class[] interfaces = getProxyInterfaces(impl); >> ... >> for (int i = 0; i< interfaces.length; i++) { >> Util.checkPackageAccess(interfaces[i].getClass()); >> } >> >> So we check "java.lang" package access. >> >> A bug? >> >> Thanks, >> Michal >> >> >
Re: AbstractILFactory bug?
I'm talking about this: Util.checkPackageAccess(interfaces[i].getClass()); //NOTE the getClass() here!!! It should be: Util.checkPackageAccess(interfaces[i]); Michal Michał Kłeczek (XPro Sp. z o. o.) wrote: I understand the check is needed. It is that we are not checking the right package but "java.lang" Thanks, Michal Peter wrote: Ok, worked out why, java.lang.reflect.Proxy's newProxyInstance permission check is caller sensitive. In this case AbstractILFactory is the caller, so not checking it would allow an attacker to bypass the check using AbstractILFactory. Cheers, Peter. Sent from my Samsung device. Include original message Original message From: "Michał Kłeczek (XPro Sp. z o. o.)" Sent: 06/02/2017 05:06:32 pm To: dev@river.apache.org Subject: AbstractILFactory bug? I have just found this piece of code in AbstractILFactory: Class[] interfaces = getProxyInterfaces(impl); ... for (int i = 0; i< interfaces.length; i++) { Util.checkPackageAccess(interfaces[i].getClass()); } So we check "java.lang" package access. A bug? Thanks, Michal
Re: AbstractILFactory bug?
I understand the check is needed. It is that we are not checking the right package but "java.lang" Thanks, Michal Peter wrote: Ok, worked out why, java.lang.reflect.Proxy's newProxyInstance permission check is caller sensitive. In this case AbstractILFactory is the caller, so not checking it would allow an attacker to bypass the check using AbstractILFactory. Cheers, Peter. Sent from my Samsung device. Include original message Original message From: "Michał Kłeczek (XPro Sp. z o. o.)" Sent: 06/02/2017 05:06:32 pm To: dev@river.apache.org Subject: AbstractILFactory bug? I have just found this piece of code in AbstractILFactory: Class[] interfaces = getProxyInterfaces(impl); ... for (int i = 0; i< interfaces.length; i++) { Util.checkPackageAccess(interfaces[i].getClass()); } So we check "java.lang" package access. A bug? Thanks, Michal
Re: AbstractILFactory bug?
Ok, worked out why, java.lang.reflect.Proxy's newProxyInstance permission check is caller sensitive. In this case AbstractILFactory is the caller, so not checking it would allow an attacker to bypass the check using AbstractILFactory. Cheers, Peter. Sent from my Samsung device. Include original message Original message From: "Michał Kłeczek (XPro Sp. z o. o.)" Sent: 06/02/2017 05:06:32 pm To: dev@river.apache.org Subject: AbstractILFactory bug? I have just found this piece of code in AbstractILFactory: Class[] interfaces = getProxyInterfaces(impl); ... for (int i = 0; i < interfaces.length; i++) { Util.checkPackageAccess(interfaces[i].getClass()); } So we check "java.lang" package access. A bug? Thanks, Michal
AbstractILFactory bug?
I have just found this piece of code in AbstractILFactory: Class[] interfaces = getProxyInterfaces(impl); ... for (int i = 0; i < interfaces.length; i++) { Util.checkPackageAccess(interfaces[i].getClass()); } So we check "java.lang" package access. A bug? Thanks, Michal