Re: AbstractILFactory bug?

2017-02-06 Thread Peter
Hmm well spotted, better report that one :)

Cheers,

Peter.

Sent from my Samsung device.
 
 Original message 
From: "Michał Kłeczek (XPro Sp. z o. o.)" 
Sent: 06/02/2017 07:51:20 pm
To: dev@river.apache.org
Subject: Re: AbstractILFactory bug?

I'm talking about this: 
Util.checkPackageAccess(interfaces[i].getClass()); //NOTE the getClass() here!!!

It should be: 
Util.checkPackageAccess(interfaces[i]); 

Michal 

Michał Kłeczek (XPro Sp. z o. o.) wrote: 
> I understand the check is needed. 
> 
> It is that we are not checking the right package but "java.lang" 
> 
> Thanks, 
> Michal 
> 
> Peter wrote: 
>> Ok, worked out why, java.lang.reflect.Proxy's newProxyInstance
>> permission check is caller sensitive.  In this case
>> AbstractILFactory is the caller, so not checking it would allow an
>> attacker to bypass the check using AbstractILFactory.
>> Cheers, 
>> 
>> Peter. 
>> 
>> Sent from my Samsung device. 
>>  Original message  
>> From: "Michał Kłeczek (XPro Sp. z o. o.)" 
>> Sent: 06/02/2017 05:06:32 pm 
>> To: dev@river.apache.org 
>> Subject: AbstractILFactory bug? 
>> 
>> I have just found this piece of code in AbstractILFactory: 
>> 
>> Class[] interfaces = getProxyInterfaces(impl); 
>> ... 
>> for (int i = 0; i < interfaces.length; i++) {
>>   Util.checkPackageAccess(interfaces[i].getClass()); 
>> } 
>> 
>> So we check "java.lang" package access. 
>> 
>> A bug? 
>> 
>> Thanks, 
>> Michal 
>> 
>> 
> 




Re: AbstractILFactory bug?

2017-02-06 Thread Michał Kłeczek (XPro Sp. z o. o.)

I'm talking about this:
Util.checkPackageAccess(interfaces[i].getClass()); //NOTE the getClass() here!!!


It should be:
Util.checkPackageAccess(interfaces[i]);

Michal

Michał Kłeczek (XPro Sp. z o. o.) wrote:
> I understand the check is needed.
>
> It is that we are not checking the right package but "java.lang"
>
> Thanks,
> Michal
>
> Peter wrote:
>> Ok, worked out why, java.lang.reflect.Proxy's newProxyInstance
>> permission check is caller sensitive.  In this case
>> AbstractILFactory is the caller, so not checking it would allow an
>> attacker to bypass the check using AbstractILFactory.
>>
>> Cheers,
>>
>> Peter.
>>
>> Sent from my Samsung device.
>>  Original message
>> From: "Michał Kłeczek (XPro Sp. z o. o.)"
>> Sent: 06/02/2017 05:06:32 pm
>> To: dev@river.apache.org
>> Subject: AbstractILFactory bug?
>>
>> I have just found this piece of code in AbstractILFactory:
>>
>> Class[] interfaces = getProxyInterfaces(impl);
>> ...
>> for (int i = 0; i < interfaces.length; i++) {
>>   Util.checkPackageAccess(interfaces[i].getClass());
>> }
>>
>> So we check "java.lang" package access.
>>
>> A bug?
>>
>> Thanks,
>> Michal
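An added illustration of the bug discussed in this thread (not code from Apache River or from either poster): it runs the quoted loop and the proposed correction side by side and shows which package each one actually examines. The `checkPackageAccess` method here is a hypothetical stand-in for River's `Util.checkPackageAccess`, and the restricted-package list and the two sample interfaces are constructed for the demonstration.

```java
import java.util.List;

public class PackageCheckDemo {
    // Constructed restricted-package list, standing in for the security policy.
    static final List<String> RESTRICTED = List.of("javax.security.auth");

    // Hypothetical stand-in for Util.checkPackageAccess(Class): rejects a class
    // whose package is restricted and returns the package name it examined.
    static String checkPackageAccess(Class<?> type) {
        String name = type.getName();
        int dot = name.lastIndexOf('.');
        String pkg = dot < 0 ? "" : name.substring(0, dot);
        if (RESTRICTED.contains(pkg)) {
            throw new SecurityException("access denied to package " + pkg);
        }
        return pkg;
    }

    // The loop as quoted in the thread: interfaces[i] is already a Class, so
    // getClass() returns java.lang.Class and only "java.lang" is examined.
    static void checkAsQuoted(Class<?>[] interfaces) {
        for (int i = 0; i < interfaces.length; i++) {
            String pkg = checkPackageAccess(interfaces[i].getClass());
            System.out.println("quoted loop examined:   " + pkg);
        }
    }

    // The loop with the correction proposed in the thread.
    static void checkAsProposed(Class<?>[] interfaces) {
        for (int i = 0; i < interfaces.length; i++) {
            String pkg = checkPackageAccess(interfaces[i]);
            System.out.println("proposed loop examined: " + pkg);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: one unrestricted and one restricted interface.
        Class<?>[] interfaces = {
            java.rmi.Remote.class, javax.security.auth.Destroyable.class
        };
        checkAsQuoted(interfaces); // completes: the restricted package is never seen
        try {
            checkAsProposed(interfaces);
        } catch (SecurityException e) {
            System.out.println("proposed loop rejected: " + e.getMessage());
        }
    }
}
```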








Re: AbstractILFactory bug?

2017-02-06 Thread Michał Kłeczek (XPro Sp. z o. o.)

I understand the check is needed.

It is that we are not checking the right package but "java.lang"

Thanks,
Michal

Peter wrote:
> Ok, worked out why, java.lang.reflect.Proxy's newProxyInstance
> permission check is caller sensitive.  In this case
> AbstractILFactory is the caller, so not checking it would allow an
> attacker to bypass the check using AbstractILFactory.
>
> Cheers,
>
> Peter.
>
> Sent from my Samsung device.
>  Original message
> From: "Michał Kłeczek (XPro Sp. z o. o.)"
> Sent: 06/02/2017 05:06:32 pm
> To: dev@river.apache.org
> Subject: AbstractILFactory bug?
>
> I have just found this piece of code in AbstractILFactory:
>
> Class[] interfaces = getProxyInterfaces(impl);
> ...
> for (int i = 0; i < interfaces.length; i++) {
>   Util.checkPackageAccess(interfaces[i].getClass());
> }
>
> So we check "java.lang" package access.
>
> A bug?
>
> Thanks,
> Michal






Re: AbstractILFactory bug?

2017-02-06 Thread Peter
Ok, worked out why, java.lang.reflect.Proxy's newProxyInstance permission
check is caller sensitive.  In this case AbstractILFactory is the caller, so
not checking it would allow an attacker to bypass the check using
AbstractILFactory.

Cheers,

Peter.

Sent from my Samsung device.
 
 Original message 
From: "Michał Kłeczek (XPro Sp. z o. o.)" 
Sent: 06/02/2017 05:06:32 pm
To: dev@river.apache.org
Subject: AbstractILFactory bug?

I have just found this piece of code in AbstractILFactory: 

Class[] interfaces = getProxyInterfaces(impl); 
... 
for (int i = 0; i < interfaces.length; i++) { 
 Util.checkPackageAccess(interfaces[i].getClass()); 
} 

So we check "java.lang" package access. 

A bug? 

Thanks, 
Michal 



AbstractILFactory bug?

2017-02-05 Thread Michał Kłeczek (XPro Sp. z o. o.)

I have just found this piece of code in AbstractILFactory:

Class[] interfaces = getProxyInterfaces(impl);
...
for (int i = 0; i < interfaces.length; i++) {
  Util.checkPackageAccess(interfaces[i].getClass());
}

So we check "java.lang" package access.

A bug?

Thanks,
Michal