Fixed FELIX-4652 : Security problem with AbstractWebConsolePlugin.spoolResource
https://issues.apache.org/jira/browse/FELIX-4652
git-svn-id: https://svn.apache.org/repos/asf/felix/trunk@1627478 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java b/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java
index 328c3dd..d31b559 100644
--- a/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java
+++ b/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java
@@ -21,6 +21,9 @@
import java.lang.reflect.*;
import java.net.URL;
import java.net.URLConnection;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.servlet.ServletConfig;
@@ -468,8 +471,7 @@
}
}
}
-
-
+
/**
* If the request addresses a resource which may be served by the
* <code>getResource</code> method of the
@@ -488,7 +490,36 @@
*
* @throws IOException If an error occurs accessing or spooling the resource.
*/
- private final boolean spoolResource( HttpServletRequest request, HttpServletResponse response ) throws IOException
+ private final boolean spoolResource(final HttpServletRequest request,
+ final HttpServletResponse response) throws IOException
+ {
+ try
+ {
+ // We need to call spoolResource0 in privileged block because it uses reflection, which
+ // requires the following set of permissions:
+ // (java.lang.RuntimePermission "getClassLoader")
+ // (java.lang.RuntimePermission "accessDeclaredMembers")
+ // (java.lang.reflect.ReflectPermission "suppressAccessChecks")
+ // See also https://issues.apache.org/jira/browse/FELIX-4652
+ final Boolean ret = (Boolean) AccessController.doPrivileged(new PrivilegedExceptionAction()
+ {
+
+ public Object run() throws Exception
+ {
+ return spoolResource0(request, response) ? Boolean.TRUE : Boolean.FALSE;
+ }
+ });
+ return ret.booleanValue();
+ }
+ catch (PrivilegedActionException e)
+ {
+ final Exception x = e.getException();
+ throw x instanceof IOException ? (IOException) x : new IOException(
+ x.toString());
+ }
+ }
+
+ final boolean spoolResource0( HttpServletRequest request, HttpServletResponse response ) throws IOException
{
// no resource if no resource accessor
Method getResourceMethod = getGetResourceMethod();
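Review bot: The catch block at `throw x instanceof IOException ? (IOException) x : new IOException(x.toString());` discards the original exception as the cause, so any non-IOException checked failure raised inside spoolResource0 (reflection or otherwise) loses its stack trace and only its `toString()` survives in the log. Since the code uses a raw `PrivilegedExceptionAction` and a `Boolean` cast, it seems to target a pre-generics Java level, so `initCause` is the portable way to keep the chain: `final IOException ioe = new IOException(x.toString());` / `ioe.initCause(x);` / `throw ioe;` (on Java 6+ `new IOException(x.toString(), x)` does the same in one line). It would also help a reader to note above the `doPrivileged` call that the whole of spoolResource0, including the write to the response, now runs with the bundle's own permissions rather than the caller's, so the action should stay limited to what spoolResource0 does today; the body of spoolResource0 continues past the end of this hunk.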