DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12101>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12101

SecurityManager + unprivileged call to getParameter() = Security Violation

------- Additional Comments From [EMAIL PROTECTED] 2002-08-29 16:55 -------

Actually I needed to add this slightly different permission to address the problem:

    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";

Are there any security vulnerabilities exposed to untrusted webapps with this permission granted?

If the org.apache.catalina.util... packages are expected to be protected from untrusted/user code, are there missing PrivilegedAction blocks in the HttpRequestBase Catalina implementation for methods like getParameter() and getParameterNames()?

The way I "masked" the bug (w/o granting the permission above to untrusted webapps) was to have a trusted filter that calls getParameterNames() for the first request of each context. (It's a hack, yes, but I figured this was safer than simply granting the permission to all webapps, since I wasn't sure if that compromised any security.)

Thoughts?

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
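The workaround the commenter describes, written out as an added example (this is not code from the bug report or from Tomcat): a filter loaded from a trusted code base that calls getParameterNames() once per context, wrapped in AccessController.doPrivileged() so the package-access check sees only trusted frames on the stack. The class name WarmUpFilter, the jar path in the policy grant, and the once-per-context flag are assumptions for this example; the permission string is the one quoted in the comment. The policy grant is shown as a comment at the top because it is not Java.

```java
// Added example, not from the bug report or from Tomcat. Assumes the filter
// class is packaged in a jar that is granted the permission from the comment
// in catalina.policy, for that code base only (path is an assumption):
//
//   grant codeBase "file:${catalina.home}/common/lib/warmup-filter.jar" {
//       permission java.lang.RuntimePermission
//           "accessClassInPackage.org.apache.catalina.util";
//   };
//
// With that grant, the first request through the filter loads the
// org.apache.catalina.util parameter-parsing classes while only trusted
// frames are on the stack; untrusted webapp code never needs the permission.

import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

public class WarmUpFilter implements Filter {

    // One instance per context, so this flag means "first request of this
    // context has been handled" (assumption: the container creates one
    // filter instance per context, as the Servlet spec requires).
    private volatile boolean warmedUp = false;

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (!warmedUp) {
            warmUp(request);
        }
        chain.doFilter(request, response);
    }

    // doPrivileged() stops the permission check's stack walk at this frame, so
    // the check evaluates this filter's (trusted) code base instead of whatever
    // untrusted webapp code is further up the stack. This is the same
    // PrivilegedAction pattern the comment asks about for the container's own
    // getParameter()/getParameterNames() implementation.
    private synchronized void warmUp(final ServletRequest request)
            throws ServletException {
        if (warmedUp) {
            return;
        }
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    Enumeration names = request.getParameterNames();
                    // Also touch one value so the value-decoding path is
                    // exercised, not just the name enumeration.
                    if (names.hasMoreElements()) {
                        request.getParameter((String) names.nextElement());
                    }
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            throw new ServletException("parameter warm-up failed", e.getException());
        }
        warmedUp = true;
    }

    public void destroy() {
        // nothing to release
    }
}
```

Two caveats a practitioner should keep in mind. First, this only masks the check rather than satisfying it: it relies on the package-access check firing when the catalina.util classes are first resolved, which is exactly the behaviour the commenter observed, and nothing more. Second, the filter must be loaded by a class loader whose code base carries the grant; if the same class is dropped into an untrusted webapp's WEB-INF/lib, doPrivileged() will assert the webapp's own (missing) permission and the call will fail the same way.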