https://issues.apache.org/bugzilla/show_bug.cgi?id=46096
Summary: DefaultAnnotationProcessor.processAnnotations should use doPrivileged to call getDeclaredFields
Product: Tomcat 6
Version: 6.0.18
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: normal
Priority: P2
Component: Jasper
AssignedTo: dev@tomcat.apache.org
ReportedBy: [EMAIL PROTECTED]

If Tomcat is running with a SecurityManager, and a JSP uses PageContext.forward, DefaultAnnotationProcessor code can be called with untrusted code on the call stack. The processAnnotations method contains the line:

    Field[] fields = instance.getClass().getDeclaredFields();

getDeclaredFields() is subject to security checks, so this throws a java.security.AccessControlException.

DefaultAnnotationProcessor is part of the code in the catalina lib directory, which is granted AllPermissions in the standard policy file. However, because there is untrusted JSP code on the stack, these permissions are not used.

The call to getDeclaredFields() should be wrapped in an AccessController.doPrivileged call to avoid the exception.
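
The wrapping the report asks for, shown beside the failing call, as an added example that is not part of the original report or of Tomcat's code base. The class, method and sample-bean names are hypothetical, and it assumes a JVM that still supports running with a SecurityManager.

```java
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration; DeclaredFieldsHelper is a hypothetical class, not Tomcat code.
public final class DeclaredFieldsHelper {

    private DeclaredFieldsHelper() {}

    // Before: the permission check walks every frame on the call stack, so a
    // less-privileged JSP frame makes this throw AccessControlException even
    // though this class's own code source is fully trusted by the policy file.
    static Field[] fieldsUnprivileged(Object instance) {
        return instance.getClass().getDeclaredFields();
    }

    // After: doPrivileged stops the stack walk at this frame, so only this
    // class's permissions are consulted. The privileged block is kept to the
    // single reflective call, so no caller-supplied logic runs inside it with
    // the library's permissions.
    static Field[] fieldsPrivileged(Object instance) {
        final Class<?> clazz = instance.getClass();
        if (System.getSecurityManager() == null) {
            // No SecurityManager installed: nothing to elevate.
            return clazz.getDeclaredFields();
        }
        return AccessController.doPrivileged(new PrivilegedAction<Field[]>() {
            public Field[] run() {
                return clazz.getDeclaredFields();
            }
        });
    }

    // Constructed sample target standing in for an annotated servlet or tag.
    static final class SampleBean {
        private String dataSourceName;
        private int poolSize;
    }

    public static void main(String[] args) {
        for (Field f : fieldsPrivileged(new SampleBean())) {
            System.out.println(f.getType().getSimpleName() + " " + f.getName());
        }
    }
}
```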