Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-1703

Checking isSymbolicLink should be in doPrivileged block

    XMLWordPrintable

Details

    Description

      The PathResourceManager.getSymlinkBase() method tires to check parent directories in the loop:

              for (int i = nameCount - 1; i>=0; i--) {
            if (Files.isSymbolicLink(f)) {
                return new SymlinkResult(i+1 > rootCount, f);
            }
            f = f.getParent();
        }

      So, when security manager is enabled, there is no way to grant suitable FilePermissions to this, and it will fail the security check if not <<ALL FILES>> is granted.

      Propose to move the part:

      Files.isSymbolicLink(f)

      in a doPrivileged block once security manager is enabled.

      Attachments

        Issue Links

          is incorporated by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-19256 [GSS](7.2.z) UNDERTOW-1703 - WFSM000001: Permission check failed ... FilePermission when Security Manager enabled and Web App tries to forward to jsp

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-19264 [GSS](7.3.z) WFLY-13392 - WFSM000001: Permission check failed ... FilePermission when Security Manager enabled and Web App tries to forward to jsp

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. WFLY-13392 WFSM000001: Permission check failed ... FilePermission when Security Manager enabled and Web App tries to forward to jsp

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFCORE-4942 Upgrade Undertow to 2.1.1.Final fixes CVE-2020-10719

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rhn-engineering-lgao Lin Gao
              rhn-engineering-lgao Lin Gao
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: