1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
From: Markus Koschany <apo@debian.org>
Date: Thu, 11 Jan 2018 14:39:09 +0100
Subject: CVE-2017-7536
Bug-Debian: https://bugs.debian.org/885577
Origin: https://github.com/hibernate/hibernate-validator/commit/0ed45f37c4680998167179e631113a2c9cb5d113
---
.../validator/HibernateValidatorPermission.java | 29 ++++++++++++++++++++++
.../validator/internal/engine/ValidatorImpl.java | 6 +++++
.../util/privilegedactions/GetDeclaredField.java | 1 -
3 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
diff --git a/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java b/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
new file mode 100644
index 0000000..71b33b7
--- /dev/null
+++ b/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
@@ -0,0 +1,29 @@
+/*
+ * Hibernate Validator, declare and validate application constraints
+ *
+ * License: Apache License, Version 2.0
+ * See the license.txt file in the root directory or <http://www.apache.org/licenses/LICENSE-2.0>.
+ */
+package org.hibernate.validator;
+
+import java.security.BasicPermission;
+
+/**
+ * Our specific implementation of {@link BasicPermission} as we cannot define additional {@link RuntimePermission}.
+ * <p>
+ * {@code HibernateValidatorPermission} is thread-safe and immutable.
+ *
+ * @author Guillaume Smet
+ */
+public class HibernateValidatorPermission extends BasicPermission {
+
+ public static final HibernateValidatorPermission ACCESS_PRIVATE_MEMBERS = new HibernateValidatorPermission( "accessPrivateMembers" );
+
+ public HibernateValidatorPermission(String name) {
+ super( name );
+ }
+
+ public HibernateValidatorPermission(String name, String actions) {
+ super( name, actions );
+ }
+}
diff --git a/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java b/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
index 02d2b97..00b78e2 100644
--- a/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
+++ b/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
@@ -64,6 +64,7 @@ import org.hibernate.validator.internal.util.privilegedactions.SetAccessibility;
import org.hibernate.validator.method.MethodConstraintViolation;
import org.hibernate.validator.method.MethodValidator;
import org.hibernate.validator.method.metadata.TypeDescriptor;
+import org.hibernate.validator.HibernateValidatorPermission;
import static org.hibernate.validator.internal.util.CollectionHelper.newArrayList;
import static org.hibernate.validator.internal.util.CollectionHelper.newHashMap;
@@ -1426,6 +1427,11 @@ public class ValidatorImpl implements Validator, MethodValidator {
return member;
}
+ SecurityManager sm = System.getSecurityManager();
+ if ( sm != null ) {
+ sm.checkPermission( HibernateValidatorPermission.ACCESS_PRIVATE_MEMBERS );
+ }
+
Class<?> clazz = original.getDeclaringClass();
if ( original instanceof Field ) {
diff --git a/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java b/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
index 3617d63..8db6523 100644
--- a/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
+++ b/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
@@ -41,7 +41,6 @@ public final class GetDeclaredField implements PrivilegedAction<Field> {
public Field run() {
try {
final Field field = clazz.getDeclaredField( fieldName );
- field.setAccessible( true );
return field;
}
catch ( NoSuchFieldException e ) {
|
