...
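```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;

// The methods below belong to the enclosing class.
private void openFile(AccessControlContext context) {
  // One-element array so the anonymous class can assign the stream
  final FileInputStream[] f = {null};
  AccessController.doPrivileged(new PrivilegedAction<Void>() {
    @Override
    public Void run() {
      try {
        f[0] = new FileInputStream("file");
      } catch (FileNotFoundException cnf) {
        System.err.println("Error: Operation could not be performed");
      }
      return null;
    }
  }, context); // restrict the privileges by passing the context argument
}

// wrapper method
public void performActionOnFile(AccessControlContext acc) {
  openFile(acc); // caller's AccessControlContext
}
```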
Refer to the compliant solution of "SER37-J. Do not deserialize from a privileged context" for more details on creating protection domains with specific permissions.
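As an added illustration (not code from this guideline or from SER37-J), the following sketch shows one way a caller could build the restricted `AccessControlContext` that is passed to `performActionOnFile()`. The class name `RestrictedContextDemo` and the helpers `readOnlyContext()` and `allows()` are hypothetical, and the sketch assumes a JDK on which the Security Manager API is still functional (these classes are deprecated for removal since Java 17).

```java
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;

// Hypothetical demo class: builds a least-privilege context for the file
// opened by openFile() and probes what that context permits.
public class RestrictedContextDemo {

  // Returns a context with a single protection domain whose only
  // permission is read access to the given path.
  static AccessControlContext readOnlyContext(String path) {
    Permissions perms = new Permissions();
    perms.add(new FilePermission(path, "read"));
    // Two-argument constructor: permissions are static, so the installed
    // Policy cannot widen them later. A null CodeSource is permitted.
    ProtectionDomain domain = new ProtectionDomain(null, perms);
    return new AccessControlContext(new ProtectionDomain[] {domain});
  }

  // Reports whether every domain in the context implies the permission.
  static boolean allows(AccessControlContext acc, Permission p) {
    try {
      acc.checkPermission(p);
      return true;
    } catch (AccessControlException denied) {
      return false;
    }
  }

  public static void main(String[] args) {
    AccessControlContext acc = readOnlyContext("file");

    // The one permission the domain holds
    System.out.println("read file:  "
        + allows(acc, new FilePermission("file", "read")));
    // Same path, but an action the domain was never granted
    System.out.println("write file: "
        + allows(acc, new FilePermission("file", "write")));
    // A different path (constructed sample name) outside the domain
    System.out.println("read other: "
        + allows(acc, new FilePermission("other-file", "read")));

    // acc is the argument a caller would hand to performActionOnFile(acc),
    // so doPrivileged() runs with the intersection of the class's own
    // permissions and this single read permission.
  }
}
```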
Risk Assessment
Failure to follow the principle of least privilege can lead to privilege escalation attacks when a vulnerability is exploited.
...