...

When passed a null access control context, the two-argument doPrivileged() method will fail to reduce the current privileges to those of the previously saved context. Consequently, this code may grant excess privileges when the accessControlContext argument is null. Programmers who intend to call AccessController.doPrivileged() with a null access control context should explicitly pass the null constant.

...

This compliant solution prevents the granting of excess privileges by ensuring that accessControlContext is non-null before it is passed to doPrivileged():

// Reject a null context up front: doPrivileged(action, null) would otherwise
// run the action with the caller's full privileges instead of the saved context's.
if (accessControlContext == null) {
  throw new SecurityException("Missing AccessControlContext");
}
AccessController.doPrivileged(new PrivilegedAction<Void>() {
  public Void run() {
    // ...
    return null;  // PrivilegedAction<Void> must return a value
  }
}, accessControlContext);
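The following is an added, self-contained example (not code from the original page) that puts the unchecked forwarding pattern, the compliant null check, and the deliberately unrestricted call side by side so the three intents are visible in code. The class and method names (PrivilegedCallExample, runUnchecked, runRestricted, runUnrestricted) and the sample action are assumptions made for this illustration; the AccessController API calls are the standard java.security ones.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;

public class PrivilegedCallExample {

    // Noncompliant pattern: forwards whatever context the caller supplies.
    // If ctx is null, doPrivileged(action, null) does NOT restrict the action to the
    // saved context's permissions; it behaves like the one-argument form.
    static <T> T runUnchecked(PrivilegedAction<T> action, AccessControlContext ctx) {
        return AccessController.doPrivileged(action, ctx);
    }

    // Compliant pattern: a null context is rejected before it can reach doPrivileged(),
    // so the action can only ever run under an explicitly saved context.
    static <T> T runRestricted(PrivilegedAction<T> action, AccessControlContext ctx) {
        if (ctx == null) {
            throw new SecurityException("Missing AccessControlContext");
        }
        return AccessController.doPrivileged(action, ctx);
    }

    // Where running unrestricted is the intent, say so explicitly with the null
    // constant rather than letting a null slip in through a variable.
    static <T> T runUnrestricted(PrivilegedAction<T> action) {
        return AccessController.doPrivileged(action, (AccessControlContext) null);
    }

    public static void main(String[] args) {
        // Constructed sample action: a harmless read of a system property.
        PrivilegedAction<String> readVersion = () -> System.getProperty("java.version");

        // Constructed sample context: in real code this would have been captured earlier,
        // in a less-privileged frame, via AccessController.getContext().
        AccessControlContext saved = AccessController.getContext();

        System.out.println("restricted call: " + runRestricted(readVersion, saved));
        System.out.println("explicitly unrestricted call: " + runUnrestricted(readVersion));

        try {
            // The guarded helper refuses a null context instead of silently widening privileges.
            runRestricted(readVersion, null);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // For contrast: the unchecked helper accepts the null and runs with full privileges.
        System.out.println("unchecked call with null context: " + runUnchecked(readVersion, null));
    }
}
```

The cast in runUnrestricted() is there only to make the intent unmistakable to a reader; the point of the rule is that a null must never arrive at the two-argument form by accident, which is exactly what runRestricted() enforces and runUnchecked() fails to.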

...

Security-sensitive methods must be thoroughly understood, and their parameters validated (for instance, to reject null arguments), in order to prevent corner cases with unexpected argument values. If unexpected argument values reach security-sensitive methods, arbitrary code execution becomes possible and privilege escalation becomes likely.

Bibliography

...