Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[cache] Cache.cacheManager may be overwritten with a different CacheManager #10200

Closed
vbekiaris opened this issue Mar 31, 2017 · 0 comments
Closed

Comments

@vbekiaris
Copy link
Contributor

@vbekiaris vbekiaris commented Mar 31, 2017

Non-standard creation of Caches or a crafted URI/Classloader combination may overwrite an existing Cache's cacheManager field with a CacheManager that did not create the Cache.

HazelcastInstance hz = Hazelcast.newHazelcastInstance();
HazelcastInstance client = HazelcastClient.newHazelcastClient();
Properties properties = HazelcastCachingProvider.propertiesByInstanceItself(client);
CachingProvider caching = Caching.getCachingProvider("com.hazelcast.client.cache.impl.HazelcastClientCachingProvider");
CacheManager cacheManagerFoo = caching.getCacheManager(new URI("foo"), null, properties);
CacheManager cacheManagerBar = caching.getCacheManager(null, new MaliciousClassLoader(Bootstrap.class.getClassLoader()), properties);
CacheConfig cacheConfig = new CacheConfig("the-cache");
Cache cache1 = cacheManagerFoo.createCache("the-cache", cacheConfig);
// will print false, cache1.cacheManager is cacheManagerFoo
System.out.println(cache1.getCacheManager() == cacheManagerBar);
Cache cache2 = cacheManagerBar.getCache("the-cache");
// both statements below will print true
System.out.println(cache1 == cache2);
System.out.println(cache1.getCacheManager() == cacheManagerBar);

public static class MaliciousClassLoader extends ClassLoader {
        @Override
        public String toString() {
            return "foo";
        }
    }
@vbekiaris vbekiaris added this to the 3.9 milestone Mar 31, 2017
@vbekiaris vbekiaris self-assigned this Mar 31, 2017
@mmedenjak mmedenjak changed the title Cache.cacheManager may be overwritten with a different CacheManager [cache] Cache.cacheManager may be overwritten with a different CacheManager Jul 11, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

2 participants
You can’t perform that action at this time.