From 58cc4a90e863e71373e33ae29e30a2dc2f62f4e6 Mon Sep 17 00:00:00 2001 From: Wikum Weerakutti Date: Sun, 2 Jun 2024 13:27:33 +0530 Subject: [PATCH] TRUNK-6203: Global properties access should be privileged (#608) --- .../module/webservices/rest/web/RestUtil.java | 13 +++++++++++-- pom.xml | 2 +- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/omod-common/src/main/java/org/openmrs/module/webservices/rest/web/RestUtil.java b/omod-common/src/main/java/org/openmrs/module/webservices/rest/web/RestUtil.java index 99fec532d..58b8cd58c 100644 --- a/omod-common/src/main/java/org/openmrs/module/webservices/rest/web/RestUtil.java +++ b/omod-common/src/main/java/org/openmrs/module/webservices/rest/web/RestUtil.java @@ -48,6 +48,7 @@ import org.openmrs.module.webservices.rest.web.resource.api.SubResource; import org.openmrs.module.webservices.validation.ValidationException; import org.openmrs.util.OpenmrsClassLoader; +import org.openmrs.util.PrivilegeConstants; import org.springframework.validation.FieldError; import org.springframework.validation.ObjectError; import org.springframework.web.bind.ServletRequestBindingException; @@ -210,8 +211,16 @@ public static boolean ipMatches(String ip, List candidateIps) { * @return the list of IPs */ public static List getAllowedIps() { - String allowedIpsProperty = Context.getAdministrationService() - .getGlobalProperty(RestConstants.ALLOWED_IPS_GLOBAL_PROPERTY_NAME, ""); + String allowedIpsProperty = ""; + try { + Context.addProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES); + allowedIpsProperty = Context.getAdministrationService() + .getGlobalProperty(RestConstants.ALLOWED_IPS_GLOBAL_PROPERTY_NAME, allowedIpsProperty); + } + finally { + Context.removeProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES); + } + if (allowedIpsProperty.isEmpty()) { return Collections.emptyList(); diff --git a/pom.xml b/pom.xml index d6407d187..b734d08d2 100644 --- a/pom.xml +++ b/pom.xml @@ -33,7 +33,7 @@ UTF-8 - 1.9.10 + 1.11.6 1.6 1.6