SEC-1300: ArrayIndex out of bounds in AclImpl #1546

Closed
spring-issuemaster opened this Issue Nov 19, 2009 · 2 comments

1 participant

@spring-issuemaster

Tim (Migrated from SEC-1300) said:

In AclImpl#verifyAceIndexExists(...)
I think this is an "off by one" bug. I may be wrong but shouldn't
this:

    if (aceIndex > this.aces.size()) {
        throw new NotFoundException("aceIndex must correctly refer to an index of the AccessControlEntry collection");
    }

be this:

    if (aceIndex > this.aces.size() - 1) {
        throw new NotFoundException("aceIndex must correctly refer to an index of the AccessControlEntry collection");
    }

Since I'm getting the exception but wondered how it passed verifyAceIndexExists?:

eption Handler execution resulted in exception - forwarding to resolved error view
java.lang.IndexOutOfBoundsException: Index: 2, Size: 2
at java.util.ArrayList.RangeCheck(ArrayList.java:572)
at java.util.ArrayList.remove(ArrayList.java:415)
at org.springframework.security.acls.domain.AclImpl.deleteAce(AclImpl.java:131)
at com.acme.app.springframework.security.AclSecurityServiceImpl.replaceUserPermissions(AclSecurityServiceImpl.jav

@spring-issuemaster

Luke Taylor said:

Appears to already be fixed as SEC-1151

@spring-issuemaster spring-issuemaster added this to the 3.0.0.RC2 milestone Feb 5, 2016
@spring-issuemaster

This issue duplicates #1399

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment