First-time startup of OpenMRS via the setup wizard does not run module activators as Daemon (quick-fix) - TRUNK-3997 #324

Closed
wants to merge 1 commit into from

Conversation

@dkayiwa (Member) commented May 30, 2013

No description provided.

activators as Daemon (quick-fix) - TRUNK-3997
* @param iniCompletionJob an instance of InitializationCompletion
* @since 1.9, 1.10
*/
public static void runInitializationCompletionJob(final InitializationCompletion iniCompletionJob) {
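Review bot: runInitializationCompletionJob(final InitializationCompletion iniCompletionJob) lets the caller decide what code runs on the daemon thread; because InitializationCompletion can be instantiated and its run() overridden by anyone who can reach this method, the signature amounts to runAsSuperUser(Runnable). Drop the parameter so the method takes no caller-supplied object and instead invokes one fixed, non-overridable job (the comment below suggests an initializationCompletion() method on the InitializationFilter side), and update the Javadoc @param line to match the new signature.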
Member (review comment on the lines above):

This is a security hole. The daemon should not simply run a runnable that is passed to it; rather, it should invoke a specific, hardcoded method. For example, remove the parameter in this method and call an initializationCompletion() method within the InitializationFilter.

As it stands, anyone can create a runnable by creating an instance of InitializationCompletion & overriding run, send it to this method, and run there unauthorized as super user (daemon).

Daemon should never take a runnable as a parameter and simply run whatever it is passed on a daemon thread. This creates an effective runAsSuperUser(Runnable) method that bypasses any kind of security.
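The two designs contrasted in that review comment, written out as an added Java example rather than OpenMRS code: the class, the ThreadLocal "daemon context", privilegedOperation() and the once-only guard are hypothetical stand-ins for the real Daemon and user context, chosen so the example runs on its own.

```java
import java.util.concurrent.atomic.AtomicBoolean;

/**
 * Added example (not OpenMRS code). Models the daemon as a thread that carries a
 * privileged ThreadLocal flag, and contrasts a job-taking entry point with a
 * fixed-job entry point. All names here are hypothetical.
 */
public class DaemonJobExample {

    /** Set only on the thread the daemon spawns; stands in for the super-user context. */
    private static final ThreadLocal<Boolean> DAEMON_CONTEXT = ThreadLocal.withInitial(() -> false);

    /** Models a privileged service call: refused unless running in the daemon context. */
    static String privilegedOperation(String what) {
        if (!DAEMON_CONTEXT.get()) {
            throw new SecurityException("not running as daemon: " + what);
        }
        return "done: " + what;
    }

    /** Runs a unit of work on a fresh thread that carries the daemon context. */
    private static void runOnDaemonThread(Runnable work) throws InterruptedException {
        Thread daemonThread = new Thread(() -> {
            DAEMON_CONTEXT.set(true);
            try {
                work.run();
            } finally {
                DAEMON_CONTEXT.remove();   // never leak the privileged flag
            }
        }, "daemon-thread");
        daemonThread.start();
        daemonThread.join();
    }

    // ---- Design 1: the pattern the review objects to -------------------------

    /** A job type callers can subclass; run() is overridable. */
    public static class InitializationCompletion implements Runnable {
        @Override public void run() { privilegedOperation("complete initialization"); }
    }

    /**
     * VULNERABLE: whatever run() the caller supplies executes as daemon.
     * This is effectively runAsSuperUser(Runnable).
     */
    public static void runInitializationCompletionJobUnsafe(InitializationCompletion job)
            throws InterruptedException {
        runOnDaemonThread(job);
    }

    // ---- Design 2: what the review asks for ----------------------------------

    private static final AtomicBoolean INITIALIZATION_COMPLETED = new AtomicBoolean(false);

    /** The single, fixed job; private so no caller can substitute its body. */
    private static void completeInitialization() {
        privilegedOperation("complete initialization");
    }

    /**
     * HARDENED: no parameter, so the only code that reaches the daemon thread is
     * completeInitialization(). The once-only guard is an added assumption that
     * fits a first-time-startup job; it is not part of the original discussion.
     */
    public static void runInitializationCompletionJob() throws InterruptedException {
        if (!INITIALIZATION_COMPLETED.compareAndSet(false, true)) {
            throw new IllegalStateException("initialization completion already ran");
        }
        runOnDaemonThread(DaemonJobExample::completeInitialization);
    }

    public static void main(String[] args) throws InterruptedException {
        // An arbitrary caller subclasses the job and overrides run(): under the
        // unsafe design its code runs with daemon privileges.
        InitializationCompletion hijacked = new InitializationCompletion() {
            @Override public void run() {
                System.out.println("unsafe: " + privilegedOperation("caller-chosen work"));
            }
        };
        runInitializationCompletionJobUnsafe(hijacked);

        // Outside the daemon thread the same privileged call is refused.
        try {
            privilegedOperation("caller-chosen work");
        } catch (SecurityException e) {
            System.out.println("direct call refused: " + e.getMessage());
        }

        // Hardened design: the caller can only trigger the fixed job, never supply code.
        runInitializationCompletionJob();
        System.out.println("hardened: fixed job ran once");
        try {
            runInitializationCompletionJob();
        } catch (IllegalStateException e) {
            System.out.println("hardened: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DaemonJobExample.java && java DaemonJobExample`. The design point is in the two public signatures: the unsafe one accepts an object whose behaviour the caller controls, so any code path that can reach it inherits the daemon's privileges; the hardened one exposes only the decision to start a predetermined job, which is what a privileged entry point should offer.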

@dkayiwa dkayiwa closed this May 30, 2013
RandilaP pushed a commit to RandilaP/openmrs-core that referenced this pull request Jul 31, 2023
* Prepare offline

* Fixed the version of the file size impact

* Include output optimizer

* Updated importmap

* Updated asset optimizer

* Improved documentation

* Improved translation

* Improved tooling w.r.t. dependent modules

* Updated docs

* Fixed usage of non-spa based path O3-1022

* Added offline capability button

* Fixed local representation

* Applied prettier

* Correctly mark openmrs dev dependency

* Put default webpack config in dedicated package