commons-issues mailing list archives

From "Simone Tripodi (JIRA)" <j...@apache.org>
Subject [jira] [Created] (OGNL-23) Class.forName() usage is malicious inside OSGi
Date Sat, 24 Sep 2011 21:44:26 GMT
Class.forName() usage is malicious inside OSGi
----------------------------------------------

                 Key: OGNL-23
                 URL: https://issues.apache.org/jira/browse/OGNL-23
             Project: OGNL
          Issue Type: Bug
            Reporter: Simone Tripodi


{{Class.forName()}} could make OGNL unusable [inside OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
The fix would involve the {{ClassLoader.loadClass()}} method, allowing users to set a custom {{ClassLoader}}.

Classes affected by that issue are:
 * {{org.apache.commons.ognl.DefaultClassResolver}}
 * {{org.apache.commons.ognl.OgnlRuntime}}
The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if loading {{java.util.LinkedHashMap}}
in that way should be safe.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
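
An added example, not part of the original message and not OGNL's code: a sketch of the kind of fix the report describes, where class lookup goes through a caller-supplied ClassLoader via loadClass() instead of Class.forName(). The class name LoaderAwareClassResolver and the parent-less loader standing in for an isolated OSGi bundle loader are assumptions made for the illustration.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Hypothetical resolver for illustration; not org.apache.commons.ognl.DefaultClassResolver.
public class LoaderAwareClassResolver {
    // Cache is per resolver, so classes from one loader never leak to another resolver.
    private final ConcurrentMap<String, Class<?>> cache = new ConcurrentHashMap<>();
    private final ClassLoader loader; // null means "use the thread context loader"

    public LoaderAwareClassResolver(ClassLoader loader) {
        this.loader = loader;
    }

    public Class<?> classForName(String name) throws ClassNotFoundException {
        Class<?> cached = cache.get(name);
        if (cached != null) {
            return cached;
        }
        // Class.forName(name) would resolve against the loader that defined *this*
        // library class; here the caller decides which loader is consulted.
        ClassLoader cl = loader != null ? loader : Thread.currentThread().getContextClassLoader();
        if (cl == null) {
            cl = LoaderAwareClassResolver.class.getClassLoader();
        }
        Class<?> resolved = cl.loadClass(name); // loads without initializing the class
        cache.put(name, resolved);
        return resolved;
    }

    public static void main(String[] args) throws Exception {
        String appClass = LoaderAwareClassResolver.class.getName();
        // Constructed stand-in for an isolated bundle loader: no parent, bootstrap classes only.
        ClassLoader isolated = new ClassLoader(null) { };
        LoaderAwareClassResolver narrow = new LoaderAwareClassResolver(isolated);
        LoaderAwareClassResolver wide =
                new LoaderAwareClassResolver(LoaderAwareClassResolver.class.getClassLoader());

        // The application loader can see application classes.
        System.out.println("wide:   " + wide.classForName(appClass));
        // JDK classes such as LinkedHashMap resolve through any loader.
        System.out.println("narrow: " + narrow.classForName("java.util.LinkedHashMap"));
        try {
            narrow.classForName(appClass);
        } catch (ClassNotFoundException e) {
            // The same name is not visible through the isolated loader.
            System.out.println("narrow: " + appClass + " not visible");
        }
    }
}
```

The loader handed to the resolver is also the boundary of what a class name can resolve to, so the choice of loader belongs to the embedding application rather than to the library.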
