commons-issues mailing list archives

From "Simone Tripodi (JIRA)" <>
Subject [jira] [Commented] (OGNL-23) Class.forName() usage is malicious inside OSGi
Date Sun, 25 Sep 2011 19:08:26 GMT


Simone Tripodi commented on OGNL-23:

There is the requirement that every Commons component is a valid OSGi bundle, so OGNL has
to satisfy OSGi requirements as well and the issue is not out of scope.

{{ClassLoader.loadClass()}} works better than {{Class.forName()}} because classes can be loaded
from different {{ClassLoader}}s, so {{ClassNotFound}} exceptions can be avoided by using the proper
class loader.

Of course, in a non-OSGi context, the default ClassLoader works like a charm.

> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>                 Key: OGNL-23
>                 URL:
>             Project: OGNL
>          Issue Type: Bug
>            Reporter: Simone Tripodi
> {{Class.forName()}} could make OGNL unusable [inside OSGi|].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users to set
> a custom {{ClassLoader}}
> Classes affected by that issue are:
>  * {{org.apache.commons.ognl.DefaultClassResolver}}
>  * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if loading {{java.util.LinkedHashMap}}
> in that way should be safe.
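As an added illustration of the change the comment argues for (example code written for this page, not OGNL's own {{org.apache.commons.ognl.DefaultClassResolver}}), here is a minimal class resolver that takes the {{ClassLoader}} to use as a constructor argument and resolves names through {{loadClass()}} instead of {{Class.forName()}}. Inside OSGi the caller would pass the bundle's class loader; outside OSGi the thread context class loader, falling back to the resolver's own defining loader, is a reasonable default. The class name {{ConfigurableClassResolver}} and its methods are assumptions made for this example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical resolver written for this example; it is not OGNL's
// org.apache.commons.ognl.DefaultClassResolver.
public final class ConfigurableClassResolver {

    private final ClassLoader loader;
    private final Map<String, Class<?>> cache = new ConcurrentHashMap<>();

    // The caller supplies the ClassLoader; an OSGi bundle would pass its own.
    public ConfigurableClassResolver(ClassLoader loader) {
        if (loader == null) {
            throw new IllegalArgumentException("loader must not be null");
        }
        this.loader = loader;
    }

    // Non-OSGi default: the thread context loader if one is set,
    // otherwise the loader that defined this class.
    public static ConfigurableClassResolver withDefaultLoader() {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (cl == null) {
            cl = ConfigurableClassResolver.class.getClassLoader();
        }
        return new ConfigurableClassResolver(cl);
    }

    // Resolve by name through the configured loader. Class.forName(String)
    // would instead use the loader that defined the *calling* class, which in
    // OSGi is the OGNL bundle's loader and cannot see the caller's classes.
    public Class<?> classForName(String className) throws ClassNotFoundException {
        Class<?> cached = cache.get(className);
        if (cached != null) {
            return cached;
        }
        // loadClass(name) does not run static initializers, unlike
        // Class.forName(name); initialization happens on first use.
        Class<?> resolved = loader.loadClass(className);
        cache.put(className, resolved);
        return resolved;
    }

    public static void main(String[] args) throws Exception {
        ConfigurableClassResolver resolver = ConfigurableClassResolver.withDefaultLoader();
        // java.util.LinkedHashMap is the class the issue mentions; it resolves
        // through any loader because the bootstrap loader is every loader's parent.
        Class<?> map = resolver.classForName("java.util.LinkedHashMap");
        System.out.println("resolved: " + map.getName());

        // A loader whose parent is the bootstrap loader sees only JDK classes;
        // it shows that the supplied loader decides what is reachable by name.
        ClassLoader restricted = new ClassLoader(null) { };
        ConfigurableClassResolver narrow = new ConfigurableClassResolver(restricted);
        try {
            narrow.classForName("ConfigurableClassResolver");
        } catch (ClassNotFoundException e) {
            System.out.println("not visible through restricted loader: " + e.getMessage());
        }
    }
}
```

Because OGNL expressions name classes at runtime, the loader handed to the resolver also bounds which classes an expression can reach: a bundle's loader only sees that bundle's own classes and declared imports, whereas an application-wide loader exposes everything on the classpath. Pass the narrowest loader that still resolves the classes the expressions legitimately need.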

This message is automatically generated by JIRA.
For more information on JIRA, see:

