commons-issues mailing list archives

From "Adrian Cumiskey (Updated) (JIRA)" <>
Subject [jira] [Updated] (OGNL-23) Class.forName() usage is malicious inside OSGi
Date Sun, 23 Oct 2011 05:51:32 GMT


Adrian Cumiskey updated OGNL-23:

    Attachment: patch-OGNL23-v2.txt

Hi Simone,

I have read your comments, had a little more time to review the code earlier, and have made
what I hope are some useful additions to my patch.

I found that there is provision in the existing code for the user to configure their own
ClassLoader.  This is achieved by calling OgnlContext.setClassResolver().  The problem with the
current code is that this configured ClassResolver is not always used by the OGNL library.  For
example, the ExpressionCompiler always resolves using the DefaultClassResolver, and any
user-defined ClassResolver is ignored.

With this patch, all roads in the code base for class loading/resolving now point to OgnlRuntime.classForName().
This method first tries to resolve using the ClassResolver configured on the OgnlContext it is
passed.  If none is configured, it defaults to the DefaultClassResolver.
Hope this helps.

Cheers, Adrian.
> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>                 Key: OGNL-23
>                 URL:
>             Project: OGNL
>          Issue Type: Bug
>            Reporter: Simone Tripodi
>            Assignee: Simone Tripodi
>         Attachments: patch-OGNL23-v2.txt, patch-OGNL23.txt
> {{Class.forName()}} could make OGNL unusable [inside OSGi|].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users to set
a custom {{ClassLoader}}.
> Classes affected by that issue are:
>  * {{org.apache.commons.ognl.DefaultClassResolver}}
>  * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if loading {{java.util.LinkedHashMap}}
in that way should be safe.
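
The resolver-then-default lookup that Adrian describes, and the difference between Class.forName() and a caller-supplied ClassLoader that Simone's report turns on, as an added, self-contained illustration (not OGNL's own code and not the attached patch). The ClassResolver interface, the DefaultClassResolver and ClassLoaderClassResolver classes, the RESOLVER_KEY context key and the classForName() choke point are stand-ins modelled on the names used in this thread; the BundleLoader is an assumption that simulates an OSGi bundle loader (bootstrap parent, owns one application class) on a flat classpath:

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;

/** Stands in for a class that lives in an application bundle, not in the library's bundle. */
class AppModel {
    public String toString() { return "AppModel"; }
}

public class ResolverDemo {

    /** Stand-in for the ClassResolver contract (assumption; the real one is org.apache.commons.ognl.ClassResolver). */
    interface ClassResolver {
        Class<?> classForName(String className, Map<String, Object> context) throws ClassNotFoundException;
    }

    /** Stand-in for DefaultClassResolver: Class.forName() resolves against the library's own defining loader. */
    static class DefaultClassResolver implements ClassResolver {
        public Class<?> classForName(String className, Map<String, Object> context) throws ClassNotFoundException {
            return Class.forName(className);
        }
    }

    /** Resolver that delegates to a caller-supplied ClassLoader via loadClass(), the approach the issue proposes. */
    static class ClassLoaderClassResolver implements ClassResolver {
        private final ClassLoader loader;
        ClassLoaderClassResolver(ClassLoader loader) { this.loader = loader; }
        public Class<?> classForName(String className, Map<String, Object> context) throws ClassNotFoundException {
            return loader.loadClass(className);
        }
    }

    /** Hypothetical context key; OGNL itself exposes OgnlContext.setClassResolver() instead. */
    static final String RESOLVER_KEY = "ognl.classResolver";

    /** Single choke point in the spirit of OgnlRuntime.classForName(): context resolver first, default second. */
    static Class<?> classForName(Map<String, Object> context, String className) throws ClassNotFoundException {
        ClassResolver resolver = context == null ? null : (ClassResolver) context.get(RESOLVER_KEY);
        if (resolver == null) {
            resolver = new DefaultClassResolver();
        }
        return resolver.classForName(className, context);
    }

    /**
     * Simulated OSGi bundle loader (assumption): parent is the bootstrap loader, so java.* still
     * resolves, and it defines exactly one application class itself from bytes read off the classpath.
     */
    static class BundleLoader extends ClassLoader {
        private final String ownedClass;
        BundleLoader(String ownedClass) { super(null); this.ownedClass = ownedClass; }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            if (!name.equals(ownedClass)) throw new ClassNotFoundException(name);
            String resource = name.replace('.', '/') + ".class";
            try (InputStream in = ResolverDemo.class.getClassLoader().getResourceAsStream(resource)) {
                if (in == null) throw new ClassNotFoundException("no bytes found for " + name);
                byte[] bytes = in.readAllBytes();
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader bundle = new BundleLoader("AppModel");
        Map<String, Object> plain = new HashMap<>();
        Map<String, Object> configured = new HashMap<>();
        configured.put(RESOLVER_KEY, new ClassLoaderClassResolver(bundle));

        // A JDK class comes from the bootstrap loader on both paths, which is why the report
        // treats ASTMap's loading of java.util.LinkedHashMap as safe.
        System.out.println("LinkedHashMap identical on both paths: "
                + (classForName(plain, "java.util.LinkedHashMap") == classForName(configured, "java.util.LinkedHashMap")));

        // The application class: the default path returns the copy visible to the library's loader,
        // the configured resolver returns the bundle's own definition. Same name, different Class
        // objects, so instanceof and casts against the bundle's type fail for the former. Under real
        // OSGi the default path would usually throw ClassNotFoundException outright, because the
        // library bundle cannot see the application bundle's packages at all.
        Class<?> viaDefault = classForName(plain, "AppModel");
        Class<?> viaBundle = classForName(configured, "AppModel");
        System.out.println("default path loader:    " + viaDefault.getClassLoader());
        System.out.println("configured path loader: " + viaBundle.getClassLoader());
        System.out.println("same Class object: " + (viaDefault == viaBundle));
    }
}
```

Compile with javac so that AppModel.class exists on disk for the BundleLoader to read, then run ResolverDemo. The point to take away is the one the patch enforces: as long as a single code path other than classForName() still calls Class.forName() directly, the user's configured resolver is bypassed there and the OSGi failure reappears on that path only, which is hard to diagnose.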

This message is automatically generated by JIRA.

