commons-issues mailing list archives

From "Simone Tripodi (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OGNL-23) Class.forName() usage is malicious inside OSGi
Date Sat, 22 Oct 2011 06:54:32 GMT

    [ https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13133277#comment-13133277 ]

Simone Tripodi commented on OGNL-23:
------------------------------------

This is simply amazing Adrian, thanks for your contribution!

IIUC how OGNL works, what is still a TODO is letting users define their own ClassLoader
to load external entities loaded from different loaders. Does it make sense?

In the meanwhile I'll apply your patch, which is definitely better than the current implementation;
thanks for your effort!

Simo
> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
>                 Key: OGNL-23
>                 URL: https://issues.apache.org/jira/browse/OGNL-23
>             Project: OGNL
>          Issue Type: Bug
>            Reporter: Simone Tripodi
>            Assignee: Simone Tripodi
>         Attachments: patch-OGNL23.txt
>
>
> {{Class.forName()}} could make OGNL unusable [inside OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
>  * {{org.apache.commons.ognl.DefaultClassResolver}}
>  * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if loading {{java.util.LinkedHashMap}} in that way should be safe.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
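The resolver pattern the issue asks for, as an added example that is not part of the message above and not OGNL's own code. It is plain Java with no OGNL dependency: `LoaderAwareClassResolver`, `resolve()`, `resolveViaForName()` and the `DenyingLoader` stand-in are all names chosen here for illustration, not OGNL's `ClassResolver` interface. `Class.forName(String)` always resolves through the defining loader of the class that calls it, which inside OSGi is the library bundle's loader and cannot see classes in client bundles; `ClassLoader.loadClass()` on a loader the user hands in (with the thread context loader as a fallback) is the fix described in the ticket. `DenyingLoader` is a constructed simulation of a bundle loader that does not import a package, so the difference can be observed without an OSGi container.

```java
import java.util.Objects;

/**
 * Added example, not OGNL's own code: a class resolver that loads classes through a
 * caller-supplied ClassLoader (with sensible fallbacks) instead of Class.forName(String).
 *
 * Class.forName(String) always uses the defining loader of the class that calls it. Inside
 * OSGi that is the library bundle's loader, which cannot see classes in client bundles
 * unless the library explicitly imports their packages, so expressions that name user
 * classes fail to resolve. Letting the user hand in a ClassLoader fixes that.
 */
public final class LoaderAwareClassResolver {

    /** Loader chosen by the user; null means "use the fallbacks in resolve()". */
    private final ClassLoader configuredLoader;

    public LoaderAwareClassResolver() {
        this(null);
    }

    public LoaderAwareClassResolver(ClassLoader configuredLoader) {
        this.configuredLoader = configuredLoader;
    }

    /**
     * The problematic pattern: equivalent to
     * Class.forName(name, true, LoaderAwareClassResolver.class.getClassLoader()),
     * i.e. the library's own loader, whatever the caller wanted.
     */
    public static Class<?> resolveViaForName(String className) throws ClassNotFoundException {
        return Class.forName(className);
    }

    /**
     * The fixed pattern: honour the configured loader, else the thread context loader (what
     * most containers set up for the calling bundle/application), else this class's loader.
     */
    public Class<?> resolve(String className) throws ClassNotFoundException {
        Objects.requireNonNull(className, "className");
        ClassLoader loader = configuredLoader;
        if (loader == null) {
            loader = Thread.currentThread().getContextClassLoader();
        }
        if (loader == null) {
            loader = LoaderAwareClassResolver.class.getClassLoader();
        }
        // Caveat: ClassLoader.loadClass() does not understand the array syntax
        // ("[Ljava.lang.String;") or primitive names ("int") that Class.forName() accepts,
        // and it does not run static initializers. Callers relying on either must handle
        // those cases separately.
        return loader.loadClass(className);
    }

    /**
     * Constructed stand-in for an OSGi bundle loader that does not import a package:
     * everything under deniedPrefix is invisible through this loader.
     */
    static final class DenyingLoader extends ClassLoader {
        private final String deniedPrefix;

        DenyingLoader(ClassLoader parent, String deniedPrefix) {
            super(parent);
            this.deniedPrefix = deniedPrefix;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (name.startsWith(deniedPrefix)) {
                throw new ClassNotFoundException(name + " is not visible from " + this);
            }
            return super.loadClass(name, resolve);
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader own = LoaderAwareClassResolver.class.getClassLoader();
        ClassLoader userLoader = new DenyingLoader(own, "java.util.concurrent.");
        LoaderAwareClassResolver resolver = new LoaderAwareClassResolver(userLoader);

        // Bootstrap classes are visible through every loader chain, which is why loading
        // java.util.LinkedHashMap the old way (as ASTMap does) is harmless.
        System.out.println("via loader:  " + resolver.resolve("java.util.LinkedHashMap").getName());

        // Class.forName() never consults the user's loader: it resolves through this class's
        // loader regardless of what the caller configured.
        System.out.println("via forName: "
                + resolveViaForName("java.util.concurrent.ConcurrentHashMap").getName());

        // loadClass() on the configured loader respects that loader's visibility rules.
        try {
            resolver.resolve("java.util.concurrent.ConcurrentHashMap");
        } catch (ClassNotFoundException e) {
            System.out.println("via loader:  " + e.getMessage());
        }
    }
}
```

Running `main` shows the asymmetry the ticket is about: the `forName` path succeeds even though the user's loader would have refused the class, while the `loadClass` path reports the refusal. In a real OSGi deployment the failure runs the other way (the user's class is visible only through the user's loader), but the root cause is the same: `Class.forName(String)` never looks at the loader the caller intended.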

