Date: Sun, 23 Oct 2011 14:32:32 +0000 (UTC)
From: "Simone Tripodi (Commented) (JIRA)"
To: issues@commons.apache.org
Reply-To: issues@commons.apache.org
Mailing-List: contact issues-help@commons.apache.org; run by ezmlm
Message-ID: <1590858741.6659.1319380352325.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <1135272959.9628.1316900666666.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (OGNL-23) Class.forName() usage is malicious inside OSGi
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

[ https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13133655#comment-13133655 ]

Simone Tripodi commented on OGNL-23:
------------------------------------

Hi Adrian, what is amazing is how fast you've been in providing not only one, but even two solutions! Commons OGNL is one at the top of my priorities right now; the Apache Struts and MyBatis communities are waiting for us!

All the best,
Simo

> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
> Key: OGNL-23
> URL: https://issues.apache.org/jira/browse/OGNL-23
> Project: OGNL
> Issue Type: Bug
> Reporter: Simone Tripodi
> Assignee: Simone Tripodi
> Attachments: patch-OGNL23-v2.txt, patch-OGNL23.txt
>
>
> {{Class.forName()}} could make OGNL unusable [inside OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
> * {{org.apache.commons.ognl.DefaultClassResolver}}
> * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if loading {{java.util.LinkedHashMap}} in that way should be safe.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
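The issue description above says the fix is to resolve classes through `ClassLoader.loadClass()` on a caller-supplied `ClassLoader` rather than `Class.forName()`. The following is an added, self-contained illustration of that approach; it is not code from the OGNL project or from either attached patch, and `LoaderAwareClassResolver` and its `classForName(String)` method are hypothetical names that do not implement OGNL's real `ClassResolver` interface. It also goes slightly beyond the ticket: because the loader is now something the integrator chooses, the `main` method shows that the same hook lets an embedding application decide which classes expression evaluation may see at all.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration (not OGNL project code): a class resolver that looks
 * classes up through an explicitly supplied ClassLoader instead of
 * Class.forName(String).
 *
 * Class.forName(name) resolves against the defining loader of the class
 * that calls it, which under OSGi is the library's own bundle loader and
 * usually cannot see application classes. loadClass(name) on a loader the
 * integrator picked does not have that problem, and it does not run the
 * target class's static initializers the way Class.forName(String) does.
 */
public class LoaderAwareClassResolver {

    private final ClassLoader loader;
    private final Map<String, Class<?>> cache = new HashMap<>();

    /** Resolve through the loader the caller hands in. */
    public LoaderAwareClassResolver(ClassLoader loader) {
        if (loader == null) {
            throw new IllegalArgumentException("loader must not be null");
        }
        this.loader = loader;
    }

    /** Default: thread context loader, falling back to this class's own loader. */
    public LoaderAwareClassResolver() {
        this(pickDefaultLoader());
    }

    private static ClassLoader pickDefaultLoader() {
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        return tccl != null ? tccl : LoaderAwareClassResolver.class.getClassLoader();
    }

    /** Hypothetical resolver entry point; signature chosen for this example only. */
    public Class<?> classForName(String className) throws ClassNotFoundException {
        Class<?> cached = cache.get(className);
        if (cached != null) {
            return cached;
        }
        Class<?> result;
        try {
            result = loader.loadClass(className);
        } catch (ClassNotFoundException notFound) {
            // Unqualified names such as "String" are retried under java.lang,
            // mirroring the convenience OGNL's default resolver offers.
            if (className.indexOf('.') < 0) {
                result = loader.loadClass("java.lang." + className);
            } else {
                throw notFound;
            }
        }
        cache.put(className, result);
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Constructed for the demo: a loader that only exposes java.lang and
        // java.util to expressions. Everything else is simply not visible.
        ClassLoader restricted = new ClassLoader(LoaderAwareClassResolver.class.getClassLoader()) {
            @Override
            protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
                if (!name.startsWith("java.lang.") && !name.startsWith("java.util.")) {
                    throw new ClassNotFoundException(name + " is not visible to expressions");
                }
                return super.loadClass(name, resolve);
            }
        };

        LoaderAwareClassResolver resolver = new LoaderAwareClassResolver(restricted);
        System.out.println(resolver.classForName("java.util.LinkedHashMap").getName());
        System.out.println(resolver.classForName("String").getName());
        try {
            resolver.classForName("java.io.File");
        } catch (ClassNotFoundException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac LoaderAwareClassResolver.java && java LoaderAwareClassResolver`. The first two lookups succeed through the supplied loader (the second via the `java.lang` retry), while the third is rejected by the loader itself rather than by the resolver, which is the point: once resolution is delegated to a caller-chosen `ClassLoader`, an OSGi bundle can pass its own bundle loader and any host can pass a narrower one.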