From: "Adrian Cumiskey (Updated) (JIRA)"
To: issues@commons.apache.org
Date: Sun, 23 Oct 2011 05:51:32 +0000 (UTC)
Message-ID: <1804822669.6279.1319349092097.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <1135272959.9628.1316900666666.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Updated] (OGNL-23) Class.forName() usage is malicious inside OSGi
Mailing-List: contact issues-help@commons.apache.org; run by ezmlm

[ https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adrian Cumiskey updated OGNL-23:
--------------------------------

    Attachment: patch-OGNL23-v2.txt

Hi Simone,

I have read your comments and I have had a little more time to review the code earlier and have made what I hope are some useful additions to my patch.

I found that there is provision in the existing code for the user to be able to configure their own ClassLoader. This is achieved by calling OgnlContext.setClassResolver(). The problem with the current code is that this configured ClassResolver is not always being used by the OGNL library. For example, the ExpressionCompiler is always resolved using the DefaultClassResolver and any user-defined ClassResolver is ignored.

With this patch, all roads in the code base for class loading/resolving now point to OgnlRuntime.classForName(). This method first tries to resolve using the ClassResolver configured on the OgnlContext it is passed. If none is configured it then defaults to using the DefaultClassResolver.

Hope this helps.

Cheers, Adrian.

> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
>                 Key: OGNL-23
>                 URL: https://issues.apache.org/jira/browse/OGNL-23
>             Project: OGNL
>          Issue Type: Bug
>            Reporter: Simone Tripodi
>            Assignee: Simone Tripodi
>         Attachments: patch-OGNL23-v2.txt, patch-OGNL23.txt
>
>
> {{Class.forName()}} could make OGNL unusable [inside OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
> * {{org.apache.commons.ognl.DefaultClassResolver}}
> * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if loading {{java.util.LinkedHashMap}} in that way should be safe.

--
This message is automatically generated by JIRA.
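The resolution scheme the comment above describes (a resolver configured on the context is consulted first, with a `Class.forName()`-based default as the fallback, and every class lookup routed through one method), as an added stand-alone example. This is not code from the OGNL project or from the attached patch: the interface `ClassResolver`, the classes `DefaultResolver`, `ClassLoaderResolver`, `Context`, `ResolvingRuntime` and `RecordingLoader` are simplified stand-ins modelled on the names the thread mentions, not the real OGNL types. The `RecordingLoader` only records which names it was asked to load, so the run shows that a caller-supplied loader is actually consulted once it is configured.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Hypothetical minimal stand-in for OGNL's ClassResolver: given a class name
// and the expression context, return the Class.
interface ClassResolver {
    Class<?> classForName(String className, Map<String, Object> context)
            throws ClassNotFoundException;
}

// Stand-in for DefaultClassResolver. Class.forName(String) binds to the
// loader that defined this class, i.e. the library's own loader; inside OSGi
// that loader typically cannot see classes owned by the calling bundle.
class DefaultResolver implements ClassResolver {
    public Class<?> classForName(String className, Map<String, Object> context)
            throws ClassNotFoundException {
        return Class.forName(className);
    }
}

// The approach the issue proposes: delegate to a caller-supplied ClassLoader
// through loadClass(), so the caller decides which classes are visible.
class ClassLoaderResolver implements ClassResolver {
    private final ClassLoader loader;
    ClassLoaderResolver(ClassLoader loader) { this.loader = loader; }
    public Class<?> classForName(String className, Map<String, Object> context)
            throws ClassNotFoundException {
        return loader.loadClass(className);
    }
}

// Stand-in for OgnlContext: a Map that carries an optional user resolver.
class Context extends HashMap<String, Object> {
    private ClassResolver resolver;
    void setClassResolver(ClassResolver r) { resolver = r; }
    ClassResolver getClassResolver() { return resolver; }
}

// Stand-in for OgnlRuntime.classForName(): the single choke point the patch
// comment describes. Configured resolver first, DefaultResolver otherwise.
class ResolvingRuntime {
    private static final ClassResolver DEFAULT = new DefaultResolver();
    static Class<?> classForName(Context ctx, String className)
            throws ClassNotFoundException {
        ClassResolver r = (ctx == null) ? null : ctx.getClassResolver();
        return (r != null ? r : DEFAULT).classForName(className, ctx);
    }
}

// Test loader: records every name requested of it, then delegates to parent.
class RecordingLoader extends ClassLoader {
    final List<String> requested = new ArrayList<>();
    RecordingLoader(ClassLoader parent) { super(parent); }
    @Override
    public Class<?> loadClass(String name) throws ClassNotFoundException {
        requested.add(name);
        return super.loadClass(name);
    }
}

public class ResolverDemo {
    public static void main(String[] args) throws Exception {
        // 1. Nothing configured: resolution falls back to Class.forName().
        Context plain = new Context();
        System.out.println("default: "
                + ResolvingRuntime.classForName(plain, "java.util.LinkedHashMap"));

        // 2. Caller configures a resolver backed by its own loader; because
        //    every lookup goes through ResolvingRuntime.classForName(), the
        //    caller's loader is the one asked.
        RecordingLoader loader = new RecordingLoader(ResolverDemo.class.getClassLoader());
        Context configured = new Context();
        configured.setClassResolver(new ClassLoaderResolver(loader));
        ResolvingRuntime.classForName(configured, "java.util.LinkedHashMap");
        System.out.println("asked of caller's loader: " + loader.requested);
    }
}
```

Compile and run with `javac ResolverDemo.java && java ResolverDemo`; the second line of output lists `java.util.LinkedHashMap` as a name the caller's loader was asked for. The design point behind routing everything through one method is that a path which bypasses it (as the comment says the ExpressionCompiler did) silently reverts to the library's own loader, which is exactly the behaviour the OSGi report is about; it also means a deployment has one place to install a resolver that decides which class names it is willing to load at all.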