Date: Sat, 22 Oct 2011 06:54:32 +0000 (UTC)
From: "Simone Tripodi (Commented) (JIRA)"
To: issues@commons.apache.org
Subject: [jira] [Commented] (OGNL-23) Class.forName() usage is malicious inside OSGi

[ https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13133277#comment-13133277 ]

Simone Tripodi commented on OGNL-23:
------------------------------------

This is simply amazing Adrian, thanks for your contribution! IIUC how OGNL works, what is still a TODO is letting users define their own ClassLoader to load external entities loaded from different loaders. Does it make sense? In the meanwhile I'll apply your patch, which is definitively better than the current implementation. Thanks for your effort!
Simo

> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
>                 Key: OGNL-23
>                 URL: https://issues.apache.org/jira/browse/OGNL-23
>             Project: OGNL
>          Issue Type: Bug
>            Reporter: Simone Tripodi
>            Assignee: Simone Tripodi
>         Attachments: patch-OGNL23.txt
>
>
> {{Class.forName()}} could make OGNL unusable [inside OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
> * {{org.apache.commons.ognl.DefaultClassResolver}}
> * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if loading {{java.util.LinkedHashMap}} in that way should be safe.
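The approach the issue describes, as an added illustration that is not the OGNL project's code or the attached patch (the class name `LoaderBackedClassResolver` and its `classForName` method are assumed): a resolver that loads classes through a caller-supplied ClassLoader via `loadClass()` and only falls back to `Class.forName()` as a last resort.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical class resolver that takes the ClassLoader from the caller instead of
 *  relying on Class.forName(), which only searches the loader that defined the calling
 *  class (the behaviour the issue reports as breaking OGNL inside OSGi). */
public final class LoaderBackedClassResolver {
    private final ClassLoader loader;
    private final Map<String, Class<?>> cache = new ConcurrentHashMap<>();

    public LoaderBackedClassResolver(ClassLoader loader) {
        // Fallback chain when the user supplies no loader: thread context loader,
        // then the loader that defined this resolver.
        ClassLoader l = loader;
        if (l == null) l = Thread.currentThread().getContextClassLoader();
        if (l == null) l = LoaderBackedClassResolver.class.getClassLoader();
        this.loader = l;
    }

    public Class<?> classForName(String className) throws ClassNotFoundException {
        Class<?> cached = cache.get(className);
        if (cached != null) return cached;
        Class<?> c;
        try {
            // loadClass() follows the supplied loader's delegation (in OSGi, the bundle's
            // own wiring) and, unlike Class.forName(String), does not run static initializers.
            c = loader.loadClass(className);
        } catch (ClassNotFoundException e) {
            // loadClass() does not resolve array descriptors such as "[Ljava.lang.String;",
            // so keep Class.forName() only as the last resort for those.
            c = Class.forName(className);
        }
        cache.put(className, c);
        return c;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: an explicit loader, then the default fallback chain.
        LoaderBackedClassResolver explicit =
            new LoaderBackedClassResolver(ClassLoader.getSystemClassLoader());
        System.out.println(explicit.classForName("java.util.LinkedHashMap").getName());
        LoaderBackedClassResolver defaults = new LoaderBackedClassResolver(null);
        System.out.println(defaults.classForName("[Ljava.lang.String;").getName());
    }
}
```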