Posted to issues@commons.apache.org by "Simone Tripodi (Commented) (JIRA)" <ji...@apache.org> on 2011/10/22 08:54:32 UTC

[jira] [Commented] (OGNL-23) Class.forName() usage is malicious inside OSGi

    [ https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13133277#comment-13133277 ] 

Simone Tripodi commented on OGNL-23:
------------------------------------

This is simply amazing Adrian, thanks for your contribution!

IIUC how OGNL works, what is still a TODO is letting users define their own ClassLoader to load external entities loaded from different loaders. Does it make sense?

In the meanwhile I'll apply your patch, which is definitely better than the current implementation, thanks for your effort!

Simo
                
> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
>                 Key: OGNL-23
>                 URL: https://issues.apache.org/jira/browse/OGNL-23
>             Project: OGNL
>          Issue Type: Bug
>            Reporter: Simone Tripodi
>            Assignee: Simone Tripodi
>         Attachments: patch-OGNL23.txt
>
>
> {{Class.forName()}} could make OGNL unusable [inside OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
>  * {{org.apache.commons.ognl.DefaultClassResolver}}
>  * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if loading {{java.util.LinkedHashMap}} in that way should be safe.

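The issue above is about which loader resolves a class name: `Class.forName(name)` always uses the loader that defined the calling class, so inside OSGi it can only see what the OGNL bundle itself can see. The following is an added example, not OGNL's code and not the attached patch; it shows the shape of the fix the issue describes (a resolver that takes a caller-supplied `ClassLoader` and goes through `loadClass()`), and demonstrates the difference with a restricted loader. The class name `LoaderAwareClassResolver`, the context key `classLoader` and the `java.lang` fallback for unqualified names are assumptions of this example; it does not implement OGNL's own `ClassResolver` interface.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not OGNL's own code): a class resolver that takes the
 * ClassLoader to use from the caller instead of relying on Class.forName(),
 * which always resolves through the loader that defined the calling class.
 * In OSGi that would be the OGNL bundle's loader, which cannot see classes
 * exported by other bundles.
 */
public final class LoaderAwareClassResolver {

    /** Context key under which a caller may supply its own ClassLoader (hypothetical name). */
    public static final String CLASS_LOADER_KEY = "classLoader";

    private final ClassLoader defaultLoader;

    /** @param defaultLoader loader used when the context carries none (may be null) */
    public LoaderAwareClassResolver(ClassLoader defaultLoader) {
        this.defaultLoader = defaultLoader;
    }

    /** Picks the loader: context entry, then constructor default, then thread context, then our own. */
    private ClassLoader selectLoader(Map<String, Object> context) {
        if (context != null) {
            Object supplied = context.get(CLASS_LOADER_KEY);
            if (supplied instanceof ClassLoader) {
                return (ClassLoader) supplied;
            }
        }
        if (defaultLoader != null) {
            return defaultLoader;
        }
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        return tccl != null ? tccl : LoaderAwareClassResolver.class.getClassLoader();
    }

    /**
     * Resolves className through ClassLoader.loadClass(), as the issue proposes.
     * No cache keyed only by class name: the same name can legitimately map to
     * different Class objects under different loaders, so such a cache would
     * hand one bundle another bundle's class.
     */
    public Class<?> classForName(String className, Map<String, Object> context)
            throws ClassNotFoundException {
        ClassLoader loader = selectLoader(context);
        try {
            return loader.loadClass(className);
        } catch (ClassNotFoundException e) {
            // Fallback for unqualified names such as "String" (assumption of this example).
            if (className.indexOf('.') == -1) {
                return loader.loadClass("java.lang." + className);
            }
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a bundle loader that sees only the JDK
        // (parent = null means bootstrap only, no application classpath).
        ClassLoader jdkOnly = new URLClassLoader(new URL[0], null);
        LoaderAwareClassResolver resolver = new LoaderAwareClassResolver(jdkOnly);

        // JDK classes resolve fine through the restricted loader, which is why
        // ASTMap loading java.util.LinkedHashMap is safe.
        System.out.println(resolver.classForName("java.util.LinkedHashMap", new HashMap<>()));

        // An application class is invisible through that loader ...
        String appClass = LoaderAwareClassResolver.class.getName();
        try {
            resolver.classForName(appClass, new HashMap<>());
        } catch (ClassNotFoundException e) {
            System.out.println("not visible through the restricted loader: " + e.getMessage());
        }

        // ... until the caller supplies the loader that can actually see it.
        Map<String, Object> ctx = new HashMap<>();
        ctx.put(CLASS_LOADER_KEY, LoaderAwareClassResolver.class.getClassLoader());
        System.out.println(resolver.classForName(appClass, ctx));
    }
}
```

Compile and run with `javac LoaderAwareClassResolver.java && java LoaderAwareClassResolver`: the first lookup prints the `LinkedHashMap` class, the second reports the name as not found, and the third succeeds once the application loader is passed in the context. The loader chosen here decides which classes an expression can reach, so a host embedding OGNL should pass the narrowest loader that sees the classes its expressions legitimately need rather than a catch-all one.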