You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2022/03/30 11:41:05 UTC
[Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection
https://bz.apache.org/bugzilla/show_bug.cgi?id=65736
--- Comment #11 from Mark Thomas <ma...@apache.org> ---
I've implemented this alternative approach for 10.1.x. It isn't as generic as
forceString but it is sufficient to meet the original requirement.
Two questions:
1. Should we back-port this? If so, how far?
2. Do we want to expand conversion so if the setter is for Type T that we can't
convert and T has a constructor T(String) we use that constructor to create an
instance of T and then pass that to the setter?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection
Posted by Mark Thomas <ma...@apache.org>.
Ping.
On the topic of hardening, how far back do we want to do with this?
Mark
On 30/03/2022 12:41, bugzilla@apache.org wrote:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=65736
>
> --- Comment #11 from Mark Thomas <ma...@apache.org> ---
> I've implemented this alternative approach for 10.1.x. It isn't as generic as
> forceString but it is sufficient to meet the original requirement.
>
> Two questions:
> 1. Should we back-port this? If so, how far?
>
> 2. Do we want to expand conversion so if the setter is for Type T that we can't
> convert and T has a constructor T(String) we use that constructor to create an
> instance of T and then pass that to the setter?
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org