Posted to issues@commons.apache.org by "Adrian Cumiskey (Updated) (JIRA)" <ji...@apache.org> on 2011/10/22 03:08:32 UTC

[jira] [Updated] (OGNL-23) Class.forName() usage is malicious inside OSGi

     [ https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adrian Cumiskey updated OGNL-23:
--------------------------------

    Attachment: patch-OGNL23.txt

This is a patch file which I believe should satisfy the issue.

All references to Class.forName() have been replaced with calls to OgnlContext.DEFAULT_CLASS_RESOLVER.classForName(). This method also previously used Class.forName() and now uses ClassLoader.loadClass().

Cheers, Adrian.
                
> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
>                 Key: OGNL-23
>                 URL: https://issues.apache.org/jira/browse/OGNL-23
>             Project: OGNL
>          Issue Type: Bug
>            Reporter: Simone Tripodi
>         Attachments: patch-OGNL23.txt
>
>
> {{Class.forName()}} could make OGNL unusable [inside OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
>  * {{org.apache.commons.ognl.DefaultClassResolver}}
>  * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if loading {{java.util.LinkedHashMap}} in that way should be safe.
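The resolver sketched below is an added illustration of the approach described in this thread; it is not the attached patch nor the OGNL project's own DefaultClassResolver, and the class name LoaderBackedClassResolver is hypothetical. It shows why the single-argument Class.forName(String) is a problem in OSGi: that overload resolves against the defining loader of the calling class (the OGNL bundle's loader), which cannot see classes exported by other bundles. Looking classes up through an explicitly supplied ClassLoader (the thread context loader by default, or one the embedding application chooses) avoids that. Two caveats a practitioner should keep in mind: ClassLoader.loadClass() does not resolve array descriptors such as "[Ljava.lang.String;", and unlike Class.forName(String) it does not run static initializers at lookup time, so initialization happens on first use instead.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Illustrative class resolver (not OGNL's code) that resolves class names
 * through an explicitly supplied ClassLoader instead of the caller-relative
 * single-argument Class.forName(String).
 */
public final class LoaderBackedClassResolver {

    private final ClassLoader loader;
    private final Map<String, Class<?>> cache = new ConcurrentHashMap<>();

    public LoaderBackedClassResolver(ClassLoader loader) {
        if (loader == null) {
            throw new IllegalArgumentException("loader must not be null");
        }
        this.loader = loader;
    }

    /**
     * Default choice when the embedding application supplies nothing: the
     * thread context class loader, falling back to the loader of this class.
     * In OSGi the embedding bundle would normally pass its own loader instead.
     */
    public static LoaderBackedClassResolver withDefaultLoader() {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (cl == null) {
            cl = LoaderBackedClassResolver.class.getClassLoader();
        }
        return new LoaderBackedClassResolver(cl);
    }

    /** Resolves a binary class name against the configured loader. */
    public Class<?> classForName(String className) throws ClassNotFoundException {
        Class<?> cached = cache.get(className);
        if (cached != null) {
            return cached;
        }
        Class<?> result;
        try {
            // Delegates to the supplied loader; does not initialize the class.
            result = loader.loadClass(className);
        } catch (ClassNotFoundException e) {
            // loadClass() rejects array descriptors like "[Ljava.lang.String;".
            // The three-argument Class.forName with an explicit loader (and
            // initialize=false) handles them without the caller-loader problem.
            result = Class.forName(className, false, loader);
        }
        cache.put(className, result);
        return result;
    }

    public static void main(String[] args) throws Exception {
        LoaderBackedClassResolver resolver = LoaderBackedClassResolver.withDefaultLoader();
        // Constructed sample lookups: a plain class and an array descriptor.
        System.out.println(resolver.classForName("java.util.LinkedHashMap"));
        System.out.println(resolver.classForName("[Ljava.lang.String;"));
    }
}
```

The cache is keyed only by name, so one resolver instance should be bound to one loader; an application that needs lookups against several bundles' loaders should create one resolver per loader rather than share a single instance.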

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira