[OGNL-182] Class.forName() usage is malicious inside OSGi - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.0
Component/s: None
Labels:
None

Description

Class.forName() could make OGNL unusable inside OSGi.
The fix would involve the ClassLoader.loadClass() method, allowing users setting a custom {{ClassLoader}

Classes affected by that issues are:

org.apache.commons.ognl.DefaultClassResolver
org.apache.commons.ognl.OgnlRuntime

The org.apache.commons.ognl.ASTMap class is affected as well, even if loading java.util.LinkedHashMap in that way should be safe.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

patch-OGNL23.txt
22/Oct/11 01:07
5 kB
Adrian Cumiskey
patch-OGNL23-v2.txt
23/Oct/11 05:51
37 kB
Adrian Cumiskey

Activity

People

Assignee:: Simone Tripodi

Reporter:: Simone Tripodi

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 24/Sep/11 21:44

Updated:: 27/Mar/13 12:37

Resolved:: 23/Oct/11 11:33