subbudvk opened a new pull request, #1021: URL: https://github.com/apache/opennlp/pull/1021
## Changes
- ExtensionLoader: the allowlist check runs before `Class.forName()`. The default allowed prefix is `opennlp.`, covering all built-in factories and serializers.
- Two opt-in ways to allow custom extension classes:
  - System property: `-DOPENNLP_EXT_ALLOWED_PACKAGES=com.acme.,com.other.`
  - Programmatic: `ExtensionLoader.registerAllowedPackage(String)`
- Prefix collision prevention: registered prefixes are dot-normalized so `com.test` cannot be exploited via `com.testevil.*`.
- Tests covering: default allow, rejection, registration, system property, multi-package, prefix collision, and the ordering invariant (the allowlist check happens before `Class.forName` even for non-existent classes).
## Breaking change
Applications running custom factories or serializers from non-`opennlp.*` packages will get `ExtensionNotLoadedException` on upgrade. Migration: register the package before loading the model:

`ExtensionLoader.registerAllowedPackage("com.example.nlp");`

Or set it at JVM startup:

`-DOPENNLP_EXT_ALLOWED_PACKAGES=com.example.nlp.`
--
This is an automated message from the Apache Git Service.
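To make the three properties the PR description lists concrete (allowlist check before `Class.forName`, dot-normalized prefixes so `com.test` does not match `com.testevil.*`, and the `OPENNLP_EXT_ALLOWED_PACKAGES` property as an opt-in), here is an added illustration of that pattern. It is not the PR's own code or OpenNLP's API: the class name `AllowlistedLoader`, the `load`/`isAllowed` methods and the use of `IllegalStateException` in place of the PR's `ExtensionNotLoadedException` are all assumptions made for this sketch.

```java
// Added illustration of the allowlist-before-Class.forName pattern described in the PR.
// Class and method names are hypothetical, not OpenNLP's actual ExtensionLoader code.
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;

public final class AllowlistedLoader {
    // Default prefix covering the project's own built-in extension classes.
    private static final Set<String> ALLOWED = new CopyOnWriteArraySet<>(Set.of("opennlp."));

    // Opt-in via system property: a comma-separated list of package prefixes.
    static {
        String prop = System.getProperty("OPENNLP_EXT_ALLOWED_PACKAGES");
        if (prop != null) {
            for (String p : prop.split(",")) {
                if (!p.isBlank()) registerAllowedPackage(p.trim());
            }
        }
    }

    // Store every prefix with a trailing dot, so "com.test" matches "com.test.X"
    // but never "com.testevil.X": the dot is what prevents the prefix collision.
    public static void registerAllowedPackage(String pkg) {
        if (pkg == null || pkg.isBlank()) throw new IllegalArgumentException("empty package prefix");
        ALLOWED.add(pkg.endsWith(".") ? pkg : pkg + ".");
    }

    static boolean isAllowed(String className) {
        for (String prefix : ALLOWED) {
            if (className.startsWith(prefix)) return true;
        }
        return false;
    }

    // Ordering invariant: an unlisted name is rejected before any class lookup,
    // whether or not such a class exists on the classpath.
    public static Class<?> load(String className) throws ClassNotFoundException {
        if (!isAllowed(className)) {
            throw new IllegalStateException("extension class not in allowlist: " + className);
        }
        return Class.forName(className);
    }

    public static void main(String[] args) {
        registerAllowedPackage("com.test");
        System.out.println("default prefix ok?   " + isAllowed("opennlp.tools.util.Version"));
        System.out.println("registered ok?       " + isAllowed("com.test.MyFactory"));
        System.out.println("collision rejected?  " + !isAllowed("com.testevil.MyFactory"));
        try {
            load("com.other.DoesNotExist");
        } catch (IllegalStateException | ClassNotFoundException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

Running `main` with `-DOPENNLP_EXT_ALLOWED_PACKAGES=com.acme.,com.other.` shows the same prefixes being picked up from the property at class-initialization time.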
