[ https://issues.apache.org/jira/browse/VELOCITY-941?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Cesar Hernandez updated VELOCITY-941:
-------------------------------------
Fix Version/s: 1.7.x (was: 2.3)
> 1.7.x backport for SecureUberspector should block methods on ClassLoader and
> subclasses
> ---------------------------------------------------------------------------------------
>
> Key: VELOCITY-941
> URL: https://issues.apache.org/jira/browse/VELOCITY-941
> Project: Velocity
> Issue Type: Improvement
> Reporter: Cesar Hernandez
> Assignee: William Glass-Husain
> Priority: Major
> Fix For: 1.7.x
>
>
> Currently, SecureUberspector matches classes stored with property
> "introspector.restrict.classes", which includes ClassLoader. It then
> matches exact class names and blocks all methods from being called on that
> class.
> However, in most cases it's actually a subclass of ClassLoader that's
> available in the context, which under normal circumstances would not be
> blocked.
> My proposal – treat this as a special case. (Remove it from the
> configuration). If the class being inspected is assignable from ClassLoader,
> then block it.
> You could make an argument that all the SecureUberspector should check if the
> class isAssignable from all configured classes, but I am concerned about
> possible performance penalties. I'd argue that we should hard code checks
> for a few special internal classes but force the user to configure other
> specific classes themselves.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
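The exact-name check the description refers to, side by side with the proposed assignability special case for ClassLoader, as an added Java illustration that is not Velocity's own code; the restricted class names and the `AppLoader` subclass are constructed for the demo.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class RestrictedClassCheck {

    // Constructed stand-in for the "introspector.restrict.classes" property.
    private static final Set<String> RESTRICTED_NAMES = new HashSet<>(Arrays.asList(
            "java.lang.ClassLoader", "java.lang.Thread", "java.lang.Runtime"));

    // Hard-coded special cases: anything assignable to these types is blocked,
    // whatever its concrete class name. Kept to a few internal types so the
    // per-call hierarchy walk stays cheap (the performance concern in the issue).
    private static final Class<?>[] RESTRICTED_HIERARCHIES = { ClassLoader.class };

    /** Name-only check, as the issue describes the current behaviour. */
    static boolean blockedByExactName(Class<?> clazz) {
        return RESTRICTED_NAMES.contains(clazz.getName());
    }

    /** Name check plus the proposed ClassLoader-subclass special case. */
    static boolean blockedWithHierarchyCheck(Class<?> clazz) {
        if (RESTRICTED_NAMES.contains(clazz.getName())) {
            return true;
        }
        for (Class<?> restricted : RESTRICTED_HIERARCHIES) {
            // isAssignableFrom walks superclasses and interfaces, so a subclass
            // reachable from a template is caught even though its name differs.
            if (restricted.isAssignableFrom(clazz)) {
                return true;
            }
        }
        return false;
    }

    // Constructed subclass standing in for the loader a template actually sees.
    static final class AppLoader extends ClassLoader { }

    public static void main(String[] args) {
        Class<?> fromContext = AppLoader.class;
        System.out.println(fromContext.getName()
                + " exact-name blocked: " + blockedByExactName(fromContext)
                + ", hierarchy blocked: " + blockedWithHierarchyCheck(fromContext));
    }
}
```

The name-only check lets the subclass through because its name is not in the set; the assignability check blocks it.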