[ 
https://issues.apache.org/jira/browse/VELOCITY-941?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cesar Hernandez updated VELOCITY-941:
-------------------------------------
    Description: 
This is a backport for [https://github.com/apache/velocity-engine/tree/1.7.x] 
branch 

 

  was:
Currently, SecureUberspector matches classes stored with property 
"introspector.restrict.classes", which includes ClassLoader.   It then matches 
exact class names and blocks all methods from being called on that class.

However, in most cases it's actually a subclass of ClassLoader that's available 
in the context, which under normal circumstances would not be blocked.

My proposal – treat this as a special case.  (Remove it from the 
configuration).  If the class being inspected is assignable from ClassLoader, 
then block it.   

You could make an argument that all the SecureUberspector should check if the 
class isAssignable from all configured classes, but I am concerned about 
possible performance penalties.  I'd argue that we should hard code checks for 
a few special internal classes but force the user to configure other specific 
classes themselves.

 


> 1.7.x backport for SecureUberspector should block methods on ClassLoader and 
> subclasses
> ---------------------------------------------------------------------------------------
>
>                 Key: VELOCITY-941
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-941
>             Project: Velocity
>          Issue Type: Improvement
>            Reporter: Cesar Hernandez
>            Assignee: William Glass-Husain
>            Priority: Major
>             Fix For: 1.7.x
>
>
> This is a backport for [https://github.com/apache/velocity-engine/tree/1.7.x] 
> branch 
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
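The gap described in the original issue text, as an added stand-alone illustration (not code from the issue, the backport, or Velocity's own SecureIntrospectorImpl): exact-name matching against a restricted class list never fires on the ClassLoader subclass a template actually reaches, while an assignability check does. The restricted-name set is a constructed sample, not Velocity's shipped default.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Contrasts the two checks discussed in VELOCITY-941: exact class-name matching
 * versus treating every ClassLoader subclass as blocked.
 */
public class RestrictedClassCheck {

    // Constructed sample in the spirit of "introspector.restrict.classes":
    // exact class names that must not be called from a template.
    private final Set<String> restrictedClassNames = new HashSet<>(
            Arrays.asList("java.lang.ClassLoader", "java.lang.Runtime"));

    /** Existing behaviour: blocked only when the runtime class name is in the list. */
    public boolean isBlockedByExactName(Class<?> clazz) {
        return restrictedClassNames.contains(clazz.getName());
    }

    /** Proposed behaviour: ClassLoader and all its subclasses are blocked;
     *  everything else still falls back to the configured exact names. */
    public boolean isBlockedWithClassLoaderSpecialCase(Class<?> clazz) {
        if (ClassLoader.class.isAssignableFrom(clazz)) {
            return true;
        }
        return restrictedClassNames.contains(clazz.getName());
    }

    public static void main(String[] args) throws Exception {
        RestrictedClassCheck check = new RestrictedClassCheck();
        // What a template normally gets hold of is a subclass (the application
        // class loader or a URLClassLoader), never java.lang.ClassLoader itself.
        ClassLoader appLoader = RestrictedClassCheck.class.getClassLoader();
        try (URLClassLoader urlLoader = new URLClassLoader(new URL[0])) {
            Class<?>[] probes = { ClassLoader.class, appLoader.getClass(),
                                  urlLoader.getClass(), String.class };
            for (Class<?> c : probes) {
                // Only java.lang.ClassLoader itself trips the exact-name check;
                // the subclasses are caught solely by the assignability check.
                System.out.printf("%-45s exactName=%-5b assignable=%b%n",
                        c.getName(),
                        check.isBlockedByExactName(c),
                        check.isBlockedWithClassLoaderSpecialCase(c));
            }
        }
    }
}
```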
