nandorKollar commented on code in PR #3376:
URL: https://github.com/apache/avro/pull/3376#discussion_r2081385949
##########
lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java:
##########
@@ -133,6 +148,12 @@ private void checkSecurity(Class clazz) throws
ClassNotFoundException {
return;
}
+ for (String trustedClass : getTrustedClasses()) {
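Review bot: `checkSecurity(Class clazz)` takes an already-loaded `Class`, so the loop over `getTrustedClasses()` can only reject instantiation after the caller has loaded the class, which is too late to stop anything that runs at class load or initialization time; consider taking the candidate class name as a `String`, matching it against the trusted list first, and only loading the class once the name is accepted.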
Review Comment:
> I agree that this would be slightly better but I don't see a problem with
> the class loading. As long as it is not instantiated it should be OK.
Although we block class instantiation if the given class isn't whitelisted,
one can still trigger execution of a static initialiser block of any class from
the classpath, I think, when we load the class before checking whether it is
whitelisted or not. When we don't even load the class, then it can't cause any
possible headache in the future either.
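An added illustration of the ordering point made in this thread (example code, not Avro's own `checkSecurity` or `getTrustedClasses`): `TRUSTED` is a constructed allowlist and `Untrusted` is a hypothetical class standing in for anything on the classpath. Loading by name via `Class.forName` initializes the class, so a static block runs before a load-then-check design ever consults the list, whereas checking the name first never loads it.

```java
import java.util.Set;

public class TrustedClassCheckDemo {
  // Constructed allowlist standing in for the trusted-class list (hypothetical).
  private static final Set<String> TRUSTED = Set.of("java.lang.String", "java.util.ArrayList");

  // Hypothetical class that is not on the allowlist. Its static initializer runs
  // as soon as the JVM initializes the class, whether or not it is ever instantiated.
  static class Untrusted {
    static {
      System.out.println("Untrusted static initializer ran");
    }
  }

  // Load-then-check: Class.forName(name) initializes the class, so the static block
  // has already executed by the time the allowlist is consulted and instantiation is refused.
  static Class<?> loadThenCheck(String name) throws ClassNotFoundException {
    Class<?> clazz = Class.forName(name); // static initializer runs here
    if (!TRUSTED.contains(clazz.getName())) {
      throw new SecurityException("untrusted class: " + name);
    }
    return clazz;
  }

  // Check-then-load: decide on the name alone; an untrusted class is never loaded at all.
  static Class<?> checkThenLoad(String name) throws ClassNotFoundException {
    if (!TRUSTED.contains(name)) {
      throw new SecurityException("untrusted class: " + name);
    }
    return Class.forName(name);
  }

  public static void main(String[] args) throws ClassNotFoundException {
    // A class literal does not initialize the class, so Untrusted is still uninitialized here.
    String name = Untrusted.class.getName();
    try {
      checkThenLoad(name); // rejected; nothing is printed by Untrusted
    } catch (SecurityException e) {
      System.out.println("check-then-load rejected: " + e.getMessage());
    }
    try {
      loadThenCheck(name); // prints "Untrusted static initializer ran" before it is rejected
    } catch (SecurityException e) {
      System.out.println("load-then-check rejected: " + e.getMessage());
    }
  }
}
```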
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.