jbonofre commented on code in PR #3376:
URL: https://github.com/apache/avro/pull/3376#discussion_r2081763069


##########
lang/java/avro/src/main/java/org/apache/avro/specific/SpecificDatumReader.java:
##########
@@ -133,6 +148,12 @@ private void checkSecurity(Class clazz) throws 
ClassNotFoundException {
       return;
     }
 
+    for (String trustedClass : getTrustedClasses()) {
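Review bot: The added `for (String trustedClass : getTrustedClasses())` loop scans the whole list on every `checkSecurity` call, and its body is not visible in this hunk, so the kind of comparison cannot be confirmed from here. If the intent is an exact class-name allowlist, comparing with `clazz.getName()` through a `Set<String>` and `contains` would state that directly and rule out an accidental prefix or substring match, which would turn a class entry back into a package-style wildcard. It would also help to document on `getTrustedClasses()` that entries are fully qualified names matched exactly.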

Review Comment:
   @martin-g to get the package, we need to get the class (with 
`ClassUtils.forName()`). If we do the `checkSecurity` with just class name (not 
the class itself), then we don't do package check.
   If we want to do both, we need to split the check in two steps:
   - class name first
   - package once we have the class loaded
   
   As we deprecate packages (in favor of class name), I think we can focus only 
on class name, right?



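The two-step check described in the comment above (class name first, package once the class is loaded), sketched as an added example; it is not code from the PR or from Avro. The class `TwoStepTrustCheck`, its methods and both allowlists are hypothetical names and constructed values.

```java
import java.util.Set;

// Added illustration, not Avro code: every name below is hypothetical.
public class TwoStepTrustCheck {
  // Constructed allowlists for the demo.
  static final Set<String> TRUSTED_CLASSES = Set.of("java.math.BigDecimal");
  static final Set<String> TRUSTED_PACKAGES = Set.of("java.net"); // legacy path

  /** Step 1: exact class-name match, decided before any class is loaded. */
  static boolean trustedByName(String className) {
    return TRUSTED_CLASSES.contains(className);
  }

  /** Step 2: package match, which needs the Class object. */
  static boolean trustedByPackage(Class<?> clazz) {
    Package pkg = clazz.getPackage(); // null for arrays and primitives
    return pkg != null && TRUSTED_PACKAGES.contains(pkg.getName());
  }

  static Class<?> resolve(String className) throws ClassNotFoundException {
    ClassLoader loader = Thread.currentThread().getContextClassLoader();
    if (trustedByName(className)) {
      return Class.forName(className, true, loader);
    }
    // Load without running static initializers, so a class that is not
    // trusted by name executes no code before the package check passes.
    Class<?> clazz = Class.forName(className, false, loader);
    if (!trustedByPackage(clazz)) {
      throw new SecurityException("Forbidden " + className);
    }
    return clazz;
  }

  public static void main(String[] args) throws Exception {
    String[] names = {"java.math.BigDecimal", "java.net.URI", "java.io.File"};
    for (String name : names) {
      try {
        System.out.println("allowed:  " + resolve(name).getName());
      } catch (SecurityException e) {
        System.out.println("rejected: " + name);
      }
    }
  }
}
```

Dropping the package step, as the comment proposes, reduces `resolve` to the `trustedByName` branch plus a rejection, and nothing is loaded for a name that is not on the list.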