[ https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13114322#comment-13114322 ]

Daniel Pitts commented on OGNL-23:
----------------------------------

Are you sure ClassLoader.loadClass() is a valid solution? It looks to me as if 
that article basically says that "Class.forName" breaks OSGi solely because it 
is dynamic and doesn't force dependency headers to be set correctly at 
build-time. To me, that seems like it is out-of-scope for OGNL to handle.

ICBW, as I haven't really studied OSGi much.

> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
>                 Key: OGNL-23
>                 URL: https://issues.apache.org/jira/browse/OGNL-23
>             Project: OGNL
>          Issue Type: Bug
>            Reporter: Simone Tripodi
>
> {{Class.forName()}} could make OGNL unusable [inside 
> OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users 
> to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
>  * {{org.apache.commons.ognl.DefaultClassResolver}}
>  * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if 
> loading {{java.util.LinkedHashMap}} in that way should be safe.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
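The fix the issue proposes (resolve through an injected {{ClassLoader.loadClass()}} rather than {{Class.forName()}}) as an added, standalone Java example; this is not OGNL's own {{DefaultClassResolver}} and does not implement OGNL's resolver interface, and the class name {{LoaderBackedClassResolver}} is a hypothetical one chosen here:

```java
import java.util.Objects;

/**
 * Hypothetical resolver showing the OGNL-23 idea: delegate class lookup to a
 * caller-supplied ClassLoader instead of Class.forName(), which always uses
 * the loader that defined the calling class (a problem inside OSGi, where
 * each bundle has its own loader). Added example, not OGNL code.
 */
public final class LoaderBackedClassResolver {

    private final ClassLoader loader;

    /** Use the given loader (for example an OSGi bundle's class loader). */
    public LoaderBackedClassResolver(ClassLoader loader) {
        this.loader = Objects.requireNonNull(loader, "loader");
    }

    /** Fall back to the thread context loader, then the system loader. */
    public LoaderBackedClassResolver() {
        this(contextOrSystemLoader());
    }

    private static ClassLoader contextOrSystemLoader() {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        return cl != null ? cl : ClassLoader.getSystemClassLoader();
    }

    /**
     * Resolve a class name through the configured loader.
     * Unlike Class.forName(name), loadClass() does not run the class's
     * static initialisers, and it cannot resolve array descriptors such
     * as "[Ljava.lang.String;".
     */
    public Class<?> classForName(String className) throws ClassNotFoundException {
        return loader.loadClass(className);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: resolve a JDK class through the system loader,
        // the same class ASTMap loads according to the issue description.
        LoaderBackedClassResolver resolver =
            new LoaderBackedClassResolver(ClassLoader.getSystemClassLoader());
        System.out.println(resolver.classForName("java.util.LinkedHashMap").getName());
    }
}
```

Two points a practitioner will want to keep in mind when swapping the call: {{loadClass()}} skips static initialisation and rejects array descriptors, so behaviour differs from {{Class.forName(name)}} for those inputs; and whichever component supplies the loader now decides which classes the expression language can see at all, so that injection point is where visibility should be deliberately chosen rather than left to the default.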

        

Reply via email to