[
https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13114330#comment-13114330
]
Simone Tripodi commented on OGNL-23:
------------------------------------
There is the requirement that every Commons component is a valid OSGi bundle,
so OGNL has to satisfy OSGi requirements as well and the issue is not out of
scope.
{{ClassLoader.loadClass()}} works better than {{Class.forName()}} because
classes can be loaded from different {{ClassLoader}}s, so {{ClassNotFound}}
exceptions can be avoided by using the proper class loader.
Of course, in a non-OSGi context, the default ClassLoader works like a charm.
> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
> Key: OGNL-23
> URL: https://issues.apache.org/jira/browse/OGNL-23
> Project: OGNL
> Issue Type: Bug
> Reporter: Simone Tripodi
>
> {{Class.forName()}} could make OGNL unusable [inside
> OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users
> to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
> * {{org.apache.commons.ognl.DefaultClassResolver}}
> * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if
> loading {{java.util.LinkedHashMap}} in that way should be safe.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
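The situation the comment above describes, as an added, runnable illustration (this is not OGNL project code and not part of the JIRA thread). A library class is defined by a class loader with its own class space, mimicking an OSGi bundle class loader that has no import for the application's packages; from there, {{Class.forName(String)}} binds the lookup to the library's own defining loader and fails, while delegating to a caller-supplied {{ClassLoader}} resolves the application class. All names ({{ResolverDemo}}, {{Library}}, {{UserBean}}, {{BundleLoader}}) are hypothetical; the file is assumed to be compiled and run as a single {{ResolverDemo.java}} on Java 9 or later (for {{InputStream.readAllBytes()}}).

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

/*
 * Added example, not OGNL project code. Simulates the class-space problem behind
 * OGNL-23: a library living in its own class space cannot see application classes
 * via Class.forName(), but can when the application hands it a ClassLoader.
 */
public final class ResolverDemo {

    /** Hypothetical stand-in for the library (OGNL): two lookup strategies. */
    public static final class Library {
        // The pattern the issue objects to: the lookup is bound to Library's own loader.
        public static Class<?> viaForName(String name) throws ClassNotFoundException {
            return Class.forName(name);
        }
        // The proposed fix: use the loader the caller chose, falling back to the
        // thread context class loader when none was supplied.
        public static Class<?> viaLoader(String name, ClassLoader loader) throws ClassNotFoundException {
            ClassLoader cl = loader != null ? loader : Thread.currentThread().getContextClassLoader();
            return cl.loadClass(name);
        }
    }

    /** Hypothetical application class that the library is asked to resolve. */
    public static final class UserBean {}

    /**
     * A loader whose only parent is the bootstrap loader. It defines the library's
     * own classes (read as resources from the application class path) and throws
     * ClassNotFoundException for everything else, like a bundle class loader with
     * no Import-Package for the application's packages. Bootstrap classes such as
     * java.util.LinkedHashMap remain visible through the parent, which is why
     * loading them by name is harmless in either strategy.
     */
    static final class BundleLoader extends ClassLoader {
        private final String ownedPrefix;
        BundleLoader(String ownedPrefix) { super(null); this.ownedPrefix = ownedPrefix; }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            if (!name.startsWith(ownedPrefix)) throw new ClassNotFoundException(name);
            String path = name.replace('.', '/') + ".class";
            try (InputStream in = ResolverDemo.class.getClassLoader().getResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] b = in.readAllBytes();
                return defineClass(name, b, 0, b.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String libName = Library.class.getName();
        String beanName = UserBean.class.getName();

        // Load the library into its own class space, as an OSGi framework would.
        ClassLoader bundle = new BundleLoader(libName);
        Class<?> lib = bundle.loadClass(libName);
        if (lib == Library.class) throw new AssertionError("expected a separate class space");

        Method viaForName = lib.getMethod("viaForName", String.class);
        Method viaLoader = lib.getMethod("viaLoader", String.class, ClassLoader.class);

        // Class.forName() inside the bundle space: the application class is invisible.
        try {
            viaForName.invoke(null, beanName);
            System.out.println("Class.forName: unexpectedly succeeded");
        } catch (InvocationTargetException e) {
            System.out.println("Class.forName: " + e.getCause()); // ClassNotFoundException
        }

        // loadClass() on the loader supplied by the application: resolves the real class.
        Class<?> resolved = (Class<?>) viaLoader.invoke(null, beanName, ResolverDemo.class.getClassLoader());
        System.out.println("loadClass with caller's loader: " + (resolved == UserBean.class)); // true
    }
}
```

The identity check at the end matters as much as the missing exception: in a real container a class resolved through the wrong loader may exist under the same name yet be a different {{Class}} object, which surfaces later as a {{ClassCastException}} rather than at lookup time.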