[ https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13114330#comment-13114330 ]
Simone Tripodi commented on OGNL-23:
------------------------------------

There is the requirement that every Commons component is a valid OSGi bundle, so OGNL has to satisfy OSGi requirements as well and the issue is not out of scope.

{{ClassLoader.loadClass()}} works better than {{Class.forName()}} because classes can be loaded from different {{ClassLoader}}s, so {{ClassNotFound}} exceptions can be avoided by using the proper class loader. Of course, in a non-OSGi context, the default ClassLoader works like a charm.

> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
>                 Key: OGNL-23
>                 URL: https://issues.apache.org/jira/browse/OGNL-23
>             Project: OGNL
>          Issue Type: Bug
>            Reporter: Simone Tripodi
>
> {{Class.forName()}} could make OGNL unusable [inside OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
> * {{org.apache.commons.ognl.DefaultClassResolver}}
> * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if loading {{java.util.LinkedHashMap}} in that way should be safe.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
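The approach the comment describes, as an added illustration rather than code from the OGNL project: a hypothetical resolver that loads classes through a caller-supplied {{ClassLoader}} via {{loadClass()}}, falling back to the thread-context loader and then its own loader, instead of letting {{Class.forName(name)}} silently use the caller's defining loader. The class name `BundleAwareClassResolver` and its fallback order are assumptions of this example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical resolver (added example, not OGNL's DefaultClassResolver).
 * Class.forName(name) always uses the loader of the class that calls it, which inside
 * an OSGi container is the OGNL bundle's loader and usually cannot see user classes.
 * Resolving through an explicitly chosen ClassLoader avoids that.
 */
public final class BundleAwareClassResolver {

    private final ClassLoader configured;                      // may be null
    private final Map<String, Class<?>> cache = new ConcurrentHashMap<>();

    public BundleAwareClassResolver(ClassLoader configured) {
        this.configured = configured;
    }

    public Class<?> classForName(String className) throws ClassNotFoundException {
        Class<?> cached = cache.get(className);
        if (cached != null) {
            return cached;
        }
        // Assumed fallback order: user-supplied loader, thread-context loader, our own loader.
        ClassLoader[] candidates = {
            configured,
            Thread.currentThread().getContextClassLoader(),
            BundleAwareClassResolver.class.getClassLoader()
        };
        ClassNotFoundException last = null;
        for (ClassLoader cl : candidates) {
            if (cl == null) {
                continue;
            }
            try {
                // loadClass() resolves a binary class name (not array descriptors) and,
                // unlike Class.forName(name), does not run the class's static initializers.
                Class<?> c = cl.loadClass(className);
                cache.put(className, c);
                return c;
            } catch (ClassNotFoundException e) {
                last = e;                                      // try the next loader
            }
        }
        throw last != null ? last : new ClassNotFoundException(className);
    }

    public static void main(String[] args) throws Exception {
        // Outside OSGi every loader sees the JDK, so this resolves on the first candidate.
        Class<?> c = new BundleAwareClassResolver(null).classForName("java.util.LinkedHashMap");
        System.out.println(c.getName());
    }
}
```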