[ https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adrian Cumiskey updated OGNL-23:
--------------------------------

    Attachment: patch-OGNL23-v2.txt

Hi Simone,

I have read your comments and I have had a little more time to review the code 
earlier and have made what I hope are some useful additions to my patch.

I found that there is provision in the existing code for the user to be able to 
configure their own ClassLoader.  This is achieved by calling 
OgnlContext.setClassResolver().  The problem with the current code is that this 
configured ClassResolver is not always being used by the OGNL library.  For example 
the ExpressionCompiler is always resolved using the DefaultClassResolver and 
any user defined ClassResolver is ignored.

With this patch, all roads in the code base for class loading/resolving now 
point to OgnlRuntime.classForName().  This method firstly tries to resolve 
using the ClassResolver configured on the OgnlContext it is passed.  If none is 
configured it then defaults to using the DefaultClassResolver.  Hope this helps.

Cheers, Adrian.
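The resolution order described above (context-configured ClassResolver first, DefaultClassResolver only as a fallback), as an added illustration rather than code from the patch or from OGNL itself; the ClassResolver interface, the context key and the class names are stand-ins, and the recording ClassLoader plays the role an OSGi bundle's loader would.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-ins for the OGNL types named above; the interface signature and the
// context key are assumptions, not the library's own code.
interface ClassResolver {
    Class<?> classForName(String name, Map<String, Object> ctx) throws ClassNotFoundException;
}

// Delegates to a caller-supplied ClassLoader via loadClass(), as the issue proposes;
// under OSGi this would be the calling bundle's class loader.
class LoaderBackedClassResolver implements ClassResolver {
    private final ClassLoader loader;
    LoaderBackedClassResolver(ClassLoader loader) { this.loader = loader; }
    public Class<?> classForName(String name, Map<String, Object> ctx) throws ClassNotFoundException {
        return loader.loadClass(name);
    }
}

// Fallback when nothing is configured: Class.forName() against the library's own
// loader, which is the behaviour that breaks inside OSGi.
class DefaultClassResolver implements ClassResolver {
    public Class<?> classForName(String name, Map<String, Object> ctx) throws ClassNotFoundException {
        return Class.forName(name);
    }
}

class OgnlRuntime {
    static final String RESOLVER_KEY = "_classResolver"; // assumed context key
    private static final ClassResolver DEFAULT = new DefaultClassResolver();
    // The single entry point all class loading is routed through: prefer the
    // resolver configured on the context, use the default only when none is set.
    static Class<?> classForName(String name, Map<String, Object> ctx) throws ClassNotFoundException {
        Object configured = ctx == null ? null : ctx.get(RESOLVER_KEY);
        ClassResolver r = configured instanceof ClassResolver ? (ClassResolver) configured : DEFAULT;
        return r.classForName(name, ctx);
    }
}

public class ResolverDemo {
    public static void main(String[] args) throws Exception {
        // A loader that logs each request, standing in for a bundle's class loader.
        ClassLoader bundleLoader = new ClassLoader(ResolverDemo.class.getClassLoader()) {
            @Override public Class<?> loadClass(String n) throws ClassNotFoundException {
                System.out.println("configured loader asked for " + n);
                return super.loadClass(n);
            }
        };
        Map<String, Object> ctx = new HashMap<>();
        ctx.put(OgnlRuntime.RESOLVER_KEY, new LoaderBackedClassResolver(bundleLoader));
        System.out.println(OgnlRuntime.classForName("java.util.LinkedHashMap", ctx));  // goes through bundleLoader
        System.out.println(OgnlRuntime.classForName("java.util.LinkedHashMap", null)); // falls back to the default
    }
}
```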
                
> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
>                 Key: OGNL-23
>                 URL: https://issues.apache.org/jira/browse/OGNL-23
>             Project: OGNL
>          Issue Type: Bug
>            Reporter: Simone Tripodi
>            Assignee: Simone Tripodi
>         Attachments: patch-OGNL23-v2.txt, patch-OGNL23.txt
>
>
> {{Class.forName()}} could make OGNL unusable [inside 
> OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users 
> to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
>  * {{org.apache.commons.ognl.DefaultClassResolver}}
>  * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if 
> loading {{java.util.LinkedHashMap}} in that way should be safe.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
