[ https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Adrian Cumiskey updated OGNL-23:
--------------------------------

Attachment: patch-OGNL23-v2.txt

Hi Simone,

I have read your comments and I have had a little more time to review the code earlier and have made what I hope are some useful additions to my patch.

I found that there is provision in the existing code for the user to be able to configure their own ClassLoader. This is achieved by calling OgnlContext.setClassResolver(). The problem with the current code is that this configured ClassResolver is not always being used by the OGNL library. For example the ExpressionCompiler is always resolved using the DefaultClassResolver and any user defined ClassResolver is ignored.

With this patch, all roads in the code base for class loading/resolving now point to OgnlRuntime.classForName(). This method firstly tries to resolve using the ClassResolver configured on the OgnlContext it is passed. If none is configured it then defaults to using the DefaultClassResolver.

Hope this helps.

Cheers, Adrian.

> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
> Key: OGNL-23
> URL: https://issues.apache.org/jira/browse/OGNL-23
> Project: OGNL
> Issue Type: Bug
> Reporter: Simone Tripodi
> Assignee: Simone Tripodi
> Attachments: patch-OGNL23-v2.txt, patch-OGNL23.txt
>
> {{Class.forName()}} could make OGNL unusable [inside OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
> * {{org.apache.commons.ognl.DefaultClassResolver}}
> * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if loading {{java.util.LinkedHashMap}} in that way should be safe.
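The resolution order Adrian describes (configured ClassResolver first, DefaultClassResolver only as a fallback), as an added illustration that is not the attached patch or OGNL's own code; ClassResolver, the two resolver classes and the "classResolver" context key are simplified stand-ins assumed for this example:

```java
import java.util.HashMap;
import java.util.Map;

public class ClassResolutionDemo {

    // Stand-in for OGNL's ClassResolver: turns a class name into a Class.
    interface ClassResolver {
        Class<?> classForName(String name, Map<String, Object> ctx) throws ClassNotFoundException;
    }

    // Fallback. Class.forName() binds to the loader of the calling class, i.e. the
    // OGNL bundle's loader, which in OSGi cannot see application bundles' classes.
    static final class DefaultClassResolver implements ClassResolver {
        public Class<?> classForName(String name, Map<String, Object> ctx) throws ClassNotFoundException {
            return Class.forName(name);
        }
    }

    // User-configured resolver: delegates to ClassLoader.loadClass() on a loader
    // the application chose, for instance its own bundle's loader.
    static final class LoaderClassResolver implements ClassResolver {
        private final ClassLoader loader;
        LoaderClassResolver(ClassLoader loader) { this.loader = loader; }
        public Class<?> classForName(String name, Map<String, Object> ctx) throws ClassNotFoundException {
            return loader.loadClass(name);
        }
    }

    // Single entry point, as the patch routes all class lookups through one method:
    // prefer the resolver configured on the context, default only when none is set.
    static Class<?> classForName(String name, Map<String, Object> ctx) throws ClassNotFoundException {
        ClassResolver resolver = (ClassResolver) ctx.get("classResolver"); // assumed key
        if (resolver == null) {
            resolver = new DefaultClassResolver();
        }
        return resolver.classForName(name, ctx);
    }

    public static void main(String[] args) throws Exception {
        // Constructed loader that records each request, standing in for a bundle loader.
        final StringBuilder seen = new StringBuilder();
        ClassLoader recording = new ClassLoader(ClassResolutionDemo.class.getClassLoader()) {
            @Override public Class<?> loadClass(String name) throws ClassNotFoundException {
                seen.append(name).append(' ');
                return super.loadClass(name);
            }
        };
        Map<String, Object> ctx = new HashMap<>();
        ctx.put("classResolver", new LoaderClassResolver(recording));
        classForName("java.util.LinkedHashMap", ctx);
        System.out.println("Requests seen by the configured loader: " + seen.toString().trim());
    }
}
```

Remove the `classResolver` entry from `ctx` and the same call silently goes through `Class.forName()` instead, which is the path the issue reports as unusable inside OSGi.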