[ https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13133621#comment-13133621 ]

Hudson commented on OGNL-23:
----------------------------

Integrated in ognl #145 (See [https://builds.apache.org/job/ognl/145/])
    [OGNL-23] Class.forName() usage is malicious inside OSGi (contributed by Adrian Cumiskey)

simonetripodi : http://svn.apache.org/viewvc/?view=rev&rev=1187867
Files : 
* /commons/proper/ognl/trunk/src/changes/changes.xml
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ASTAnd.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ASTAssign.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ASTChain.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ASTCtor.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ASTList.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ASTMap.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ASTMethod.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ASTOr.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ASTProperty.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ASTStaticMethod.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ASTTest.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ASTVarRef.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ClassResolver.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/DefaultClassResolver.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/ObjectPropertyAccessor.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/OgnlContext.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/OgnlRuntime.java
* /commons/proper/ognl/trunk/src/main/java/org/apache/commons/ognl/enhance/ExpressionCompiler.java
* /commons/proper/ognl/trunk/src/test/java/org/apache/commons/ognl/TestOgnlRuntime.java
* /commons/proper/ognl/trunk/src/test/java/org/apache/commons/ognl/test/ASTMethodTest.java
* /commons/proper/ognl/trunk/src/test/java/org/apache/commons/ognl/test/objects/BeanProviderAccessor.java

> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
>                 Key: OGNL-23
>                 URL: https://issues.apache.org/jira/browse/OGNL-23
>             Project: OGNL
>          Issue Type: Bug
>            Reporter: Simone Tripodi
>            Assignee: Simone Tripodi
>         Attachments: patch-OGNL23-v2.txt, patch-OGNL23.txt
>
>
> {{Class.forName()}} could make OGNL unusable [inside OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users 
> to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
>  * {{org.apache.commons.ognl.DefaultClassResolver}}
>  * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if 
> loading {{java.util.LinkedHashMap}} in that way should be safe.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
