I think a camelCase edit was missed in classfile/FieldOrMethod.java. The
method 'copy_' has constantPool in the arg list and constant_pool in the
body. constant_pool is a class field and I don’t think the intention of copy_
is to reuse the existing ConstantPool.
Mark
-Original Message-
On 26/10/2022 08:58, Henri Biestro wrote:
Fair points, thank you. They seem to lead into the point of view that JEXL (or
any scripting solution?) should not expose any feature that could be considered
security-related avoiding the CVE potential turmoils altogether. Trusted
sanitised input is
Looking on the plug-in side (1) if this hasn’t changed any and I’m reading
it correctly, seems like the json Node in use has no displayName or name
attributes present.
Reference
(1)
Validated signatures on the binary and src distributions.
Built from src.zip using:
maven install site -P jacoco -P japicmp
Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
Maven home: /usr/local/apache-maven-3
Java version: 11.0.16, vendor: Ubuntu, runtime:
Ping ;-)
On 2022/10/23 14:58:05 Gary Gregory wrote:
> We have fixed one bug since Apache Commons BCEL 6.6.0 was released, so
> I would like to release Apache Commons BCEL 6.6.1. This will help
> SpotBugs migrate from 6.5.0.
>
> Apache Commons BCEL 6.6.1 RC1 is available for review here:
>
+1
ASC and SHA512 files OK
Built from src zip with default Maven goal using:
Darwin 21.6.0 Darwin Kernel Version 21.6.0: Mon Aug 22 20:17:10
PDT 2022; root:xnu-8020.140.49~2/RELEASE_X86_64 x86_64
Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
Maven home:
Fair points, thank you. They seem to lead into the point of view that JEXL (or
any scripting solution?) should not expose any feature that could be considered
security-related avoiding the CVE potential turmoils altogether. Trusted
sanitised input is expected and required so this is a moot