Is it possible that TIFFTagSet will be extended by the user and passed
via xml? In this case will we able to load the user's class via forName?
On 04.08.16 18:31, Philip Race wrote:
+1
-phil
On 8/4/16, 4:55 AM, Jayathirth D V wrote:
Hi,
Please review the following fix in JDK9 at your convenience:
Bug : https://bugs.openjdk.java.net/browse/JDK-8160455
Webrev : http://cr.openjdk.java.net/~jdv/8160455/webrev.00/
<http://cr.openjdk.java.net/%7Ejdv/8160455/webrev.00/>
Root cause : We are directly getting string present in XML DOM tree
from attribute “tagSets” and creating class from it using
class.forName(). XML DOM tree string can be an invalid also which we
don’t check.
Solution : Verify whether the string from XML DOM tree maps to any of
the subclasses of “TIFFTagSet” before initializing the class using
isAssignableFrom(). This adds tighter check before initializing the
class from XML DOM tree string.
Thanks,
Jay
--
Best regards, Sergey.
