Cesar Hernandez created VELOCITY-941:
----------------------------------------

             Summary: 1.7.x backport for SecureUberspector should block methods 
on ClassLoader and subclasses
                 Key: VELOCITY-941
                 URL: https://issues.apache.org/jira/browse/VELOCITY-941
             Project: Velocity
          Issue Type: Improvement
            Reporter: Cesar Hernandez
            Assignee: William Glass-Husain
             Fix For: 2.3


Currently, SecureUberspector matches classes stored with property 
"introspector.restrict.classes", which includes ClassLoader.   It then matches 
exact class names and blocks all methods from being called on that class.

However, in most cases it's actually a subclass of ClassLoader that's available 
in the context, which under normal circumstances would not be blocked.

My proposal – treat this as a special case.  (Remove it from the 
configuration).  If the class being inspected is assignable from ClassLoader, 
then block it.   

You could make an argument that all the SecureUberspector should check if the 
class isAssignable from all configured classes, but I am concerned about 
possible performance penalties.  I'd argue that we should hard code checks for 
a few special internal classes but force the user to configure other specific 
classes themselves.

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org

Reply via email to