wrprice opened a new pull request, #374:
URL: https://github.com/apache/commons-jexl/pull/374
`ClassTool.isExported(Class)` attempts to check, on Java 9+, whether the package containing the class is _exported_ per the Java Module System. A package must at least be exported in order for its `public` members to be *read* via reflection by another package. It uses reflection to access the Java 9+ APIs so that JEXL can still run on Java 8, and the check is bypassed in this case.

The issue was the use of `Module.isExported(String)`, which accepts only a package name. This method is defined to return `true` if and only if the named package is _unconditionally_ exported, i.e. to any module that wants to read it. But Java also supports _qualified_ exports, where a module can export a package **only** to one or more specifically named other modules; this is a mechanism for least-privilege access. For example:

```java
module org.example.module {
    exports org.example.module.api;                                   // unqualified or unconditional
    exports org.example.module.scripting to org.apache.commons.jexl3; // qualified
}
```

JEXL 3.5.0 would accept classes from the `o.e.m.api` package in the above example, but reject classes in `o.e.m.scripting` even though Java would permit access to the JEXL module.

The fix is to use a different overload: `Module.isExported(String, Module)`, passing JEXL's own module as the 2nd method parameter. This continues to return `true` for the unqualified or unconditional exports, but now also returns `true` for the qualified form as well.
Thanks for your contribution to [Apache Commons](https://commons.apache.org/)! Your help is appreciated!

Before you push a pull request, review this list:

- [X] Read the [contribution guidelines](CONTRIBUTING.md) for this project.
- [ ] Read the [ASF Generative Tooling Guidance](https://www.apache.org/legal/generative-tooling.html) if you use Artificial Intelligence (AI).
- [ ] I used AI to create any part of, or all of, this pull request.
- [X] Run a successful build using the default [Maven](https://maven.apache.org/) goal with `mvn`; that's `mvn` on the command line by itself.
- [ ] Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied. This may not always be possible, but it is a best-practice.
- [X] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
- [X] Each commit in the pull request should have a meaningful subject line and body. Note that a maintainer may squash commits during the merge process.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
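As an added illustration of the two `Module.isExported` overloads discussed in the pull request above (example code, not part of JEXL or of the PR): it calls the Java 9+ module API directly rather than through reflection, and uses the JDK's own `java.base` module, which declares qualified exports, to show where `isExported(String)` and `isExported(String, Module)` give different answers. The `ExportCheck` class and its helper names are assumptions made for this example.

```java
import java.lang.module.ModuleDescriptor;
import java.util.Optional;

/** Added illustration of unconditional vs. qualified export checks (not JEXL code). */
public final class ExportCheck {

    /** The JEXL 3.5.0 behaviour: only an unconditional export passes. */
    static boolean exportedUnconditionally(Module owner, String pkg) {
        // Every package of the unnamed module (classpath code) counts as exported.
        return !owner.isNamed() || owner.isExported(pkg);
    }

    /** The fixed behaviour: an export qualified to 'reader' passes as well. */
    static boolean exportedTo(Module owner, String pkg, Module reader) {
        return !owner.isNamed() || owner.isExported(pkg, reader);
    }

    public static void main(String[] args) {
        ModuleLayer boot = ModuleLayer.boot();
        Module base = boot.findModule("java.base").orElseThrow(IllegalStateException::new);

        // java.base declares several "exports X to Y" entries. For the first one whose
        // target module is present in the boot layer, compare the two checks: the
        // package-only overload reports false, the (package, reader) overload true.
        for (ModuleDescriptor.Exports e : base.getDescriptor().exports()) {
            if (!e.isQualified()) {
                continue;
            }
            Optional<Module> target = e.targets().stream()
                    .map(boot::findModule)
                    .flatMap(Optional::stream)
                    .findFirst();
            if (!target.isPresent()) {
                continue;
            }
            String pkg = e.source();
            Module reader = target.get();
            System.out.printf("%s: unconditional=%b, exportedTo(%s)=%b%n",
                    pkg,
                    exportedUnconditionally(base, pkg),
                    reader.getName(),
                    exportedTo(base, pkg, reader));
            break;
        }
    }
}
```

For a class check like `ClassTool.isExported(Class)`, the arguments are `clazz.getModule()` and `clazz.getPackageName()`, with the caller's own module (for example `ExportCheck.class.getModule()`) as the reader.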