[jira] [Created] (OGNL-23) Class.forName() usage is malicious inside OSGi

Simone Tripodi (JIRA) Sat, 24 Sep 2011 14:44:49 -0700

Class.forName() usage is malicious inside OSGi
----------------------------------------------


                 Key: OGNL-23
                 URL: https://issues.apache.org/jira/browse/OGNL-23
             Project: OGNL
          Issue Type: Bug
            Reporter: Simone Tripodi


{{Class.forName()}} could make OGNL unusable 
[http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/|inside OSGi].
The fix would involve the {{ClassLoader.loadClass()}} method, allowing users 
setting a custom {{ClassLoader}

Classes affected by that issues are:
 * {{org.apache.commons.ognl.DefaultClassResolver}}
 * {{org.apache.commons.ognl.OgnlRuntime}}
The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if 
loading {{java.util.LinkedHashMap}} in that way should be safe.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Created] (OGNL-23) Class.forName() usage is malicious inside OSGi

Reply via email to