[ 
https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Simone Tripodi updated OGNL-23:
-------------------------------

    Description: 
{{Class.forName()}} could make OGNL unusable [inside 
OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
The fix would involve the {{ClassLoader.loadClass()}} method, allowing users 
to set a custom {{ClassLoader}}.

Classes affected by that issue are:
 * {{org.apache.commons.ognl.DefaultClassResolver}}
 * {{org.apache.commons.ognl.OgnlRuntime}}

The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if 
loading {{java.util.LinkedHashMap}} in that way should be safe.

  was:
{{Class.forName()}} could make OGNL unusable 
[http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/|inside OSGi].
The fix would involve the {{ClassLoader.loadClass()}} method, allowing users 
to set a custom {{ClassLoader}}.

Classes affected by that issue are:
 * {{org.apache.commons.ognl.DefaultClassResolver}}
 * {{org.apache.commons.ognl.OgnlRuntime}}
The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if 
loading {{java.util.LinkedHashMap}} in that way should be safe.


> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
>                 Key: OGNL-23
>                 URL: https://issues.apache.org/jira/browse/OGNL-23
>             Project: OGNL
>          Issue Type: Bug
>            Reporter: Simone Tripodi
>
> {{Class.forName()}} could make OGNL unusable [inside 
> OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users 
> to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
>  * {{org.apache.commons.ognl.DefaultClassResolver}}
>  * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if 
> loading {{java.util.LinkedHashMap}} in that way should be safe.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
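
Added example, not part of the JIRA message and not OGNL code: a sketch of the approach the description proposes, resolving classes through a caller-supplied {{ClassLoader}} with {{ClassLoader.loadClass()}} instead of one-argument {{Class.forName()}}. The names LoaderAwareResolver and RecordingLoader are hypothetical; RecordingLoader stands in for an OSGi bundle class loader.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical resolver (not OGNL's DefaultClassResolver): loads via a caller-supplied loader. */
public class LoaderAwareResolver {
    private final ClassLoader loader;
    private final Map<String, Class<?>> cache = new ConcurrentHashMap<>();

    public LoaderAwareResolver(ClassLoader loader) {
        if (loader == null) throw new IllegalArgumentException("loader must not be null");
        this.loader = loader;
    }

    public Class<?> classForName(String name) throws ClassNotFoundException {
        Class<?> c = cache.get(name);
        if (c == null) {
            // loadClass() asks the configured loader and does not initialize the class.
            c = loader.loadClass(name);
            cache.put(name, c);
        }
        return c;
    }

    /** Stand-in for a bundle class loader (assumption): records every name it is asked for. */
    static class RecordingLoader extends ClassLoader {
        final List<String> requested = new ArrayList<>();
        RecordingLoader(ClassLoader parent) { super(parent); }
        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            requested.add(name);
            return super.loadClass(name, resolve);
        }
    }

    public static void main(String[] args) throws Exception {
        RecordingLoader bundleLoader =
            new RecordingLoader(LoaderAwareResolver.class.getClassLoader());

        // One-argument Class.forName() uses the caller's defining loader,
        // so the loader the user wanted to apply is never consulted.
        Class.forName("java.util.LinkedHashMap");
        System.out.println("after Class.forName(): " + bundleLoader.requested);

        // The resolver routes the same lookup through the loader it was given.
        LoaderAwareResolver resolver = new LoaderAwareResolver(bundleLoader);
        Class<?> c = resolver.classForName("java.util.LinkedHashMap");
        System.out.println("after resolver: " + bundleLoader.requested + " -> " + c.getName());
    }
}
```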

        
