[
https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13133277#comment-13133277
]
Simone Tripodi commented on OGNL-23:
------------------------------------
This is simply amazing Adrian, thanks for your contribution!
IIUC how OGNL works, what is still a TODO is letting users define their own
ClassLoader to load external entities loaded from different loaders. Does it
make sense?
In the meanwhile I'll apply your patch, which is definitely better than the
current implementation, thanks for your effort!
Simo
> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
> Key: OGNL-23
> URL: https://issues.apache.org/jira/browse/OGNL-23
> Project: OGNL
> Issue Type: Bug
> Reporter: Simone Tripodi
> Assignee: Simone Tripodi
> Attachments: patch-OGNL23.txt
>
>
> {{Class.forName()}} could make OGNL unusable [inside
> OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users
> to set a custom {{ClassLoader}}.
> Classes affected by that issue are:
> * {{org.apache.commons.ognl.DefaultClassResolver}}
> * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even though
> loading {{java.util.LinkedHashMap}} in that way should be safe.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
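An added example, not part of the JIRA thread and not code from the OGNL project: a ClassResolver that resolves classes through a caller-supplied ClassLoader (for instance the calling OSGi bundle's loader, or the thread context loader) with ClassLoader.loadClass(), instead of Class.forName(), which is the direction the issue describes. The org.apache.commons.ognl.ClassResolver method signature used here is assumed from the commons-ognl sources of that period (ognl 3.x declares a raw, non-generic form) and should be checked against the version in use. The allow-list of class names is an extra hardening choice of this example, not something the issue asks for; pass an empty set to disable it.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import org.apache.commons.ognl.ClassResolver;

/**
 * Added example (not OGNL's own code): resolve classes for OGNL through an
 * explicit ClassLoader rather than Class.forName(). Inside OSGi, Class.forName()
 * resolves against the loader of the calling class (OGNL's own bundle), so it
 * cannot see classes exported by other bundles; loadClass() on a loader chosen
 * by the user of the library can.
 */
public final class LoaderBackedClassResolver implements ClassResolver {

    private final ClassLoader loader;
    private final Set<String> allowedClasses; // empty set = no restriction

    /**
     * @param loader         the loader to resolve against, e.g. the calling
     *                       bundle's loader or the thread context loader
     * @param allowedClasses fully qualified names expressions may resolve;
     *                       empty or null disables the check
     */
    public LoaderBackedClassResolver(ClassLoader loader, Set<String> allowedClasses) {
        if (loader == null) {
            throw new IllegalArgumentException("loader must not be null");
        }
        this.loader = loader;
        this.allowedClasses = allowedClasses == null
            ? Collections.<String>emptySet() : allowedClasses;
    }

    /** Signature assumed from commons-ognl; verify against the version in use. */
    @Override
    @SuppressWarnings("unchecked")
    public <T> Class<T> classForName(String className, Map<String, Object> context)
        throws ClassNotFoundException {
        // Hardening added by this example: OGNL expressions are frequently built
        // from external input, so a custom resolver is also the natural choke
        // point to restrict which classes an expression may name.
        if (!allowedClasses.isEmpty() && !allowedClasses.contains(className)) {
            throw new ClassNotFoundException(
                "class not permitted in OGNL expressions: " + className);
        }
        // loadClass() follows the supplied loader's delegation chain; Class.forName()
        // would use this class's defining loader instead of the caller's.
        return (Class<T>) loader.loadClass(className);
    }

    /** Stand-alone demonstration on constructed input. */
    public static void main(String[] args) throws Exception {
        ClassLoader ctx = Thread.currentThread().getContextClassLoader();
        ClassResolver resolver = new LoaderBackedClassResolver(
            ctx, Collections.singleton("java.util.LinkedHashMap"));

        // Allowed: the map type ASTMap needs, resolved through the chosen loader.
        Class<?> ok = resolver.classForName("java.util.LinkedHashMap", null);
        System.out.println("resolved " + ok.getName() + " via " + ctx);

        // Not on the list: rejected before any loader is consulted.
        try {
            resolver.classForName("java.util.HashMap", null);
        } catch (ClassNotFoundException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

To wire it into OGNL, the resolver is passed where the library takes a ClassResolver when creating the evaluation context (the exact factory or constructor differs between ognl 3.x and commons-ognl); in an OSGi deployment the loader handed in would typically be the bundle's own loader, obtained in the bundle activator or via a framework wiring API, rather than the context class loader used in this stand-alone demonstration.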