[
https://issues.apache.org/jira/browse/OGNL-23?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13133655#comment-13133655
]
Simone Tripodi commented on OGNL-23:
------------------------------------
Hi Adrian,
what is amazing is how fast you've been on providing not only one, but even two
solutions!
Commons OGNL is one on top of my priorities right now, the Apache Struts and
MyBatis communities are waiting for us!
All the best,
Simo
> Class.forName() usage is malicious inside OSGi
> ----------------------------------------------
>
> Key: OGNL-23
> URL: https://issues.apache.org/jira/browse/OGNL-23
> Project: OGNL
> Issue Type: Bug
> Reporter: Simone Tripodi
> Assignee: Simone Tripodi
> Attachments: patch-OGNL23-v2.txt, patch-OGNL23.txt
>
>
> {{Class.forName()}} could make OGNL unusable [inside
> OSGi|http://olegz.wordpress.com/2008/11/05/osgi-and-classforname/].
> The fix would involve the {{ClassLoader.loadClass()}} method, allowing users
> setting a custom {{ClassLoader}
> Classes affected by that issues are:
> * {{org.apache.commons.ognl.DefaultClassResolver}}
> * {{org.apache.commons.ognl.OgnlRuntime}}
> The {{org.apache.commons.ognl.ASTMap}} class is affected as well, even if
> loading {{java.util.LinkedHashMap}} in that way should be safe.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
