[jira] [Commented] (BEANUTILS-463) Class loader vulnerability in DefaultResolver

Yoshitaka Kawashima (JIRA) Wed, 30 Apr 2014 20:57:07 -0700

    [ 
https://issues.apache.org/jira/browse/BEANUTILS-463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13986325#comment-13986325
 ]


Yoshitaka Kawashima commented on BEANUTILS-463:
-----------------------------------------------

I wrote this article.
http://qiita.com/kawasima/items/670d2591bc8fea19dc1d

Considering CVE-2014-0114, It'd be great if  the "class" keyword don't be 
regarded as a bean property in DefaultResolver.
As follows:
https://gist.github.com/nakamura-to/11347570

But considering the wide-ranging impact, I think it's okay to build the 
alternative resolver like the above one  into the commons-beanutils.

> Class loader vulnerability in DefaultResolver
> ---------------------------------------------
>
>                 Key: BEANUTILS-463
>                 URL: https://issues.apache.org/jira/browse/BEANUTILS-463
>             Project: Commons BeanUtils
>          Issue Type: Improvement
>          Components: Expression Syntax
>    Affects Versions: 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1
>            Reporter: Patrick Trainor
>
> There is no check for the "class" keyword when getting nested properties. 
> Please see here (and translate it) for a more detailed explanation:
> http://qiita.com/kawasima/items/670d2591bc8fea19dc1d



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Commented] (BEANUTILS-463) Class loader vulnerability in DefaultResolver

Reply via email to