[ 
https://issues.apache.org/jira/browse/VELOCITY-931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291269#comment-17291269
 ] 

Claude Brisson edited comment on VELOCITY-931 at 2/25/21, 10:35 PM:
--------------------------------------------------------------------

Merged in master.


was (Author: claude):
Merged un master.

> SecureUberspector should block methods on ClassLoader and subclasses
> --------------------------------------------------------------------
>
>                 Key: VELOCITY-931
>                 URL: https://issues.apache.org/jira/browse/VELOCITY-931
>             Project: Velocity
>          Issue Type: Improvement
>            Reporter: William Glass-Husain
>            Assignee: William Glass-Husain
>            Priority: Major
>             Fix For: 2.3
>
>
> Currently, SecureUberspector matches classes stored with property
> "introspector.restrict.classes", which includes ClassLoader. It then
> matches exact class names and blocks all methods from being called on that
> class.
>
> However, in most cases it's actually a subclass of ClassLoader that's
> available in the context, which under normal circumstances would not be
> blocked.
>
> My proposal: treat this as a special case. (Remove it from the
> configuration.) If the class being inspected is assignable from ClassLoader,
> then block it.
>
> You could make an argument that all the SecureUberspector should check if the
> class isAssignable from all configured classes, but I am concerned about
> possible performance penalties. I'd argue that we should hard code checks
> for a few special internal classes but force the user to configure other
> specific classes themselves.
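The gap described in the issue, shown as a stand-alone Java example. This is added illustration code, not Velocity's SecureUberspector nor the patch merged for VELOCITY-931; the restricted-name list, the two helper methods and the class names are assumptions made for the demonstration. It compares an exact-name match against the restricted list with the proposed hard-coded check `ClassLoader.class.isAssignableFrom(clazz)`, using the class of the running application's class loader and a `URLClassLoader` as the kind of subclass instance a template would actually reach (for example via a `.class.classLoader` chain on any object in the context).

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class ClassLoaderRestrictionDemo {

    // Assumed sample of a restricted-class list in the style of
    // "introspector.restrict.classes": exact fully-qualified names.
    static final Set<String> RESTRICTED_NAMES = new HashSet<>(Arrays.asList(
            "java.lang.ClassLoader",
            "java.lang.Runtime",
            "java.lang.Thread"));

    // Exact-name matching: blocks java.lang.ClassLoader itself and nothing else,
    // so any subclass instance found in the context passes the check.
    static boolean blockedByExactName(Class<?> clazz) {
        return RESTRICTED_NAMES.contains(clazz.getName());
    }

    // Proposed behaviour: a hard-coded assignability check for ClassLoader
    // (covers every subclass), exact-name matching for the remaining entries.
    // isAssignableFrom is a cheap per-Class test, and the result can be cached
    // per Class if the exact-name lookup is already cached that way.
    static boolean blockedWithAssignableCheck(Class<?> clazz) {
        if (ClassLoader.class.isAssignableFrom(clazz)) {
            return true;
        }
        return RESTRICTED_NAMES.contains(clazz.getName());
    }

    public static void main(String[] args) throws Exception {
        // The application class loader is never java.lang.ClassLoader itself but a
        // JDK-internal subclass; a URLClassLoader stands in for any custom loader.
        ClassLoader appLoader = ClassLoaderRestrictionDemo.class.getClassLoader();
        try (URLClassLoader custom = new URLClassLoader(new URL[0])) {
            Class<?>[] candidates = {
                    ClassLoader.class,       // the only class the exact match catches
                    appLoader.getClass(),    // what $obj.class.classLoader really is
                    custom.getClass(),       // java.net.URLClassLoader
                    Runtime.class            // still handled by the name list
            };
            System.out.printf("%-55s %-10s %s%n", "class", "exactName", "assignable");
            for (Class<?> c : candidates) {
                System.out.printf("%-55s %-10s %s%n", c.getName(),
                        blockedByExactName(c), blockedWithAssignableCheck(c));
            }
        }
    }
}
```

Running it prints `true` in both columns only for `java.lang.ClassLoader`; for the application loader's class and `java.net.URLClassLoader` the exact-name column is `false` while the assignability column is `true`, which is the difference the issue is about. The design point is that the assignability test costs one native call per distinct `Class` and can sit alongside the existing name lookup without scanning the whole configured list, so restricting it to a few hard-coded base types (as the reporter proposes) keeps the cost bounded.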



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
