List: velocity-dev
Subject: [jira] [Comment Edited] (VELOCITY-931) SecureUberspector should block methods on ClassLoader and sub
From: "Claude Brisson (Jira)" <jira () apache ! org>
Date: 2021-02-25 22:36:00
Message-ID: JIRA.13317315.1594960263000.5854.1614292560098 () Atlassian ! JIRA
[ https://issues.apache.org/jira/browse/VELOCITY-931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291269#comment-17291269 ]
Claude Brisson edited comment on VELOCITY-931 at 2/25/21, 10:35 PM:
--------------------------------------------------------------------
Merged in master.
was (Author: claude):
Merged un master.
> SecureUberspector should block methods on ClassLoader and subclasses
> --------------------------------------------------------------------
>
> Key: VELOCITY-931
> URL: https://issues.apache.org/jira/browse/VELOCITY-931
> Project: Velocity
> Issue Type: Improvement
> Reporter: William Glass-Husain
> Assignee: William Glass-Husain
> Priority: Major
> Fix For: 2.3
>
>
> Currently, SecureUberspector matches classes stored with property
> "introspector.restrict.classes", which includes ClassLoader. It then matches
> exact class names and blocks all methods from being called on that class. However,
> in most cases it's actually a subclass of ClassLoader that's available in the
> context, which under normal circumstances would not be blocked. My proposal –
> treat this as a special case. (Remove it from the configuration). If the class
> being inspected is assignable from ClassLoader, then block it. You could make
> an argument that all the SecureUberspector should check if the class isAssignable
> from all configured classes, but I am concerned about possible performance
> penalties. I'd argue that we should hard code checks for a few special internal
> classes but force the user to configure other specific classes themselves.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@velocity.apache.org
For additional commands, e-mail: dev-help@velocity.apache.org
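The gap the issue describes, and the proposed fix, as an added stand-alone Java example that is not Velocity's own SecureUberspector or SecureIntrospectorImpl code. The class name `ClassLoaderRestrictionExample` and its methods `blockedByExactName` and `blockedWithClassLoaderCheck` are hypothetical names chosen here; the only thing taken from the page is the idea of an exact-name list fed from `introspector.restrict.classes` plus a hard-coded `isAssignableFrom` check for `ClassLoader`.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Illustrative stand-in for an uberspector's method-access check (not Velocity's
 * own implementation). Exact class-name matching alone lets a ClassLoader
 * subclass through, because a template never sees java.lang.ClassLoader itself;
 * the proposed fix treats ClassLoader as a hard-coded special case and blocks any
 * class assignable to it.
 */
public class ClassLoaderRestrictionExample {

    /** Classes restricted by exact name, as "introspector.restrict.classes" would supply. */
    private final Set<String> restrictedClassNames;

    public ClassLoaderRestrictionExample(String... configuredClassNames) {
        this.restrictedClassNames = new HashSet<>(Arrays.asList(configuredClassNames));
    }

    /** Pre-fix behaviour: only an exact class-name match is blocked. */
    public boolean blockedByExactName(Class<?> clazz) {
        return restrictedClassNames.contains(clazz.getName());
    }

    /**
     * Proposed behaviour: the configured classes are still matched by exact name,
     * and ClassLoader is handled as a special case via isAssignableFrom. Only one
     * assignability test runs per lookup, so the per-configured-class loop the
     * reporter was concerned about is avoided.
     */
    public boolean blockedWithClassLoaderCheck(Class<?> clazz) {
        if (ClassLoader.class.isAssignableFrom(clazz)) {
            return true;
        }
        return restrictedClassNames.contains(clazz.getName());
    }

    public static void main(String[] args) {
        // Constructed configuration: the restricted-class list as it would look
        // before ClassLoader is removed from it, as the proposal suggests.
        ClassLoaderRestrictionExample check =
            new ClassLoaderRestrictionExample("java.lang.ClassLoader", "java.lang.Runtime");

        // What a template actually has in context is a concrete subclass, such as
        // the class of the system/application class loader.
        Class<?> appLoaderClass = ClassLoader.getSystemClassLoader().getClass();

        System.out.println("subclass: " + appLoaderClass.getName());
        System.out.println("exact-name match blocks subclass?   "
            + check.blockedByExactName(appLoaderClass));
        System.out.println("assignability check blocks subclass? "
            + check.blockedWithClassLoaderCheck(appLoaderClass));
        System.out.println("unrelated class (String) blocked?    "
            + check.blockedWithClassLoaderCheck(String.class));
    }
}
```

Run it with `javac ClassLoaderRestrictionExample.java && java ClassLoaderRestrictionExample`. The system class loader's class is never named `java.lang.ClassLoader`, so the exact-name check lets it through while the assignability check blocks it; `String` stays allowed either way, which is the behaviour the issue asks for.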