
List:       velocity-dev
Subject:    [jira] [Comment Edited] (VELOCITY-931) SecureUberspector should block methods on ClassLoader and sub
From:       "Claude Brisson (Jira)" <jira () apache ! org>
Date:       2021-02-25 22:36:00
Message-ID: JIRA.13317315.1594960263000.5854.1614292560098 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/VELOCITY-931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291269#comment-17291269 ]


Claude Brisson edited comment on VELOCITY-931 at 2/25/21, 10:35 PM:
--------------------------------------------------------------------

Merged in master.


was (Author: claude):
Merged un master.

> SecureUberspector should block methods on ClassLoader and subclasses
> --------------------------------------------------------------------
> 
> Key: VELOCITY-931
> URL: https://issues.apache.org/jira/browse/VELOCITY-931
> Project: Velocity
> Issue Type: Improvement
> Reporter: William Glass-Husain
> Assignee: William Glass-Husain
> Priority: Major
> Fix For: 2.3
> 
> 
> Currently, SecureUberspector matches classes stored with property
> "introspector.restrict.classes", which includes ClassLoader. It then matches
> exact class names and blocks all methods from being called on that class. However,
> in most cases it's actually a subclass of ClassLoader that's available in the
> context, which under normal circumstances would not be blocked. My proposal –
> treat this as a special case (remove it from the configuration). If the class
> being inspected is assignable from ClassLoader, then block it. You could make
> an argument that the SecureUberspector should check if the class isAssignable
> from all configured classes, but I am concerned about possible performance
> penalties. I'd argue that we should hard-code checks for a few special internal
> classes but force the user to configure other specific classes themselves.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@velocity.apache.org
For additional commands, e-mail: dev-help@velocity.apache.org
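The distinction the quoted issue describes (an exact class-name match misses ClassLoader subclasses, an assignability check catches them, and a per-class cache keeps that check cheap) as an added stand-alone example in Java. This is not Velocity's SecureUberspector code; the class, method and field names in it (ClassLoaderBlockDemo, RESTRICTED_NAMES, RESTRICTED_TYPES, CACHE, isBlockedByName, isBlockedByType, isBlocked) and the restricted-class list are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (not Velocity code): why matching the exact class name fails to
 * block ClassLoader subclasses, and how an isAssignableFrom check closes the gap.
 * All names here are assumptions chosen for the demonstration.
 */
public class ClassLoaderBlockDemo {

    // Constructed stand-in for a name-based restrict list such as
    // "introspector.restrict.classes". Exact names only, as the issue describes.
    static final Set<String> RESTRICTED_NAMES = Set.of(
            "java.lang.ClassLoader", "java.lang.Runtime", "java.lang.Thread");

    // Hard-coded special cases checked by type rather than by name (the proposal):
    // anything assignable to one of these is blocked, subclasses included.
    static final Set<Class<?>> RESTRICTED_TYPES = Set.of(ClassLoader.class);

    // Memoises the assignability result per concrete class, so after the first
    // call the reflective walk over RESTRICTED_TYPES is replaced by one map lookup.
    // This is one way to address the performance worry raised in the issue.
    static final Map<Class<?>, Boolean> CACHE = new ConcurrentHashMap<>();

    /** Current behaviour as described: block only on an exact class-name match. */
    static boolean isBlockedByName(Class<?> clazz) {
        return RESTRICTED_NAMES.contains(clazz.getName());
    }

    /** Proposed behaviour: block any class assignable to a restricted type. */
    static boolean isBlockedByType(Class<?> clazz) {
        return CACHE.computeIfAbsent(clazz, c -> {
            for (Class<?> restricted : RESTRICTED_TYPES) {
                // restricted.isAssignableFrom(c) is true for c == restricted and
                // for every subclass of restricted.
                if (restricted.isAssignableFrom(c)) {
                    return true;
                }
            }
            return false;
        });
    }

    /** Combined check: the configured name list plus the hard-coded type checks. */
    static boolean isBlocked(Class<?> clazz) {
        return isBlockedByName(clazz) || isBlockedByType(clazz);
    }

    public static void main(String[] args) {
        // What a template would actually get hold of: the application class loader,
        // whose runtime class is a subclass of ClassLoader, never ClassLoader itself.
        ClassLoader loader = ClassLoaderBlockDemo.class.getClassLoader();
        Class<?> concrete = loader.getClass();

        System.out.println("concrete class:            " + concrete.getName());
        System.out.println("blocked by exact name:     " + isBlockedByName(concrete));
        System.out.println("blocked by assignability:  " + isBlockedByType(concrete));

        // A user-defined subclass is caught the same way, with no configuration entry.
        ClassLoader custom = new ClassLoader(loader) { };
        System.out.println("anonymous subclass blocked: " + isBlocked(custom.getClass()));

        // Unrelated types are unaffected by the type check.
        System.out.println("String blocked:            " + isBlocked(String.class));
    }
}
```

Run it with any Java 9 or later JDK (Set.of requires 9+). The first check reports the concrete loader's class name, which is not "java.lang.ClassLoader", so the name-based check lets it through while the assignability check blocks it; the anonymous subclass is blocked and String is not. Two caveats for anyone carrying this pattern into real code: a static cache keyed on Class objects pins those classes and their loaders for the life of the JVM, so in a container that reloads applications prefer weak keys (for example a synchronized WeakHashMap) or a cache scoped to the engine instance; and a type check on the object's class alone does not stop a template from reaching a loader indirectly through another object's getClass() or getClassLoader() methods, which still have to be restricted separately.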

