commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oliver Heger (JIRA)" <>
Subject [jira] [Commented] (BEANUTILS-463) Class loader vulnerability in DefaultResolver
Date Sat, 03 May 2014 18:53:15 GMT


Oliver Heger commented on BEANUTILS-463:

We had some internal discussions about this topic. Because BeanUtils is a very low-level library
and may be used widely I am reluctant to build in a change which ignores the {{class}} property
by default. This may break existing code.

BeanUtils 1.9 intorduced the possibility to customize bean introspection. It should be possible
to write a custom bean introspector which ignores the {{class}} property. We can implement
such an introspector and ship it with BeanUtils. In order to make it active, it has to be
registered explicitly at a {{BeanUtilsBean}} instance or the central {{BeanUtils}} object.

Do you think this is sufficient?

> Class loader vulnerability in DefaultResolver
> ---------------------------------------------
>                 Key: BEANUTILS-463
>                 URL:
>             Project: Commons BeanUtils
>          Issue Type: Improvement
>          Components: Expression Syntax
>    Affects Versions: 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1
>            Reporter: Patrick Trainor
> There is no check for the "class" keyword when getting nested properties. Please see
here (and translate it) for a more detailed explanation:

This message was sent by Atlassian JIRA

View raw message