[OpenJDK 2D-Dev] [9] RFR JDK-8160455 : KSS : class.forName issue in TIFFImageMetadata.java

Sergey Bylokhov Sergey.Bylokhov at oracle.com
Thu Aug 4 15:37:29 UTC 2016


Is it possible that TIFFTagSet will be extended by the user and passed 
via xml? In this case, will we be able to load the user's class via forName?

On 04.08.16 18:31, Philip Race wrote:
> +1
>
> -phil
>
> On 8/4/16, 4:55 AM, Jayathirth D V wrote:
>>
>> Hi,
>>
>>
>>
>> Please review the following fix in JDK9 at your convenience:
>>
>>
>>
>> Bug : https://bugs.openjdk.java.net/browse/JDK-8160455
>>
>> Webrev : http://cr.openjdk.java.net/~jdv/8160455/webrev.00/
>>
>>
>>
>> Root cause : We are directly getting the string present in the XML DOM
>> tree from the attribute “tagSets” and creating a class from it using
>> class.forName(). The XML DOM tree string can also be invalid, which we
>> don’t check.
>>
>> Solution : Verify whether the string from the XML DOM tree maps to any of
>> the subclasses of “TIFFTagSet” before initializing the class using
>> isAssignableFrom(). This adds a tighter check before initializing the
>> class from the XML DOM tree string.
>>
>>
>>
>> Thanks,
>>
>> Jay
>>


-- 
Best regards, Sergey.
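
The check described in the quoted review request, as an added example that is not part of this thread and is not the code in the webrev. The class TagSetLoadDemo, its nested class Unrelated and the helper loadTagSet are hypothetical names, and the choice of class loader is an assumption.

```java
import java.lang.reflect.Method;
import javax.imageio.plugins.tiff.TIFFTagSet;

public class TagSetLoadDemo {
    // Set only if Unrelated's static initializer runs.
    static boolean sideEffectRan = false;

    // Constructed stand-in for an arbitrary class named in an untrusted
    // "tagSets" attribute: it is not a TIFFTagSet and has a static initializer.
    static class Unrelated {
        static { sideEffectRan = true; }
        public static Object getInstance() { return new Object(); }
    }

    // Hypothetical helper: resolve a class name taken from the XML DOM tree.
    static TIFFTagSet loadTagSet(String className) throws ReflectiveOperationException {
        // initialize=false loads the class without running its static
        // initializers, so nothing from the named class executes yet.
        // The loader passed here (an assumption) decides which classes are visible.
        Class<?> c = Class.forName(className, false,
                                   TagSetLoadDemo.class.getClassLoader());

        // Type check before any code of the named class is invoked.
        if (!TIFFTagSet.class.isAssignableFrom(c)) {
            throw new IllegalArgumentException("not a TIFFTagSet subclass: " + className);
        }

        // Only a verified subclass reaches the reflective call.
        Method getInstance = c.getMethod("getInstance");
        return (TIFFTagSet) getInstance.invoke(null);
    }

    public static void main(String[] args) throws Exception {
        TIFFTagSet ok = loadTagSet("javax.imageio.plugins.tiff.BaselineTIFFTagSet");
        System.out.println("accepted: " + ok.getClass().getName());

        try {
            loadTagSet(Unrelated.class.getName());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("static initializer of rejected class ran: " + sideEffectRan);
    }
}
```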


