in velocity-engine-core/src/main/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java [90:165]
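/**
 * Decides whether a template may invoke {@code methodName} on an instance of
 * {@code clazz}. The rules are applied in this order, first match wins:
 * <ol>
 *   <li>the {@code Object} monitor methods {@code wait}, {@code notify} and
 *       {@code notifyAll} are denied on every class;</li>
 *   <li>{@code Number} (and its subclasses), {@code Boolean} and {@code String}
 *       are allowed;</li>
 *   <li>{@code Class.getName()} is allowed;</li>
 *   <li>{@code ClassLoader}, {@code Thread} and their subclasses are denied;</li>
 *   <li>otherwise the class name is matched against the configured
 *       {@code badPackages} and {@code badClasses}; for array classes the
 *       element type's name is used.</li>
 * </ol>
 * Anything not denied above is allowed: this is a deny-list with a small fixed
 * allow-list in front of it, so it is only as strong as the configured lists.
 * Package matching is exact ({@code packageName.equals(badPackage)}) — a
 * sub-package of a listed package is NOT denied by the package rule and must
 * be listed on its own.
 *
 * @param clazz      runtime class of the object the method would be invoked
 *                   on; {@code null} is denied (fail closed)
 * @param methodName name of the method to invoke; may be {@code null}
 * @return {@code true} if the invocation is permitted
 */
public boolean checkObjectExecutePermission(Class<?> clazz, String methodName)
{
    if (clazz == null)
    {
        // Fail closed instead of throwing NPE from isAssignableFrom() below.
        return false;
    }

    /*
     * Object monitor methods. wait() can park the rendering thread; notify()
     * and notifyAll() are its siblings and are denied for consistency. This
     * is checked before the allow-list so it also covers String/Number/Boolean.
     */
    if (methodName != null
        && (methodName.equals("wait")
            || methodName.equals("notify")
            || methodName.equals("notifyAll")))
    {
        return false;
    }

    /*
     * Always allow the most common value types. Boolean and String are final;
     * Number is not, so isAssignableFrom() also admits any application-defined
     * Number subclass together with all of its public methods.
     */
    if (Number.class.isAssignableFrom(clazz)
        || Boolean.class.isAssignableFrom(clazz)
        || String.class.isAssignableFrom(clazz))
    {
        return true;
    }

    /*
     * Always allow Class.getName(). Every other Class method falls through to
     * the deny-list below.
     */
    if (Class.class.isAssignableFrom(clazz)
        && methodName != null
        && methodName.equals("getName"))
    {
        return true;
    }

    /*
     * Always deny ClassLoader, Thread and their subclasses, regardless of
     * configuration.
     */
    if (ClassLoader.class.isAssignableFrom(clazz)
        || Thread.class.isAssignableFrom(clazz))
    {
        return false;
    }

    /*
     * Deny-list match on the class name. For arrays use the innermost element
     * type: a name like "[[Lpkg.Bad;" would otherwise never equal a listed
     * class and its "package" would never equal a listed package. Unwrapping
     * via getComponentType() handles every array depth; primitive element
     * types yield names such as "int" with an empty package.
     */
    Class<?> elementType = clazz;
    while (elementType.isArray())
    {
        elementType = elementType.getComponentType();
    }
    String className = elementType.getName();

    int dotPos = className.lastIndexOf('.');
    String packageName = (dotPos == -1) ? "" : className.substring(0, dotPos);

    for (String badPackage : badPackages)
    {
        if (packageName.equals(badPackage))
        {
            return false;
        }
    }

    for (String badClass : badClasses)
    {
        if (className.equals(badClass))
        {
            return false;
        }
    }

    return true;
}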