There are two issues.
(1) No validation in Source::setSystemId(String systemId)
Source::setSystemId(String systemId) does not enforce the correctness of a SystemId, which makes it possible to pass an illegal SystemId through a Source object to TransformerFactory.
(2) No validation when computing the classname
The implementation of TransformerFactory does not validate the SystemId it gets from a Source. An incorrect SystemId can result in an illegal classname. This manifests when the default Java version is upgraded, e.g. from Java 1.1 to Java 1.5.
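One way to apply both checks, as an added example that is not JDK code: the class SystemIdClassName, its methods and the fallback name GeneratedTranslet are hypothetical. It rejects a systemId that is not a valid URI reference and maps the last path segment to a legal Java class name.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.lang.model.SourceVersion;

// Added example: hypothetical helper, not the JDK's implementation.
public final class SystemIdClassName {
    static final String FALLBACK = "GeneratedTranslet"; // assumed default name

    /** Check (1): reject a systemId that is not a syntactically valid URI reference. */
    static URI validate(String systemId) {
        if (systemId == null || systemId.isEmpty()) {
            throw new IllegalArgumentException("systemId is empty");
        }
        try {
            return new URI(systemId);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("illegal systemId: " + systemId, e);
        }
    }

    /** Check (2): derive a legal simple class name from the last path segment. */
    static String toClassName(String systemId) {
        String path = validate(systemId).getPath();
        if (path == null) return FALLBACK; // opaque URI with no path component
        String base = path.substring(path.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        if (dot > 0) base = base.substring(0, dot); // strip the file extension
        StringBuilder sb = new StringBuilder();
        // Replace every code point that cannot appear in a Java identifier.
        base.codePoints().forEach(cp -> sb.appendCodePoint(Character.isJavaIdentifierPart(cp) ? cp : '_'));
        if (sb.length() == 0) return FALLBACK;
        if (!Character.isJavaIdentifierStart(sb.codePointAt(0))) sb.insert(0, '_');
        String name = sb.toString();
        // Reserved words pass the character checks but are illegal as class names.
        if (SourceVersion.isKeyword(name)) name = "_" + name;
        return SourceVersion.isIdentifier(name) ? name : FALLBACK;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the last one is not a valid URI.
        for (String s : new String[] {"file:///tmp/style.xsl", "file:///tmp/1-report.xsl",
                                      "file:///tmp/enum.xsl", "file:///tmp/bad name.xsl"}) {
            try {
                System.out.println(s + " -> " + toClassName(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```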
- relates to JDK-8163121 Update Commons BCEL to Version 6.0 (Resolved)