In CachedIntrospectionResults there is a small snippet that blacklists 2 properties:
if (Class.class == beanClass &&
        ("classLoader".equals(pd.getName()) || "protectionDomain".equals(pd.getName()))) {
    // Ignore Class.getClassLoader() and getProtectionDomain() methods - nobody needs to bind to those
    continue;
}
btw - looks like the comment is no longer valid, as "exploiters" are the ones that "need to bind to those" - so it's not nobody ;) The exploit is using the Java 9+ class.module property to access classloader instances (Tomcat-specific ones). I think that "module" should be blacklisted here as well. The code would be backwards compatible.
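As an added example (not part of this issue and not Spring's own code), the request-binding side of the same problem: a global WebDataBinder restriction that refuses to bind any property path traversing class/Class, so a nested path such as class.module.classLoader is rejected before it reaches the CachedIntrospectionResults blacklist; the class and method names are assumed.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Hypothetical advice class; applies to every controller in the context.
@ControllerAdvice
@Order(Ordered.HIGHEST_PRECEDENCE) // run before any controller-local @InitBinder
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Each pattern is matched against the full property path of a request
        // parameter. Both spellings are listed because matching is done on the
        // literal path; the "*." forms cover paths nested below another bean.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

A controller's own @InitBinder method that calls setDisallowedFields replaces this list rather than extending it, so such controllers need the same patterns locally.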
Comment From: bclozel
The code snippet you're showing is outdated. As explained in the issue template, if you believe you've found a security issue, this should be disclosed responsibly through secure channels. This is the kind of behavior that triggers 0day exploits for open source projects.