An alternative to this patch is to implement stricter input validation on the class name. I could not find any explicit restriction on the characters of a class. Empirically, it seems that [A-Za-z0-9_] would be sufficient to cover the refpolicy and Android classes. A regex matching would have a performance impact here, this is why the strchr solution was sent. Let me know if you’d prefer to explore the regex alternative. Thanks
