From "Trevor Harrison" <trevorsharri...@gmail.com>
Subject JEXL security issue with system properties
Date Thu, 04 Oct 2007 20:46:19 GMT
It seems like JEXL allows scripts to access some JVM system
properties, via java.lang.Integer's getInteger( String sys_prop_name )
method:

i = 0; j = i.getInteger("sun.arch.data.model");

Getting the value of system properties that are completely numbers
might not be that big of an issue, but it brings up the question of
other system properties leaking out.

I've eyeballed java.lang.String, and it doesn't seem to have a similar method.

While looking for other ways to 'break' out, I started thinking about
classloaders.  I haven't succeeded in getting a classloader yet in a
script, but if I could, it would be bad for my intended usage of JEXL
(as a fairly secure way of executing user supplied formulas).

// this doesn't work
i = 0;
intClazz = i.class;
cl = intClazz.getClassLoader();  // this fails, returns a null
clazz = cl.loadClass( "java.lang.System" );
m = clazz.getMethod("getProperties", null);
p = m.invoke(null, null);

I haven't had time to poke into the guts of JEXL yet, so does anyone
know if the failure to get a classloader is intentional, or just an
accidental feature?

-Trevor
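Added example (editor's, not from the post or the JEXL project): a defender-side check that runs the post's getInteger script once against an unrestricted engine and once against an allow-list sandbox that exposes only named Integer methods, so the system-property read is refused. It assumes the JEXL 3.x sandbox API (JexlSandbox, JexlBuilder.sandbox), which is not the 2007 version the post was written against; class and method names below are from that API.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

public class JexlPropertyLeakCheck {
    // The script from the post: reaches a JVM system property through
    // the static Integer.getInteger called on an Integer instance.
    static final String SCRIPT =
        "i = 0; j = i.getInteger(\"sun.arch.data.model\"); j";

    // Unrestricted engine: the call resolves and the property value comes back.
    static Object runUnrestricted() {
        JexlEngine jexl = new JexlBuilder().strict(true).create();
        return jexl.createScript(SCRIPT).execute(new MapContext());
    }

    // Allow-list sandbox (assumed JEXL 3.x API): unlisted classes are blocked
    // entirely (constructor argument false), and for Integer only the listed
    // methods may be executed. getInteger is deliberately absent.
    static JexlEngine sandboxedEngine() {
        JexlSandbox sandbox = new JexlSandbox(false);
        sandbox.white("java.lang.Integer").execute("intValue", "toString", "compareTo");
        return new JexlBuilder().sandbox(sandbox).strict(true).create();
    }

    // In strict mode an unresolvable method raises JexlException.Method
    // instead of silently evaluating to null, which is the behaviour we want
    // when user-supplied formulas probe for non-allow-listed calls.
    static String runSandboxed() {
        try {
            Object r = sandboxedEngine().createScript(SCRIPT).execute(new MapContext());
            return "LEAK: " + r;
        } catch (JexlException.Method e) {
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("unrestricted -> " + runUnrestricted());
        System.out.println("sandboxed    -> " + runSandboxed());
    }
}
```

The same allow-list is what stops the classloader walk the post attempts, since getClass, getClassLoader, loadClass and getMethod are not listed for any class.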
