From: "Dion Gillard"
To: "Jakarta Commons Users List"
Date: Fri, 26 Oct 2007 18:35:46 +1000
Subject: Re: JEXL security issue with system properties
Message-ID: <935068bf0710260135x6f3609by4327b4e3de9b6525@mail.gmail.com>
In-Reply-To: <1a58bb140710050842p201aa668l557026e120cce632@mail.gmail.com>
References: <1a58bb140710041346h5f5589e6j7a02e73607b177c8@mail.gmail.com> <1a58bb140710050842p201aa668l557026e120cce632@mail.gmail.com>
Mailing-List: user@commons.apache.org (Jakarta Commons Users List)

JEXL doesn't place any security restrictions on what you can do with the script itself.

On 10/6/07, Trevor Harrison wrote:
> Replying to myself:
>
> On 10/4/07, Trevor Harrison wrote:
> > While looking for other ways to 'break' out, I started thinking about
> > classloaders. I haven't succeeded in getting a classloader yet in a
> > script, but if I could, it would be bad for my intended usage of JEXL
> > (as a fairly secure way of executing user supplied formulas).
> >
> > // this doesn't work
> > cl = intClazz.getClassLoader(); // this fails, returns a null
>
> Well, still not sure why that method is returning a null for the
> classloader, but if I call (the much simpler) clazz.forName(), I can
> get a reference to a class:
>
> i = 0;
> intClazz = i.class;
> clazz = intClazz.forName("java.lang.System");
> m = clazz.getMethod("getProperties", null);
> p = m.invoke(null, null);
>
> which successfully gets me the system properties. Which is probably
> the least of my worries, considering I could do something like:
>
> i = 0;
> intClazz = i.class;
> clazz = intClazz.forName("java.io.File");
> m = clazz.getMethod("listRoots", null);
> roots = m.invoke(null, null);
> files = roots[0].listFiles();
> foreach( file in files )
> {
>     file.delete();
> }
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
> For additional commands, e-mail: user-help@commons.apache.org
>
>

--
dIon Gillard
Rule #131 of Acquisition: Information is Profit.
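The escape Trevor describes works because any value in the script exposes java.lang.Class through `.class`, and from there `Class.forName` and `Method.invoke` reach the whole JVM. As an added example that is not code from this thread or from the JEXL project, the block below shows how a host application on a current JEXL 3.3 or later release (a facility the JEXL 1.x discussed above did not have) keeps the engine from resolving those calls: `JexlPermissions.RESTRICTED` denies introspection of java.lang.Class, java.lang.System and related classes, and strict mode turns a denied lookup into a `JexlException` instead of a silent null. The class name JexlReflectionGuard, the sample formula and the price/quantity/discount variables are assumptions made for this example; the reflection script is the one quoted above.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlScript;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

/** Added example (not from the thread or the JEXL project): run user formulas under restricted permissions. */
public class JexlReflectionGuard {

    // The script from the thread: reach java.lang.Class through a literal, then Class.forName.
    static final String REFLECTION_SCRIPT =
        "i = 0; intClazz = i.class; clazz = intClazz.forName('java.lang.System'); "
        + "m = clazz.getMethod('getProperties', null); m.invoke(null, null)";

    // The intended use case: a plain arithmetic formula over host-provided variables (assumed for this example).
    static final String FORMULA_SCRIPT = "price * quantity * (1 - discount)";

    /** Engine configured so that reflection entry points are unresolvable rather than merely discouraged. */
    static JexlEngine restrictedEngine() {
        return new JexlBuilder()
            // RESTRICTED is JEXL 3.3's default, set explicitly so a future default change cannot widen access.
            .permissions(JexlPermissions.RESTRICTED)
            // Unresolvable methods/properties throw instead of evaluating to null.
            .strict(true)
            // Disable null-safe navigation so a denied access cannot be swallowed by the script.
            .safe(false)
            .create();
    }

    /** Compiles and executes one script against the given context; throws JexlException on a denied access. */
    static Object run(JexlEngine jexl, String source, JexlContext ctx) {
        JexlScript script = jexl.createScript(source);
        return script.execute(ctx);
    }

    public static void main(String[] args) {
        JexlEngine jexl = restrictedEngine();
        MapContext ctx = new MapContext();
        ctx.set("price", 10.0);
        ctx.set("quantity", 3);
        ctx.set("discount", 0.1);

        // The legitimate formula still evaluates (27.0 for the values above).
        System.out.println("formula = " + run(jexl, FORMULA_SCRIPT, ctx));

        // The reflection script fails at the first denied step: either i.class (Object.getClass)
        // or Class.forName, depending on the release, and strict mode surfaces it as an exception.
        try {
            run(jexl, REFLECTION_SCRIPT, ctx);
            System.out.println("UNEXPECTED: reflection script evaluated under restricted permissions");
        } catch (JexlException e) {
            System.out.println("blocked as expected: " + e.getMessage());
        }
    }
}
```

The point worth checking in your own deployment is the version: the permission model only exists from JEXL 3.3 onwards (earlier 3.x releases offer `JexlSandbox` with an explicit allow-list instead), and an engine built without `strict(true)` returns null for a denied call, which an attacker-controlled script can test for and route around. Treat a `JexlException` from a user formula as a signal worth logging, since ordinary formulas have no reason to touch `.class` or `forName`.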