struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: struts.excludedClasses for 2.3.20.2 and 2.3.24.2
Date Wed, 20 Apr 2016 09:00:04 GMT
2016-04-20 10:42 GMT+02:00 Christoph Nenning <Christoph.Nenning@lex-com.net>:
> I thought not blocking `ProcessBuilder` enables a whole lot of
> vulnerabilities. Is this risk gone when `isSequence` is set?
>
> What happens when `new ProcessBuilder` is used in a parameter name?

It won't work, because using constructors matches using java.lang.Class
(that's how it works), but you cannot do things like this:
"x=@ProcessBuilder@create(), x.execute(aCommand)" with `isSequence` in
place.


Regards
-- 
Ɓukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org

