struts-dev mailing list archives

From Christoph Nenning <Christoph.Nenn...@lex-com.net>
Subject Re: struts.excludedClasses for 2.3.20.2 and 2.3.24.2
Date Wed, 20 Apr 2016 09:03:52 GMT
> > I thought not blocking `ProcessBuilder` enables a whole lot of
> > vulnerabilities. Is this risk gone when `isSequence` is set?
> >
> > What happens when `new ProcessBuilder` is used in a parameter name?
> 
> It won't work because using constructors matches using java.lang.Class
> (that's how it works) but you cannot do things like this:
> "x=@ProcessBuilder@create(), x.execute(aCommand)" with `isSequence` in
> place
> 
> 

alright, then I'm fine with it.


Regards,
Christoph
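Added illustration of the check discussed above; this is not code from the thread or from the Struts project. It parses a few constructed OGNL expressions and applies the same parse-tree test that Struts' OgnlUtil applies when struts.enable.OGNLEvalExpression is left at its default of false: an expression whose root node is a sequence ("a, b") or contains an eval chain is refused before evaluation. The assumed environment is the OGNL 3.0.x jar bundled with Struts 2.3.x (ognl.Ognl, ognl.SimpleNode#isSequence and #isEvalChain, ognl.OgnlContext); the @ProcessBuilder@create() expression is the shape quoted in the thread and is not a real ProcessBuilder API. Note that this check only looks at the shape of the parse tree; whether a static method or constructor may be reached at all is decided separately by SecurityMemberAccess and struts.excludedClasses / struts.excludedPackageNames.

```java
import ognl.Ognl;
import ognl.OgnlContext;
import ognl.OgnlException;
import ognl.SimpleNode;

/*
 * Added example (not Struts code). Assumes OGNL 3.0.x as shipped with
 * Struts 2.3.x. Mirrors the "sequence / eval chain" test that OgnlUtil
 * runs on the parsed expression before evaluating it.
 */
public class SequenceCheckDemo {

    /**
     * Returns true when the parsed expression is a sequence or contains an
     * eval chain, i.e. when Struts (with OGNL eval expressions disabled)
     * would throw instead of evaluating it.
     */
    static boolean isEvalExpression(String expression) throws OgnlException {
        Object tree = Ognl.parseExpression(expression);
        if (tree instanceof SimpleNode) {
            SimpleNode node = (SimpleNode) tree;
            OgnlContext ctx = new OgnlContext(); // plain context; the shape test does not evaluate anything
            return node.isEvalChain(ctx) || node.isSequence(ctx);
        }
        return false;
    }

    public static void main(String[] args) throws OgnlException {
        // Constructed samples. Only the third one is the sequence shape
        // quoted in the thread; its root node is an ASTSequence.
        String[] samples = {
            "name",                                              // simple property read
            "user.address.city",                                 // property chain, not a sequence
            "x=@ProcessBuilder@create(), x.execute(aCommand)",   // assignment followed by a call: a sequence
        };
        for (String expr : samples) {
            boolean refused = isEvalExpression(expr);
            System.out.printf("%-50s -> %s%n", expr,
                    refused ? "refused (sequence / eval chain)" : "passes this check");
        }
    }
}
```

To run it, put the ognl jar that ships with your Struts 2.3.x distribution on the classpath. An expression that passes this check is still subject to the member-access rules, so a parameter name that names an excluded class or package is rejected there regardless of its shape.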

