If they can execute Runtime.exec then they can execute System.setProperty On Sun, Nov 8, 2015 at 2:11 PM James Carman <ja...@carmanconsulting.com> wrote:
> System.setProperty() > > > On Sun, Nov 8, 2015 at 2:10 PM Thomas Neidhart <thomas.neidh...@gmail.com> > wrote: > >> On 11/08/2015 07:51 PM, James Carman wrote: >> > Couldn't they use the same attack vector to set a system property also? >> I >> > do believe that would be possible >> >> for this you need a way to execute code via a de-serialized class. >> Right now, the simplest way to do so is via the InvokerTransformer. >> >> There are surely other ways to do so, but if the only available way is >> blocked (i.e. InvokerTransformer can not be deserialized), a remote >> attacker cannot set a system property via this attack vector. >> >> btw. setting a system property can also be restricted by a >> SecurityManager. >> >> I am -1 on a programmatic interface, and for the 4.X branch I propose to >> remove the serialization support completely. >> >> Thomas >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >> For additional commands, e-mail: dev-h...@commons.apache.org >> >>