Yes, I guess it should be prevented. Duh!

On Sun, Nov 8, 2015 at 2:16 PM Mark Thomas <ma...@apache.org> wrote:
> On 08/11/2015 19:13, James Carman wrote:
> > If they can execute Runtime.exec then they can execute System.setProperty
>
> Yes. But the point you seem to be missing is that if the system
> property is set such that this attack is blocked, they can't use the
> attack to change the system property and unblock it.
>
> Mark
>
> > On Sun, Nov 8, 2015 at 2:11 PM James Carman <ja...@carmanconsulting.com> wrote:
> >
> >> System.setProperty()
> >>
> >> On Sun, Nov 8, 2015 at 2:10 PM Thomas Neidhart <thomas.neidh...@gmail.com> wrote:
> >>
> >>> On 11/08/2015 07:51 PM, James Carman wrote:
> >>>> Couldn't they use the same attack vector to set a system property also? I
> >>>> do believe that would be possible
> >>>
> >>> For this you need a way to execute code via a de-serialized class.
> >>> Right now, the simplest way to do so is via the InvokerTransformer.
> >>>
> >>> There are surely other ways to do so, but if the only available way is
> >>> blocked (i.e. InvokerTransformer can not be deserialized), a remote
> >>> attacker cannot set a system property via this attack vector.
> >>>
> >>> btw. setting a system property can also be restricted by a
> >>> SecurityManager.
> >>>
> >>> I am -1 on a programmatic interface, and for the 4.X branch I propose to
> >>> remove the serialization support completely.
> >>>
> >>> Thomas
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> >>> For additional commands, e-mail: dev-h...@commons.apache.org
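The point Mark and Thomas are making, that a deserialization guard controlled by a system property fails closed and therefore cannot be flipped by the very payload it blocks, can be seen in a few lines of Java. The following is an added example written for this page; it is not code from the thread and not Commons Collections code. The class `ReflectiveInvoker` is a stand-in for a transformer that invokes a method by name via reflection (the capability that makes `InvokerTransformer` usable as a gadget), and the property name `example.enableUnsafeSerialization` is an assumption chosen for the demo, not the project's property.

```java
import java.io.*;

// Added illustration, not Commons Collections code. A serializable, reflective
// "transformer" whose readObject() refuses to run unless a system property is
// set. Because the check fires before any state is restored, a stream carrying
// this class can never yield a live instance while the property is absent, so
// the payload has no code path through which to set the property itself.
public class GuardedInvokerDemo {

    // Hypothetical property name for this demo (assumption, not the project's).
    static final String PROP = "example.enableUnsafeSerialization";

    interface Transformer extends Serializable {
        Object transform(Object input);
    }

    static final class ReflectiveInvoker implements Transformer {
        private static final long serialVersionUID = 1L;
        private final String methodName;

        ReflectiveInvoker(String methodName) { this.methodName = methodName; }

        // Reflectively calls a no-arg method on the input; harmless here, but the
        // same mechanism reaches Runtime.exec when chained as in the real gadget.
        public Object transform(Object input) {
            try {
                return input.getClass().getMethod(methodName).invoke(input);
            } catch (ReflectiveOperationException e) {
                throw new RuntimeException(e);
            }
        }

        // Fail closed: Boolean.getBoolean is true only if the property exists
        // and equals "true". Throwing here aborts ObjectInputStream.readObject()
        // before defaultReadObject() restores a single field.
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            if (!Boolean.getBoolean(PROP)) {
                throw new UnsupportedOperationException(
                    "Deserialization of ReflectiveInvoker is disabled; "
                    + "start the JVM with -D" + PROP + "=true to enable it");
            }
            in.defaultReadObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Writing the object is never restricted; only reading a stream is.
        // This stands in for an attacker-supplied payload.
        byte[] payload = serialize(new ReflectiveInvoker("toUpperCase"));

        // 1. Default JVM: property unset, deserialization is refused.
        System.clearProperty(PROP);
        try {
            deserialize(payload);
            System.out.println("UNEXPECTED: gadget class deserialized");
        } catch (UnsupportedOperationException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // 2. An operator who actually trusts the stream opts in explicitly.
        System.setProperty(PROP, "true");
        Transformer t = (Transformer) deserialize(payload);
        System.out.println("opted in, transform(\"abc\") = " + t.transform("abc"));
    }
}
```

Compile and run with `javac GuardedInvokerDemo.java && java GuardedInvokerDemo`; the first deserialization attempt is rejected and the second, after the explicit opt-in, succeeds. Note that `System.setProperty` is called by the demo's own `main`, i.e. by trusted code; nothing in the payload ever executes while the property is unset. As Thomas points out in the thread, this only closes the one gadget whose class carries the guard; on Java 8u121 and later the JVM-wide `ObjectInputFilter` (JEP 290) is the place to reject unexpected classes in untrusted streams regardless of which library they come from.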