I think this entire thing can be prevented with a security manager and a proper policy in place. Nobody does that, though.
On Sun, Nov 8, 2015 at 2:10 PM Thomas Neidhart <thomas.neidh...@gmail.com> wrote:
> On 11/08/2015 07:51 PM, James Carman wrote:
> > Couldn't they use the same attack vector to set a system property also? I
> > do believe that would be possible
>
> for this you need a way to execute code via a de-serialized class.
> Right now, the simplest way to do so is via the InvokerTransformer.
>
> There are surely other ways to do so, but if the only available way is
> blocked (i.e. InvokerTransformer can not be deserialized), a remote
> attacker cannot set a system property via this attack vector.
>
> btw. setting a system property can also be restricted by a SecurityManager.
>
> I am -1 on a programmatic interface, and for the 4.X branch I propose to
> remove the serialization support completely.
>
> Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
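As an added illustration of the point in the quoted reply (if InvokerTransformer cannot be deserialized, the vector is closed), here is an ObjectInputStream subclass that vetoes classes in resolveClass before any instance is created; this is example code written for this page, not code from the thread or from Commons Collections. The allow list contents and the two functors package prefixes are assumptions chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Look-ahead deserialization: veto a class before ObjectInputStream instantiates it. */
public class SafeObjectInputStream extends ObjectInputStream {
    // Allow list of the only classes this endpoint expects (constructed for the example).
    private static final Set<String> ALLOWED =
            new HashSet<>(Arrays.asList("java.util.ArrayList", "java.lang.String"));
    // Packages holding the functors discussed in the thread; denied regardless of the allow list.
    private static final String[] DENIED_PREFIXES = {
            "org.apache.commons.collections.functors.",
            "org.apache.commons.collections4.functors."};

    public SafeObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();   // class name as read from the stream; nothing is loaded yet
        for (String prefix : DENIED_PREFIXES) {
            if (name.startsWith(prefix)) {
                throw new InvalidClassException(name, "Commons Collections functors are not accepted");
            }
        }
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class is not on the deserialization allow list");
        }
        return super.resolveClass(desc);
    }

    public static void main(String[] args) throws Exception {
        for (Object payload : new Object[]{new ArrayList<>(Arrays.asList("a", "b")), new java.util.HashMap<>()}) {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(payload); }
            try (ObjectInputStream ois = new SafeObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
                System.out.println("accepted: " + ois.readObject());   // ArrayList is on the list
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.getMessage());     // HashMap is not, so it is vetoed
            }
        }
    }
}
```

The allow list is the real control; the package deny entries only guard against someone widening that list later. On Java 9 and later the same policy can be expressed without subclassing through ObjectInputFilter (JEP 290).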