Replying to myself:
On 10/4/07, Trevor Harrison <[EMAIL PROTECTED]> wrote:
> While looking for other ways to 'break' out, I started thinking about
> classloaders. I haven't succeeded in getting a classloader yet in a
> script, but if I could, it would be bad for my intended usage of JEXL
> (as a fairly secure way of executing user supplied formulas).
>
> // this doesn't work
> cl = intClazz.getClassLoader(); // this fails, returns a null

Well, still not sure why that method is returning a null for the
classloader, but if I call (the much simpler) clazz.forName(), I can
get a reference to a class:

    i = 0;
    intClazz = i.class;
    clazz = intClazz.forName("java.lang.System");
    m = clazz.getMethod("getProperties", null);
    p = m.invoke(null, null);

which successfully gets me the system properties. Which is probably
the least of my worries, considering I could do something like:

    i = 0;
    intClazz = i.class;
    clazz = intClazz.forName("java.io.File");
    m = clazz.getMethod("listRoots", null);
    roots = m.invoke(null, null);
    files = roots[0].listFiles();
    foreach( file in files )
    {
        file.delete();
    }
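
One way to close the `.class` / `forName()` path shown in the message above, as an added example that is not part of the original post or the JEXL project's own code. It assumes the later JEXL 3 API (`org.apache.commons.jexl3`), which is not the version discussed in this thread; the class name `FormulaSandboxDemo` and the sample variables are constructed for illustration.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

public class FormulaSandboxDemo {

    // Engine whose sandbox denies property and method access on every class
    // that has not been explicitly allowed (default-deny instead of default-allow).
    static JexlEngine restrictedEngine() {
        JexlSandbox sandbox = new JexlSandbox(false); // false = nothing allowed by default
        // Classes that formulas legitimately need would be added here by name
        // with sandbox.allow("fully.qualified.ClassName").
        return new JexlBuilder()
                .sandbox(sandbox)
                .strict(true)   // unresolvable properties/methods raise an error
                .silent(false)  // errors are thrown as JexlException, not just logged
                .create();
    }

    // Evaluate one user-supplied formula; a rejected formula yields null.
    static Object evaluate(JexlEngine jexl, String source, JexlContext ctx) {
        try {
            return jexl.createScript(source).execute(ctx);
        } catch (JexlException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        JexlEngine jexl = restrictedEngine();
        JexlContext ctx = new MapContext();
        ctx.set("price", 12); // constructed sample inputs
        ctx.set("qty", 3);

        // Plain arithmetic does not go through class introspection.
        System.out.println(evaluate(jexl, "price * qty + 1", ctx));

        // First steps of the script from the message: the property read on
        // java.lang.Integer is not on the allowlist, so the engine refuses it.
        System.out.println(evaluate(jexl,
                "i = 0; intClazz = i.class; intClazz.forName('java.lang.System')", ctx));
    }
}
```

The allowlist is the control here: filtering script text for strings such as `forName` would not cover other routes to a `Class` object.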