Runtime.exec can be prevented, though.

On Sun, Nov 8, 2015 at 2:31 PM Thomas Neidhart <thomas.neidh...@gmail.com>
wrote:

> On 11/08/2015 08:20 PM, James Carman wrote:
> > I think this entire thing can be prevented with a security manager and a
> > proper policy in place. Nobody does that, though.
>
> You cannot prevent the use of reflection for public methods via a
> SecurityManager.
>
> If you then look at the different provided payloads you can see that an
> attacker can inject arbitrary bytecode that is being loaded.
>
> How would you prevent that such code is able to do anything harmful,
> especially considering that it is being executed in the security context
> of some trusted component?
>
> Thomas
