Runtime.exec can be prevented though

On Sun, Nov 8, 2015 at 2:31 PM Thomas Neidhart <thomas.neidh...@gmail.com> wrote:

> On 11/08/2015 08:20 PM, James Carman wrote:
> > I think this entire thing can be prevented with a security manager and a
> > proper policy in place. Nobody does that, though
>
> You cannot prevent the use of reflection for public methods via a
> SecurityManager.
>
> If you then look at the different provided payloads you can see that an
> attacker can inject arbitrary bytecode that is being loaded.
>
> How would you prevent that such code is able to do anything harmful,
> especially considering that it is being executed in the security context
> of some trusted component?
>
> Thomas
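
An added example (not from the thread or from the Commons code base) of the two points argued above: a custom SecurityManager that denies process creation, and a reflective call to the public Runtime.exec, which is allowed as a call but still runs into the same check. It assumes a JDK on which a SecurityManager can still be installed (Java 8-era; JDK 18 and later refuse System.setSecurityManager unless started with -Djava.security.manager=allow); DenyExecDemo and NoExecManager are hypothetical names.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Permission;

// Added illustration: class names are hypothetical, "id" is a constructed sample command.
public class DenyExecDemo {

    // Allows everything except starting processes and swapping out the manager.
    static class NoExecManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("replacing the security manager is denied");
            }
        }

        @Override
        public void checkExec(String cmd) {
            // Reached from ProcessBuilder.start(), the sink behind Runtime.exec.
            throw new SecurityException("exec denied: " + cmd);
        }
    }

    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new NoExecManager());

        try {
            Runtime.getRuntime().exec("id");
            System.out.println("direct exec: allowed");
        } catch (SecurityException e) {
            System.out.println("direct exec: " + e.getMessage());
        }

        // Reflection on a public method is not stopped: lookup and invoke go through.
        Method exec = Runtime.class.getMethod("exec", String.class);
        try {
            exec.invoke(Runtime.getRuntime(), "id");
            System.out.println("reflective exec: allowed");
        } catch (InvocationTargetException e) {
            // The check inside the sink still fires and surfaces as the cause.
            System.out.println("reflective exec: " + e.getCause().getMessage());
        }
    }
}
```

The manager here is permissive by construction so the demo stays short; a real policy would grant a narrow allow-list rather than deny two operations.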