How did we get to the point where someone could invoke arbitrary bytecode?

On Sun, Nov 8, 2015 at 2:47 PM James Carman <ja...@carmanconsulting.com> wrote:

> Runtime.exec can be prevented though
>
> On Sun, Nov 8, 2015 at 2:31 PM Thomas Neidhart <thomas.neidh...@gmail.com> wrote:
>
>> On 11/08/2015 08:20 PM, James Carman wrote:
>> > I think this entire thing can be prevented with a security manager and a
>> > proper policy in place. Nobody does that, though.
>>
>> You cannot prevent the use of reflection for public methods via a
>> SecurityManager.
>>
>> If you then look at the different provided payloads, you can see that an
>> attacker can inject arbitrary bytecode that is then loaded.
>>
>> How would you prevent such code from doing anything harmful, especially
>> considering that it is executed in the security context of some trusted
>> component?
>>
>> Thomas
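The two claims in the thread above (a policy can deny Runtime.exec; it cannot deny reflection on public methods) can be checked directly. The following is an added illustration, not code from the thread or from Apache Commons, and it assumes a JDK that still ships SecurityManager (it was removed in JDK 24; on JDK 18 to 23 the JVM must be started with -Djava.security.manager=allow). The class and method names are chosen for this demo only.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Permission;

/**
 * Demonstrates, from a defender's point of view, what a SecurityManager policy
 * does and does not cover:
 *   1. a direct Runtime.exec call is denied,
 *   2. the same call made through reflection is denied too, because the check
 *      sits inside exec() and does not care how the caller got there,
 *   3. reflective lookup and invocation of an ordinary public method is not a
 *      permission-checked operation at all, so no policy can stop it.
 * Hypothetical demo class; not part of any project discussed in the thread.
 */
public class ExecPolicyDemo {

    /** Minimal manager: deny process creation, permit everything else. */
    static final class NoExecManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Intentionally permissive for everything that is not an exec check.
        }

        @Override
        public void checkExec(String cmd) {
            // Runtime.exec always routes through checkExec(String).
            throw new SecurityException("process creation denied: " + cmd);
        }
    }

    /** Returns true if a direct Runtime.exec call is blocked by the installed policy. */
    static boolean directExecBlocked() {
        try {
            // Constructed harmless command; it is never actually run under NoExecManager.
            Runtime.getRuntime().exec("echo policy-test");
            return false;
        } catch (SecurityException e) {
            return true;
        } catch (java.io.IOException e) {
            return false;
        }
    }

    /** Returns true if Runtime.exec reached via reflection is blocked as well. */
    static boolean reflectiveExecBlocked() throws Exception {
        Method exec = Runtime.class.getMethod("exec", String.class);
        try {
            exec.invoke(Runtime.getRuntime(), "echo policy-test");
            return false;
        } catch (InvocationTargetException e) {
            // Reflection wraps the SecurityException thrown inside exec().
            return e.getCause() instanceof SecurityException;
        }
    }

    /** Reflection on a public method of a public class needs no permission: the manager never sees it. */
    static String reflectivePublicCall() throws Exception {
        Method toUpper = String.class.getMethod("toUpperCase");
        return (String) toUpper.invoke("reflection still works");
    }

    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new NoExecManager());
        System.out.println("direct exec blocked:     " + directExecBlocked());
        System.out.println("reflective exec blocked: " + reflectiveExecBlocked());
        System.out.println("reflective public call:  " + reflectivePublicCall());
    }
}
```

Run with `java -Djava.security.manager=allow ExecPolicyDemo` on JDK 18 to 23 (plain `java ExecPolicyDemo` on older JDKs). The first two lines print `true`, the third prints `REFLECTION STILL WORKS`: the policy blocks the one dangerous operation it names, but it cannot stop attacker-controlled code from reaching any other public method, which is why the thread treats a SecurityManager as a partial mitigation rather than a fix for arbitrary loaded bytecode.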