SecurityManager is an ancient part and heavily slows down the JVM. That’s the reason why almost nobody is using it.
LieGrue,
strub

> On 08.11.2015 at 20:20, James Carman <[email protected]> wrote:
>
> I think this entire thing can be prevented with a security manager and a
> proper policy in place. Nobody does that, though
>
> On Sun, Nov 8, 2015 at 2:10 PM Thomas Neidhart <[email protected]>
> wrote:
>
>> On 11/08/2015 07:51 PM, James Carman wrote:
>>> Couldn't they use the same attack vector to set a system property also? I
>>> do believe that would be possible
>>
>> for this you need a way to execute code via a de-serialized class.
>> Right now, the simplest way to do so is via the InvokerTransformer.
>>
>> There are surely other ways to do so, but if the only available way is
>> blocked (i.e. InvokerTransformer can not be deserialized), a remote
>> attacker cannot set a system property via this attack vector.
>>
>> btw. setting a system property can also be restricted by a SecurityManager.
>>
>> I am -1 on a programmatic interface, and for the 4.X branch I propose to
>> remove the serialization support completely.
>>
>> Thomas
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
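The mitigation Thomas describes above, blocking InvokerTransformer at deserialization time rather than relying on a SecurityManager policy, can be done on the receiving side with a look-ahead ObjectInputStream. The following is an added example, not code from this thread or from Commons Collections: the class name SafeObjectInputStream and its helper methods are assumptions, while the two package prefixes are the real functors packages of Commons Collections 3.x and 4.x. It rejects any class in those packages by name before the JVM loads or instantiates it, and it needs no Commons Collections jar to run.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Look-ahead deserialization: refuse gadget classes by name before
 * ObjectInputStream resolves them. Hypothetical class written for this
 * example; the package prefixes are the real Commons Collections functor
 * packages that contain InvokerTransformer.
 */
public class SafeObjectInputStream extends ObjectInputStream {

    // Transformer implementations from these packages must never be accepted
    // from an untrusted stream.
    private static final List<String> DENIED_PREFIXES = Arrays.asList(
            "org.apache.commons.collections.functors.",
            "org.apache.commons.collections4.functors.");

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /** True when className falls inside one of the denied packages. */
    static boolean isDenied(String className) {
        for (String prefix : DENIED_PREFIXES) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (isDenied(name)) {
            // Thrown before the class is loaded, so none of its code can run.
            throw new InvalidClassException(name,
                    "class is not allowed to be deserialized");
        }
        return super.resolveClass(desc);
    }

    /** Serializes value and reads it back through the filtering stream. */
    static Object roundTrip(Object value)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in = new SafeObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an ordinary list passes the filter unchanged.
        List<String> sample = new ArrayList<String>(Arrays.asList("a", "b"));
        System.out.println("accepted: " + roundTrip(sample));

        // The class named in the thread is refused on its name alone.
        String gadget = "org.apache.commons.collections.functors.InvokerTransformer";
        System.out.println(gadget + " denied: " + isDenied(gadget));
    }
}
```

A deny list by package is the narrow fix for this one gadget; an allow list of the classes the application actually expects is the stronger shape of the same check. On Java 9 and later the equivalent can be expressed without subclassing through ObjectInputFilter (JEP 290), for example a pattern string such as `!org.apache.commons.collections.functors.*` passed to ObjectInputFilter.Config.createFilter and installed with setObjectInputFilter.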
