While I totally agree with you that org.apache.devicemap.cmd.Main can and
should live somewhere else, it is in no way, shape, or form a security risk.
There is no 'shell' in there.
From: Werner Keil <[email protected]>
To: [email protected]
Sent: Thursday, January 8, 2015 8:27 AM
Subject: Separate "Console" from Java Client
Hi,
As discussed mainly here in JIRA
https://issues.apache.org/jira/browse/DMAP-54 it seems advisable to
separate the "Console" (Main class) from the actual Java Client.
An optional W3C module on top of it already suggests a bit of modularization,
so a small optional module (pretty much similar to the "Console Example",
which is the actual subject of DMAP-54) would further improve this.
Most importantly, baking a console shell into the client library poses a
security risk because it requires little more than a batch or shell script
to run UA queries against it, and it runs in a Java SE context. All known
Java vulnerabilities of the last months and years affect Java SE in a
standalone/desktop environment; a proper EE container is usually well
protected, as is code running inside it, while a JAR that exposes
console functionality may be abused via scripts much more easily.
Regards,
Werner