2016-04-20 10:42 GMT+02:00 Christoph Nenning <christoph.nenn...@lex-com.net>:
> I thought not blocking `ProcessBuilder` enables a whole lot of
> vulnerabilities. Is this risk gone when `isSequence` is set?
>
> What happens when `new ProcessBuilder` is used in a parameter name?
It won't work because using constructors matches using java.lang.Class (that's how it works), but you cannot do things like this:

"x=@ProcessBuilder@create(), x.execute(aCommand)"

with `isSequence` in place.

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
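The sequence check the reply refers to can be exercised directly against the OGNL parser. The following is an added example written for this page, not code from the thread or from the Struts code base. It assumes the OGNL 3.x library is on the classpath and that `SimpleNode.isSequence(OgnlContext)` and `SimpleNode.isEvalChain(OgnlContext)` are the checks Struts applies before evaluating an expression (its `isEvalExpression()` does this; the method below imitates it rather than reusing it). The expressions are constructed inputs; nothing is executed, only parsed.

```java
// Added example, not part of the mailing-list thread or of Struts itself.
// Assumes OGNL 3.x on the classpath.
import ognl.Ognl;
import ognl.OgnlContext;
import ognl.OgnlException;
import ognl.SimpleNode;

public class OgnlSequenceCheck {

    /**
     * Parse an expression and report whether its parse tree is a comma
     * sequence or an eval chain, the two shapes Struts refuses to evaluate.
     * Assumption: this mirrors Struts' isEvalExpression() logic; it is not
     * copied from it. The expression is parsed only, never evaluated.
     */
    public static boolean isRejected(String expression) throws OgnlException {
        Object tree = Ognl.parseExpression(expression);
        if (!(tree instanceof SimpleNode)) {
            return false;
        }
        SimpleNode node = (SimpleNode) tree;
        // createDefaultContext() builds an OgnlContext; the checks need one.
        OgnlContext context = (OgnlContext) Ognl.createDefaultContext(null);
        return node.isSequence(context) || node.isEvalChain(context);
    }

    public static void main(String[] args) throws OgnlException {
        // Constructed inputs (not from the thread):
        //  1. the pattern the reply describes: stash an object in a variable
        //     with one expression, use it in the next -> a sequence, rejected
        //  2. the same constructor call without a sequence -> NOT caught by
        //     isSequence; the reply says constructors are stopped by the
        //     java.lang.Class matching instead
        //  3. an ordinary property read -> allowed
        String[] expressions = {
            "#x = new java.lang.ProcessBuilder(\"id\"), #x.start()",
            "(new java.lang.ProcessBuilder(\"id\")).start()",
            "name",
        };
        for (String e : expressions) {
            System.out.println((isRejected(e) ? "REJECTED  " : "not a sequence  ") + e);
        }
    }
}
```

The second input is the point of the reply: `isSequence` alone does not stop a single-expression constructor call, so the class-based exclusion still has to do that work; the sequence check only removes the "assign, then use" idiom.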