2016-04-20 11:03 GMT+02:00 Christoph Nenning <christoph.nenn...@lex-com.net>:
>> > I thought not blocking `ProcessBuilder` enables a whole lot of
>> > vulnerabilities. Is this risk gone when `isSequence` is set?
>> >
>> > What happens when `new ProcessBuilder` is used in a parameter name?
>>
>> It won't work because using constructors matches using java.lang.Class
>> (that's how it works) but you cannot do things like this:
>> "x=@ProcessBuilder@create(), x.execute(aCommand)" with `isSequence` in
>> place
>>
>
> alright, then I'm fine with it.

I re-thought about that, let's cancel those votes and I will prepare
two new versions with corrected excludedClasses - it will be better :)

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/