> >> > I thought not blocking `ProcessBuilder` enables a whole lot of
> >> > vulnerabilities. Is this risk gone when `isSequence` is set?
> >> >
> >> > What happens when `new ProcessBuilder` is used in a parameter name?
> >>
> >> It won't work because using constructors matches using java.lang.Class
> >> (that's how it works) but you cannot do things like this:
> >> "x=@ProcessBuilder@create(), x.execute(aCommand)" with `isSequence` in
> >> place
> >>
> >
> > alright, then I'm fine with it.
>
> I re-thought about that, let's cancel those votes and I will prepare
> two new versions with corrected excludedClasses - it will be better :)
>
so I was convinced too early ;)