[ https://issues.apache.org/jira/browse/IO-461?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14378520#comment-14378520 ]

Bernd Eckenfels commented on IO-461:
------------------------------------

Just for the record, openProcessStream(String[] params) forwards the String 
array 1:1 to Runtime.getRuntime().exec(params), so this API is as dangerous or 
not dangerous to use as the normal system class. Iff there is a vulnerability 
then it is in the application code. (there are executor frameworks which are 
doing much more wrong :) 

> Veracode scan detected OS command injection vulnerability in 
> commons-io-1.2.jar - FileSystemUtils.java:357
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: IO-461
>                 URL: https://issues.apache.org/jira/browse/IO-461
>             Project: Commons IO
>          Issue Type: Bug
>    Affects Versions: 1.2
>            Reporter: Arkadeep Kundu
>
> Commons IO is embedded in EMC Corporation's DFS 6.7SP1.
> We performed Veracode scan for DFS 6.7SP1 and scan reported that code in 
> commons-io-1.2.jar - FileSystemUtils.java:357 (no further details) is 
> POSSIBLY vulnerable for OS command injection attacks.
> Need update on this from Apache side.
> Is it really vulnerable? If yes, is it fixed in some future version?
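The point made in the comment above (the String[] reaches exec() unchanged, so a shell never parses it and any control belongs in the caller), as an added Java example that is not code from the comment or from Commons IO; openProcessStream here is a stand-in mirroring the described behaviour, and buildDfArgv with its SAFE_PATH allow-list is an assumed application-side policy. A Unix-like host with /bin/echo is assumed.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.regex.Pattern;

public class ArgvVsShellDemo {
    // Stand-in mirroring what the comment describes: the String[] reaches
    // Runtime.exec() unchanged. Hypothetical, not the Commons IO source.
    static InputStream openProcessStream(String[] params) throws IOException {
        return Runtime.getRuntime().exec(params).getInputStream();
    }

    static String readAll(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(in))) {
            String line;
            while ((line = r.readLine()) != null) sb.append(line).append('\n');
        }
        return sb.toString();
    }

    // Application-side control (assumed policy): allow-list the value before it
    // is placed in the argv array. This is the layer the comment points at.
    private static final Pattern SAFE_PATH = Pattern.compile("[A-Za-z0-9_./-]+");

    static String[] buildDfArgv(String path) {
        if (!SAFE_PATH.matcher(path).matches()) {
            throw new IllegalArgumentException("rejected path argument: " + path);
        }
        return new String[] { "df", "-k", path };
    }

    public static void main(String[] args) throws IOException {
        // Constructed input carrying shell metacharacters.
        String untrusted = "/tmp; echo INJECTED";
        // With an argv array no shell parses the value: it arrives at /bin/echo as
        // one literal argument and is simply printed back, nothing else runs.
        String[] argv = { "/bin/echo", untrusted };
        System.out.print("argv form : " + readAll(openProcessStream(argv)));
        // The same value fails the application's allow-list before reaching exec().
        try {
            buildDfArgv(untrusted);
        } catch (IllegalArgumentException e) {
            System.out.println("allow-list: " + e.getMessage());
        }
        System.out.println("accepted  : " + Arrays.toString(buildDfArgv("/tmp")));
    }
}
```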



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)