Thursday, 28 February 2019

Safety of Class.forName in Java

Suppose I have the following:

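import java.lang.reflect.InvocationTargetException;

public class ForNameTest {
    public static void main(String[] args) throws ClassNotFoundException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException, SecurityException {
        final String s = "java.lang.Integer";
        // Load and initialize the class named by s, then invoke its first public constructor.
        // getConstructors() returns the constructors in no particular order.
        Object test = Class.forName(s).getConstructors()[0].newInstance(222);
        System.err.println(test);
    }
}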

In this code I make an object from the String s whose value is known at compile time, so I believe this code is guaranteed to be free from exploits. Is there any value that "s" could take that would execute arbitrary code? "s" can contain the code that is desired, if desired.
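An added example, not part of the original post: the one-argument Class.forName(name) initializes the class it loads, so that class's static initializer runs before any constructor is called, while the three-argument form with initialize=false only loads it. The names ForNameInitDemo, Probe, ALLOWED and resolveAllowed are hypothetical, and Set.of assumes Java 9 or later.

```java
import java.util.Set;

public class ForNameInitDemo {
    // Constructed sample class: its static initializer stands in for any
    // code a class on the classpath might run when it is initialized.
    static class Probe {
        static { System.setProperty("probe.initialized", "true"); }
    }

    // Hypothetical allowlist: only these names may ever be resolved.
    private static final Set<String> ALLOWED = Set.of("java.lang.Integer");

    static Class<?> resolveAllowed(String name) throws ClassNotFoundException {
        if (!ALLOWED.contains(name)) {
            throw new SecurityException("class not on allowlist: " + name);
        }
        // initialize=false: load the class without running static initializers.
        return Class.forName(name, false, ForNameInitDemo.class.getClassLoader());
    }

    public static void main(String[] args) throws Exception {
        String probe = ForNameInitDemo.class.getName() + "$Probe";
        ClassLoader cl = ForNameInitDemo.class.getClassLoader();

        // Loading without initialization leaves the static block unexecuted.
        Class.forName(probe, false, cl);
        System.out.println("after load only: " + System.getProperty("probe.initialized"));

        // The one-argument form initializes the class, so the static block runs.
        Class.forName(probe);
        System.out.println("after forName(name): " + System.getProperty("probe.initialized"));

        // Allowlisted name: pick the constructor by signature, not by array index.
        Object n = resolveAllowed("java.lang.Integer")
                .getConstructor(int.class).newInstance(222);
        System.out.println(n);

        // A name outside the allowlist is rejected before any class loading happens.
        try {
            resolveAllowed(probe);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```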




