[ajug-members] run a unix cmd from a j2ee container?
Dean H. Saxe
dean at fullfrontalnerdity.com
Wed Jun 4 11:38:07 EDT 2008
Runtime.exec() would work, but be wary of the security considerations
when using this. You are effectively allowing a user (if it's a
servlet calling this, for example) to execute local code with whatever
permissions the JVM is running with on the local OS. Danger Will
Robinson! This is called command injection:
http://www.owasp.org/index.php/OS_Command_Injection
Note that Java doesn't execute a shell directly. But, if you do
execute a shell and pass commands, you have a much more serious
situation which could allow arbitrary shell command execution:
// Vulnerable: the shell re-parses the concatenated string, so the parameter is not a single argument.
String[] cmds = new String[]{"/bin/sh", "-c", "finger " + request.getParameter("username")};
Runtime.getRuntime().exec(cmds);
What happens when the username is "dean; rm -rf /"? Oops.
My advice to you is not to allow the execution of commands directly
based on user input if at all possible.
-dhs
Dean H. Saxe, CISSP, CEH
dean at fullfrontalnerdity.com
"Great spirits have often encountered violent opposition from weak
minds."
--Einstein
On Jun 4, 2008, at 10:51 AM, Curt Smith wrote:
> Might folks recommend wrappers or tools that aid in running scripts
> from J2ee components? Probably an MDB but may be from servlets.
>
> I'm guessing that JNI / ProcessBuilder will probably work under
> weblogic 9/10 but maybe there's tactics you've found to work?
>
> Thanks, Curt
> _______________________________________________
> ajug-members mailing list
> ajug-members at ajug.org
> http://www.ajug.org/mailman/listinfo/ajug-members
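Added example (not from Dean's or Curt's posts): the shell-based argv Dean describes placed next to a version that uses ProcessBuilder with one argv element per argument, never starts a shell, and accepts the username only if it passes an allow-list. The class name, the allow-list pattern and the helper names are my assumptions; "finger" and the "username" parameter come from the thread.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not code from the thread. Shows why the /bin/sh -c form is
// dangerous and how a no-shell, allow-listed form avoids the problem.
public class FingerRunner {

    // Assumed allow-list: POSIX-style user names. The first character may not be
    // '-', so the value can never be parsed by finger as an option flag either.
    private static final Pattern SAFE_USERNAME =
            Pattern.compile("^[a-z_][a-z0-9_-]{0,31}$");

    // The form from the thread: the shell re-parses the string, so
    // "dean; rm -rf /" becomes two separate commands.
    static List<String> shellArgv(String username) {
        return Arrays.asList("/bin/sh", "-c", "finger " + username);
    }

    // Hardened form: validate first, then pass the username as its own argv
    // element. No shell is involved, so ';', '|', '$(...)' are just characters.
    static List<String> safeArgv(String username) {
        if (username == null || !SAFE_USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("rejected username");
        }
        return Arrays.asList("finger", username);
    }

    // Runs argv directly via ProcessBuilder (no shell) and returns its output.
    static String run(List<String> argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        byte[] out = p.getInputStream().readAllBytes(); // Java 9+
        p.waitFor();
        return new String(out);
    }

    public static void main(String[] args) throws Exception {
        String hostile = "dean; rm -rf /"; // the thread's own example input
        System.out.println("shell form argv: " + shellArgv(hostile));
        try {
            safeArgv(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened form: " + e.getMessage());
        }
        try {
            System.out.println(run(safeArgv("dean")));
        } catch (IOException e) {
            System.out.println("finger not installed on this host: " + e.getMessage());
        }
    }
}
```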