On 11/08/2015 08:20 PM, James Carman wrote:
> I think this entire thing can be prevented with a security manager and a
> proper policy in place. Nobody does that, though

You cannot prevent the use of reflection for public methods via a SecurityManager. If you then look at the different provided payloads you can see that an attacker can inject arbitrary bytecode that is being loaded. How would you prevent that such code is able to do anything harmful, especially considering that it is being executed in the security context of some trusted component?

Thomas