Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 329064

Summary: Command Injection - BundleFile is executing arbitrary commands taken from a system property.
Product: [Eclipse Project] Equinox Reporter: jonas.borjesson
Component: FrameworkAssignee: equinox.framework-inbox <equinox.framework-inbox>
Status: RESOLVED WORKSFORME QA Contact:
Severity: normal    
Priority: P3 CC: alexander.rockel, lars-goran.forsberg
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: All   
Whiteboard: stalebug

Description jonas.borjesson CLA 2010-10-29 12:48:41 EDT 
Build Identifier: 3.6.0.v20100517

The file org.eclipse.osgi.baseadaptor.bundlefile.BundleFile builds up a command string taken from a system property (osgi.filepermissions.command or org.osgi.framework.command.execpermission) and then executes it using Runtime.getRuntime().exec. This is a potential security vulnerability, allowing an attacker to have the program execute commands with a privilege that the attacker normally wouldn't have.



Reproducible: Didn't try

Steps to Reproduce:
Found after scanning through the source code but by setting the system properties the correct as described (and by looking through the code, it could happen when native code is copied to the cache).
Comment 1 Eclipse Genie CLA 2018-10-15 10:20:19 EDT 
This bug hasn't had any activity in quite some time. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet.

If you have further information on the current state of the bug, please add it. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.

--
The automated Eclipse Genie.
Comment 2 Lars Vogel CLA 2019-09-04 01:53:37 EDT 
This bug was marked as stalebug a while ago. Marking as worksforme.

If this report is still relevant for the current release, please reopen and remove the stalebug whiteboard tag.