Build Identifier: 3.6.0.v20100517

The file org.eclipse.osgi.baseadaptor.bundlefile.BundleFile builds up a command string taken from a system property (osgi.filepermissions.command or org.osgi.framework.command.execpermission) and then executes it using Runtime.getRuntime().exec. This is a potential security vulnerability, allowing an attacker to have the program execute commands with a privilege that the attacker normally wouldn't have.

Reproducible: Didn't try

Steps to Reproduce:
Found after scanning through the source code but by setting the system properties the correct as described (and by looking through the code, it could happen when native code is copied to the cache).
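An added example, not part of the original report and not Equinox code: one way to mark an extracted native library executable through the filesystem API, so that no command string is read from a system property and no child process is started, plus a startup check that flags when either property named in the report is set. The class name, method names and the temporary file are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ExecPermissionExample {
    // Property names as given in the report above.
    static final String[] COMMAND_PROPERTIES = {
        "osgi.filepermissions.command",
        "org.osgi.framework.command.execpermission"
    };

    // Audit step: list which of the command properties are set in this JVM.
    static List<String> overriddenCommandProperties() {
        List<String> found = new ArrayList<>();
        for (String name : COMMAND_PROPERTIES) {
            if (System.getProperty(name) != null) found.add(name);
        }
        return found;
    }

    // Add owner read/execute bits via the filesystem API instead of running a command.
    static void makeExecutable(Path file) throws IOException {
        if (Files.getFileStore(file).supportsFileAttributeView("posix")) {
            Set<PosixFilePermission> perms = new HashSet<>(Files.getPosixFilePermissions(file));
            perms.add(PosixFilePermission.OWNER_READ);
            perms.add(PosixFilePermission.OWNER_EXECUTE);
            Files.setPosixFilePermissions(file, perms);
        } else if (!file.toFile().setExecutable(true, true)) {
            // Non-POSIX filesystems: fall back to java.io.File and fail loudly.
            throw new IOException("could not mark executable: " + file);
        }
    }

    public static void main(String[] args) throws IOException {
        Path lib = Files.createTempFile("native-lib-", ".so"); // constructed sample file
        try {
            for (String name : overriddenCommandProperties()) {
                System.err.println("warning: " + name + " is set; review who can set it");
            }
            makeExecutable(lib);
            System.out.println(lib + " executable=" + Files.isExecutable(lib));
        } finally {
            Files.deleteIfExists(lib);
        }
    }
}
```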
This bug hasn't had any activity in quite some time. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. If you have further information on the current state of the bug, please add it. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. -- The automated Eclipse Genie.
This bug was marked as stalebug a while ago. Marking as worksforme. If this report is still relevant for the current release, please reopen and remove the stalebug whiteboard tag.