Is it possible for me to structure a Java source file such that, when compiled with javac (but not invoked with java) it will run arbitrary code?
Or can I assume that it's safe to run arbitrary source files through javac?
Asked
Active
Viewed 141 times
1
cdmckay
- 31,832
- 25
- 83
- 114
-
1I would put my money on the "it's safe" answer. If it's not safe to do this, then that's a security hole in `javac`. – Matt Ball Mar 10 '13 at 18:34
-
@MattBall: has such a security hole ever existed? – cdmckay Mar 10 '13 at 18:35
-
Couldn't say, off the top of my head. Java's been around for a long time and is a _huge_ code base which has gone through drastic changes. – Matt Ball Mar 10 '13 at 18:35
-
I know of no such "hole", but I wouldn't bet my life that there isn't one. – Hot Licks Mar 10 '13 at 18:40
2 Answers
4
I've never actually used this feature, but javac can run annotation processors -- which I believe are jut arbitrary code. The processors have to be in the processor path, which by default is just the user class path. So depending on your use case, I think that yes, this is a security concern to watch out for. You'll probably want to make sure annotation processing is disabled with -proc:none, or take some other precaution.
Paŭlo Ebermann
- 73,284
- 20
- 146
- 210
yshavit
- 42,327
- 7
- 87
- 124
1
It is not possible for javac to execute Java, regardless of how the source files are set up. All it is going to do is compile java files into class files.
Daedalus
- 1,667
- 10
- 12