CLASSPATH Security

On this post someone mentioned in a comment that adding .: to the PATH environment variable is a security vulnerability. Is adding .: to the CLASSPATH environment variable also a security vulnerability?







asked May 18 at 23:44 by SkippyNBS (edited May 21 at 6:29)




















1 Answer (accepted)










Yes, it can be a security vulnerability.

Putting .: at the front of CLASSPATH means that Java uses classes under the current directory before bothering to search the rest of the CLASSPATH paths. This means that .class files in the current directory or its subdirectories will be used in place of just about any class or interface. For example, if the file ./java/lang/String.class exists, it will be used instead of the standard String class.

That means that if you're not paying attention to what the current directory is when you run a Java program, the program might load malicious classes in the place of just about any class whatsoever.

To save yourself the effort of strenuously checking the current directory every time you ever run a Java program, you shouldn't set the system to do that by default.

If you're going to use classes under the current directory when you run a particular Java program, you should generally skip setting CLASSPATH and use the -cp argument to java instead, as in:

    java -cp ".:…" …

This completely avoids affecting other Java programs through the CLASSPATH environment variable. You should only do this in cases where you know the files under the current directory aren't malicious.






answered May 19 at 2:24 by Chai T. Rex (edited May 19 at 2:38)
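Added example (not part of the original answer): a shell function that checks a class path string, such as the value of CLASSPATH, for entries that resolve against the current working directory, which is the condition the answer warns about. The name audit_classpath and the sample paths are constructed for illustration; empty entries are flagged on the assumption that they are treated like the current directory.

```shell
#!/bin/sh
# Added example: audit a class path string for entries that depend on
# the current working directory. Names and sample paths are constructed.

# audit_classpath VALUE
# Prints one line per risky entry as "<position>:<reason>:<entry>".
# Returns 0 if every entry is an absolute path, 1 otherwise.
audit_classpath() {
    cp_value=$1
    rc=0
    pos=0
    # Append a separator so the loop also sees a trailing empty entry.
    rest="${cp_value}:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # text after the first ':'
        pos=$((pos + 1))
        case $entry in
            '')
                # Assumption: an empty entry behaves like "." and is flagged.
                printf '%s:%s:%s\n' "$pos" empty "$entry"
                rc=1 ;;
            .|./|./\*)
                printf '%s:%s:%s\n' "$pos" current-directory "$entry"
                rc=1 ;;
            /*)
                ;;  # absolute path: independent of the working directory
            *)
                printf '%s:%s:%s\n' "$pos" relative "$entry"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample value, similar to a CLASSPATH exported from a profile.
SAMPLE_CLASSPATH='.:/usr/share/java/constructed-lib.jar:build/classes'
audit_classpath "$SAMPLE_CLASSPATH" ||
    echo "class path depends on the working directory"
```

Calling audit_classpath "$CLASSPATH" from a login script or CI step reports each offending entry with its position; a non-zero return means at least one entry depends on where the program is started.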






















                     
