The exec() method of the java.lang.Runtime class and the related ProcessBuilder.start() method can be used to invoke external programs. While running, these programs are represented by a java.lang.Process object. Like any POSIX process, this process has an input stream, an output stream, and an error stream. Because the Process object lets the Java program communicate with the external program, the process's input stream is exposed as an OutputStream object, accessible through the Process.getOutputStream() method. Likewise, the process's output and error streams are both represented by InputStream objects, accessible through the Process.getInputStream() and Process.getErrorStream() methods.
...
```java
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintStream;

// Drains one stream of the child process on its own thread so the child
// never blocks on a full pipe buffer.
class StreamGobbler extends Thread {
  InputStream is;
  PrintStream os;

  StreamGobbler(InputStream is, PrintStream os) {
    this.is = is;
    this.os = os;
  }

  public void run() {
    try {
      int c;
      while ((c = is.read()) != -1)
        os.print((char) c);
    } catch (IOException x) {
      // handle error
    }
  }
}

public class Exec {
  public static void main(String[] args) throws IOException, InterruptedException {
    Runtime rt = Runtime.getRuntime();
    Process proc = rt.exec("notemaker");

    // Any error message?
    StreamGobbler errorGobbler = new StreamGobbler(proc.getErrorStream(), System.err);

    // Any output?
    StreamGobbler outputGobbler = new StreamGobbler(proc.getInputStream(), System.out);

    errorGobbler.start();
    outputGobbler.start();

    // Any error?
    int exitVal = proc.waitFor();
    errorGobbler.join();   // Handle condition where the
    outputGobbler.join();  // process ends before the threads finish
  }
}
```
...
FIO07-EX0: Failure to supply input to a process that never reads input from its input stream is harmless and can be beneficial. Failure to empty the output or error streams of a process that never sends output to its output or error streams is similarly harmless or even beneficial. Consequently, programs are permitted to ignore the input, output, or error streams of processes that are guaranteed not to use those streams.
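As an added example that is not part of the original page, the following shows the same stream-management requirement using ProcessBuilder.start() instead of Runtime.exec(): stderr is merged into stdout so a single reader drains everything, the child's stdin is closed because, per FIO07-EX0, the child never reads input, and the wait for exit is bounded. The helper name runAndDrain and the command list are assumptions; "notemaker" is the placeholder program name from the page.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;

public class ExecDrain {
    // Hypothetical helper: runs a command, drains its merged stdout/stderr on
    // the calling thread, and bounds how long it waits for the child to exit.
    public static List<String> runAndDrain(List<String> command, long timeoutSeconds)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(command);
        // Merging stderr into stdout leaves one stream to drain, so a single
        // reader cannot deadlock waiting on a pipe nobody is emptying.
        pb.redirectErrorStream(true);
        Process proc = pb.start();

        // The child never reads input (FIO07-EX0), so close its stdin instead
        // of leaving a pipe the child could block on.
        proc.getOutputStream().close();

        List<String> lines = new ArrayList<>();
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(proc.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                lines.add(line);
            }
        }
        // EOF means the child closed its end; now wait for exit, but bound the
        // wait so a hung child cannot pin this thread indefinitely.
        if (!proc.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
            proc.destroyForcibly();
            throw new IOException("process did not exit within " + timeoutSeconds + "s");
        }
        if (proc.exitValue() != 0) {
            throw new IOException("process exited with status " + proc.exitValue());
        }
        return lines;
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        // Constructed sample invocation of the page's placeholder program.
        for (String line : runAndDrain(Arrays.asList("notemaker"), 30)) {
            System.out.println(line);
        }
    }
}
```

The timeout only bounds the wait after the child closes its output; a child that keeps stdout open while hanging still needs the separate reader threads shown in the compliant solution above, joined with a bounded wait.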
Risk Assessment
Failure to properly manage the I/O streams of external processes can result in runtime exceptions and in DoS vulnerabilities.
...
...