...
Every Java application has a single instance of class Runtime that allows the application to interface with the environment in which the application is running. The current runtime can be obtained from the Runtime.getRuntime() method. The semantics of Runtime.exec() are poorly defined, so it 's is best not to rely on its behavior any more than necessary, but typically it invokes the command directly without a shell. If you want a shell, you can use /bin/sh -c on POSIX or cmd.exe on Windows. The variants of exec() that take the command line as a single string split it using a StringTokenizer. On Windows, these tokens are concatenated back into a single argument string before being executed.
...
Related Guidelines
ENV03-C. Sanitize the environment when invoking external programs | |
| |
ENV03-CPP. Sanitize the environment when invoking external programs | |
| CERT Perl Secure Coding Standard | IDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter |
Injection [RST] | |
CWE-78, Improper neutralization of special elements used in an OS command ("OS command injection") |
...
Chapter 5, "Handling Input," section "Command Injection" | |
| [OWASP 2005] | A Guide to Building Secure Web Applications and Web Services |
| [Permissions 2008] | Permissions in the Java™ SE 6 Development Kit (JDK) |
...