
On this post someone mentioned in a comment that adding .: to the PATH environment variable is a security vulnerability. Is adding .: to the CLASSPATH environment variable also a security vulnerability?

SkippyNBS

1 Answer


Yes, it can be a security vulnerability.

Putting .: at the front of CLASSPATH means that Java uses classes under the current directory before bothering to search the rest of the CLASSPATH paths. This means that .class files in the current directory or its subdirectories will be used in place of just about any class or interface. For example, if the file ./java/lang/String.class exists, it will be used instead of the standard String class.

That means that if you're not paying attention to what the current directory is when you run a Java program, the program might load malicious classes in the place of just about any class whatsoever.

To save yourself the effort of strenuously checking the current directory every time you ever run a Java program, you shouldn't set the system to do that by default.

If you're going to use classes under the current directory when you run a particular Java program, you should generally skip setting CLASSPATH and use the -cp argument to java instead, as in:

java -cp ".:…" …

This completely avoids affecting other Java programs through the CLASSPATH environment variable. You should only do this in cases where you know the files under the current directory aren't malicious.

Chai T. Rex
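An added check, written for this page and not part of the answer above: a POSIX shell audit of a ':'-separated CLASSPATH (or PATH, which the question also mentions) that lists every entry resolved from the current directory, i.e. `.` and `./...`, other relative paths such as `lib/*`, and empty entries from `::` or a leading/trailing `:`. The function names and the `<empty>` marker are my own, and treating an empty entry like `.` is an assumption carried over from PATH semantics.

```shell
#!/bin/sh
# Added example, not from the original answer: audit a CLASSPATH (or PATH)
# value for entries that are resolved relative to the current directory.
# Flagged: "." and "./...", any other relative path such as "lib/*" or
# "app.jar", and empty entries ("::", leading or trailing ":"), which are
# assumed here to behave like "." as they do for PATH.

# Returns 0 when the single entry $1 resolves relative to the cwd.
classpath_entry_is_relative() {
    case $1 in
        "")  return 0 ;;   # empty entry: assumed to mean the current directory
        /*)  return 1 ;;   # absolute path, including wildcards like /opt/lib/*
        *)   return 0 ;;   # ".", "./x", "lib/*", "foo.jar" all start from the cwd
    esac
}

# Prints each risky entry of the ':'-separated value $1, one per line
# (empty entries shown as <empty>); returns 1 if any were found, else 0.
classpath_risky_entries() {
    cre_rest=$1
    cre_found=0
    cre_last=0
    while [ "$cre_last" -eq 0 ]; do
        case $cre_rest in
            *:*) cre_entry=${cre_rest%%:*}; cre_rest=${cre_rest#*:} ;;
            *)   cre_entry=$cre_rest; cre_last=1 ;;
        esac
        if classpath_entry_is_relative "$cre_entry"; then
            cre_found=1
            printf '%s\n' "${cre_entry:-<empty>}"
        fi
    done
    return $cre_found
}

# Stand-alone use: audit the live environment. An unset CLASSPATH makes
# java default to ".", so that case is reported as well.
if [ "${CLASSPATH+set}" != set ]; then
    echo "CLASSPATH is unset: java will search the current directory by default"
elif classpath_risky_entries "$CLASSPATH"; then
    echo "CLASSPATH contains no current-directory entries"
else
    echo "CLASSPATH has entries resolved from the current directory (listed above)"
fi
```

Run it as `classpath_risky_entries "$PATH"` to apply the same check to PATH.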