On this post someone mentioned in a comment that adding .: to the PATH environment variable is a security vulnerability. Is adding .: to the CLASSPATH environment variable also a security vulnerability?

- 113
1 Answer
Yes, it can be a security vulnerability.
Putting .: at the front of CLASSPATH means that Java uses classes under the current directory before bothering to search the rest of the CLASSPATH paths. This means that .class files in the current directory or its subdirectories will be used in place of just about any class or interface. For example, if the file ./java/lang/String.class exists, it will be used instead of the standard String class.
That means that if you're not paying attention to what the current directory is when you run a Java program, the program might load malicious classes in the place of just about any class whatsoever.
To save yourself the effort of strenuously checking the current directory every time you ever run a Java program, you shouldn't set the system to do that by default.
If you're going to use classes under the current directory when you run a particular Java program, you should generally skip setting CLASSPATH and use the -cp argument to java instead, as in:
java -cp ".:…" …
This completely avoids affecting other Java programs through the CLASSPATH environment variable. You should only do this in cases where you know the files under the current directory aren't malicious.

- 5,193
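As an added example (not part of the answer above), here is a small POSIX sh audit function that checks a CLASSPATH value for the risk the answer describes: any entry that makes class loading depend on whatever the current working directory happens to be. It flags a literal "." or "./", an empty element (a leading, trailing or doubled colon, which a launcher may interpret as the current directory), and any relative path, since relative entries are resolved against the current directory too. It also reports an unset or empty CLASSPATH, because in that case the java launcher defaults the class path to ".". The function name and the sample values are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit a CLASSPATH value for entries that make class loading
# depend on the current working directory. Not code from the original answer.
#
# Usage: audit_classpath "$CLASSPATH"
# Prints one flagged entry per line; returns 0 if nothing was flagged, 1 otherwise.
audit_classpath() {
    status=0

    # An unset or empty CLASSPATH is not "safe": java then uses "." by default.
    if [ -z "$1" ]; then
        printf '%s\n' '(unset or empty) java defaults the class path to the current directory'
        return 1
    fi

    # Append a sentinel ':' so the last element is processed like the others.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"   # text up to the first ':'
        rest="${rest#*:}"     # everything after it
        case "$entry" in
            "")
                # Empty element from a leading/trailing/doubled ':'.
                printf '%s\n' '<empty> (may be treated as the current directory)'
                status=1 ;;
            .|./)
                printf '%s\n' "$entry (current directory)"
                status=1 ;;
            /*)
                # Absolute path: independent of the current directory, not flagged.
                ;;
            *)
                # Relative path (including "lib/*" wildcards): resolved against cwd.
                printf '%s\n' "$entry (relative path, resolved against the current directory)"
                status=1 ;;
        esac
    done
    return $status
}

# Constructed sample values for a quick demonstration when run directly.
audit_classpath '/opt/app/lib/app.jar:/usr/share/java/foo.jar' && echo 'clean'
audit_classpath '.:/opt/app/lib/app.jar' || echo 'flagged'
audit_classpath '/opt/app/lib/app.jar:' || echo 'flagged'
```

The function is meant to be dropped into a login-shell sanity check or a CI step that inspects the environment of a service account; a non-zero return is the signal that the class path, as configured, would let files under an arbitrary current directory take part in class loading.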