aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorsundar <none@none>2014-02-07 18:47:46 +0530
committersundar <none@none>2014-02-07 18:47:46 +0530
commitc4352c8195a143bf2d00a026c0e74306e223cab8 (patch)
tree954c86c22125d81e913d26ebeec6be96b2873ebe
parent583306df186bb54ee1201185d20a4a7075c6e065 (diff)
downloadnashorn-c4352c8195a143bf2d00a026c0e74306e223cab8.tar.gz
8033924: Default permissions are not given for eval code
Reviewed-by: lagergren, jlaskey
-rw-r--r--src/jdk/nashorn/internal/runtime/Context.java2
-rw-r--r--src/jdk/nashorn/internal/runtime/ScriptLoader.java5
-rw-r--r--test/script/sandbox/safeprops.js65
-rw-r--r--test/src/jdk/nashorn/api/scripting/ScriptEngineTest.java41
4 files changed, 109 insertions, 4 deletions
diff --git a/src/jdk/nashorn/internal/runtime/Context.java b/src/jdk/nashorn/internal/runtime/Context.java
index 55114881..7df2493d 100644
--- a/src/jdk/nashorn/internal/runtime/Context.java
+++ b/src/jdk/nashorn/internal/runtime/Context.java
@@ -957,7 +957,7 @@ public final class Context {
final URL url = source.getURL();
final ScriptLoader loader = env._loader_per_compile ? createNewLoader() : scriptLoader;
- final CodeSource cs = url == null ? null : new CodeSource(url, (CodeSigner[])null);
+ final CodeSource cs = new CodeSource(url, (CodeSigner[])null);
final CodeInstaller<ScriptEnvironment> installer = new ContextCodeInstaller(this, loader, cs);
final Compiler compiler = new Compiler(installer, strict);
diff --git a/src/jdk/nashorn/internal/runtime/ScriptLoader.java b/src/jdk/nashorn/internal/runtime/ScriptLoader.java
index 78185b1c..52c98d40 100644
--- a/src/jdk/nashorn/internal/runtime/ScriptLoader.java
+++ b/src/jdk/nashorn/internal/runtime/ScriptLoader.java
@@ -70,9 +70,8 @@ final class ScriptLoader extends NashornLoader {
* @return Installed class.
*/
synchronized Class<?> installClass(final String name, final byte[] data, final CodeSource cs) {
- if (cs == null) {
- return defineClass(name, data, 0, data.length, new ProtectionDomain(null, getPermissions(null)));
- }
+ // null check
+ cs.getClass();
return defineClass(name, data, 0, data.length, cs);
}
}
diff --git a/test/script/sandbox/safeprops.js b/test/script/sandbox/safeprops.js
new file mode 100644
index 00000000..dc12e74f
--- /dev/null
+++ b/test/script/sandbox/safeprops.js
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2014 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * Try to access System properties safe to read for any code.
+ * No security exception expected.
+ *
+ * @test
+ * @security
+ * @run
+ * @bug 8033924: Default permissions are not given for eval code
+ */
+
+var propNames = [
+ "java.version",
+ "java.vendor",
+ "java.vendor.url",
+ "java.class.version",
+ "os.name",
+ "os.version",
+ "os.arch",
+ "file.separator",
+ "path.separator",
+ "line.separator",
+ "java.specification.version",
+ "java.specification.vendor",
+ "java.specification.name",
+ "java.vm.specification.version",
+ "java.vm.specification.vendor",
+ "java.vm.specification.name",
+ "java.vm.version",
+ "java.vm.vendor",
+ "java.vm.name"
+];
+
+// no security exception expected
+for (var p in propNames) {
+ java.lang.System.getProperty(propNames[p]);
+}
+
+// no security exception expected
+for (var p in propNames) {
+ var name = propNames[p];
+ eval('java.lang.System.getProperty(name)');
+}
diff --git a/test/src/jdk/nashorn/api/scripting/ScriptEngineTest.java b/test/src/jdk/nashorn/api/scripting/ScriptEngineTest.java
index df8696d8..52199145 100644
--- a/test/src/jdk/nashorn/api/scripting/ScriptEngineTest.java
+++ b/test/src/jdk/nashorn/api/scripting/ScriptEngineTest.java
@@ -560,6 +560,47 @@ public class ScriptEngineTest {
assertTrue(reached[0]);
}
+ // properties that can be read by any code
+ private static String[] propNames = {
+ "java.version",
+ "java.vendor",
+ "java.vendor.url",
+ "java.class.version",
+ "os.name",
+ "os.version",
+ "os.arch",
+ "file.separator",
+ "path.separator",
+ "line.separator",
+ "java.specification.version",
+ "java.specification.vendor",
+ "java.specification.name",
+ "java.vm.specification.version",
+ "java.vm.specification.vendor",
+ "java.vm.specification.name",
+ "java.vm.version",
+ "java.vm.vendor",
+ "java.vm.name"
+ };
+
+ // @bug 8033924: Default permissions are not given for eval code
+ @Test
+ public void checkPropertyReadPermissions() throws ScriptException {
+ final ScriptEngineManager m = new ScriptEngineManager();
+ final ScriptEngine e = m.getEngineByName("nashorn");
+
+ for (final String name : propNames) {
+ checkProperty(e, name);
+ }
+ }
+
+ private static void checkProperty(final ScriptEngine e, final String name)
+ throws ScriptException {
+ String value = System.getProperty(name);
+ e.put("name", name);
+ assertEquals(value, e.eval("java.lang.System.getProperty(name)"));
+ }
+
private static final String LINE_SEPARATOR = System.getProperty("line.separator");
// Returns String that would be the result of calling PrintWriter.println