Details
-
Bug
-
Resolution: Fixed
-
P3
-
9
-
None
-
b04
-
generic
-
generic
Backports
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8045075 | 8u25 | Sundararajan Athijegannathan | P3 | Resolved | Fixed | b01 |
| JDK-8037992 | 8u20 | Sundararajan Athijegannathan | P3 | Resolved | Fixed | b09 |
| JDK-8052475 | emb-8u26 | Sundararajan Athijegannathan | P3 | Resolved | Fixed | b18 |
Description
When javax.script API is used to evaluate a (string) script, the script does not get the default permissions given to any code. The same is true when "jjs" is run in interactive mode under security manager.
{code}
import javax.script.*;
public class Main {
public static void main(String[] ar) throws ScriptException {
ScriptEngineManager m = new ScriptEngineManager();
ScriptEngine e = m.getEngineByName("nashorn");
System.out.println(e.eval("java.lang.System.getProperty('java.version')"));
}
}
{code}
results in security exception (it should not). Another example:
jjs -J-Djava.security.manager
jjs> java.lang.System.getProperty("java.version")
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")
{code}
import javax.script.*;
public class Main {
public static void main(String[] ar) throws ScriptException {
ScriptEngineManager m = new ScriptEngineManager();
ScriptEngine e = m.getEngineByName("nashorn");
System.out.println(e.eval("java.lang.System.getProperty('java.version')"));
}
}
{code}
results in security exception (it should not). Another example:
jjs -J-Djava.security.manager
jjs> java.lang.System.getProperty("java.version")
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")
Attachments
Issue Links
- backported by
-
JDK-8037992 Default permissions are not given for eval code
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-