# HG changeset patch # User sundar # Date 1391779066 -19800 # Node ID 946916efe39e88c22c92d3f91bcd240bccae75f5 # Parent 34e8f522b7baec2d47368fa6a9a7906dd68191dd 8033924: Default permissions are not given for eval code Reviewed-by: lagergren, jlaskey diff -r 34e8f522b7ba -r 946916efe39e src/jdk/nashorn/internal/runtime/Context.java --- a/src/jdk/nashorn/internal/runtime/Context.java Fri Feb 14 19:02:02 2014 +0530 +++ b/src/jdk/nashorn/internal/runtime/Context.java Fri Feb 07 18:47:46 2014 +0530 @@ -957,7 +957,7 @@ final URL url = source.getURL(); final ScriptLoader loader = env._loader_per_compile ? createNewLoader() : scriptLoader; - final CodeSource cs = url == null ? null : new CodeSource(url, (CodeSigner[])null); + final CodeSource cs = new CodeSource(url, (CodeSigner[])null); final CodeInstaller installer = new ContextCodeInstaller(this, loader, cs); final Compiler compiler = new Compiler(installer, strict); diff -r 34e8f522b7ba -r 946916efe39e src/jdk/nashorn/internal/runtime/ScriptLoader.java --- a/src/jdk/nashorn/internal/runtime/ScriptLoader.java Fri Feb 14 19:02:02 2014 +0530 +++ b/src/jdk/nashorn/internal/runtime/ScriptLoader.java Fri Feb 07 18:47:46 2014 +0530 @@ -70,9 +70,8 @@ * @return Installed class. */ synchronized Class installClass(final String name, final byte[] data, final CodeSource cs) { - if (cs == null) { - return defineClass(name, data, 0, data.length, new ProtectionDomain(null, getPermissions(null))); - } + // null check + cs.getClass(); return defineClass(name, data, 0, data.length, cs); } } diff -r 34e8f522b7ba -r 946916efe39e test/script/sandbox/safeprops.js --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/script/sandbox/safeprops.js Fri Feb 07 18:47:46 2014 +0530 @@ -0,0 +1,65 @@ +/* + * Copyright (c) 2014 Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * Try to access System properties safe to read for any code. + * No security exception expected. + * + * @test + * @security + * @run + * @bug 8033924: Default permissions are not given for eval code + */ + +var propNames = [ + "java.version", + "java.vendor", + "java.vendor.url", + "java.class.version", + "os.name", + "os.version", + "os.arch", + "file.separator", + "path.separator", + "line.separator", + "java.specification.version", + "java.specification.vendor", + "java.specification.name", + "java.vm.specification.version", + "java.vm.specification.vendor", + "java.vm.specification.name", + "java.vm.version", + "java.vm.vendor", + "java.vm.name" +]; + +// no security exception expected +for (var p in propNames) { + java.lang.System.getProperty(propNames[p]); +} + +// no security exception expected +for (var p in propNames) { + var name = propNames[p]; + eval('java.lang.System.getProperty(name)'); +} diff -r 34e8f522b7ba -r 946916efe39e test/src/jdk/nashorn/api/scripting/ScriptEngineTest.java --- a/test/src/jdk/nashorn/api/scripting/ScriptEngineTest.java Fri Feb 14 19:02:02 2014 +0530 +++ b/test/src/jdk/nashorn/api/scripting/ScriptEngineTest.java Fri Feb 07 18:47:46 2014 +0530 @@ -560,6 +560,47 @@ assertTrue(reached[0]); } + // properties that can be read by any code + private static String[] propNames = { + "java.version", + "java.vendor", + "java.vendor.url", + "java.class.version", + "os.name", + "os.version", + "os.arch", + "file.separator", + "path.separator", + "line.separator", + "java.specification.version", + "java.specification.vendor", + "java.specification.name", + "java.vm.specification.version", + "java.vm.specification.vendor", + "java.vm.specification.name", + "java.vm.version", + "java.vm.vendor", + "java.vm.name" + }; + + // @bug 8033924: Default permissions are not given for eval code + @Test + public void checkPropertyReadPermissions() throws ScriptException { + final ScriptEngineManager m = new ScriptEngineManager(); + final ScriptEngine e = m.getEngineByName("nashorn"); + + for (final String name : propNames) { + checkProperty(e, name); + } + } + + private static void checkProperty(final ScriptEngine e, final String name) + throws ScriptException { + String value = System.getProperty(name); + e.put("name", name); + assertEquals(value, e.eval("java.lang.System.getProperty(name)")); + } + private static final String LINE_SEPARATOR = System.getProperty("line.separator"); // Returns String that would be the result of calling PrintWriter.println