Thu, 02 Jun 2016 14:56:20 +0530
8158467: AccessControlException is thrown on public Java class access if "script app loader" is set to null
Reviewed-by: mhaupt, hannesw
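--- a/make/build.xml
+++ b/make/build.xml
@@ -425,6 +425,10 @@
 permission java.io.FilePermission "${basedir}/test/script/external/showdown/-", "read";
 };
 
+grant codeBase "file:/${basedir}/test/script/basic/JDK-8158467.js" {
+ permission java.lang.RuntimePermission "nashorn.setConfig";
+};
+
 </echo>
 
 <replace file="${build.dir}/nashorn.policy"><replacetoken>\</replacetoken><replacevalue>/</replacevalue></replace> <!--hack for Windows - to make URLs with normal path separators -->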
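--- a/src/jdk/nashorn/internal/runtime/Context.java
+++ b/src/jdk/nashorn/internal/runtime/Context.java
@@ -1047,7 +1047,17 @@
 }
 
 // Try finding using the "app" loader.
- return Class.forName(fullName, true, appLoader);
+ if (appLoader != null) {
+ return Class.forName(fullName, true, appLoader);
+ } else {
+ final Class<?> cl = Class.forName(fullName);
+ // return the Class only if it was loaded by boot loader
+ if (cl.getClassLoader() == null) {
+ return cl;
+ } else {
+ throw new ClassNotFoundException(fullName);
+ }
+ }
 }
 
 /**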
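Review bot: In the new `else` branch, the one-argument `Class.forName(fullName)` loads and initializes the class before the `cl.getClassLoader() == null` check runs. A class that is visible to the loader defining this code but not to the boot loader therefore has its static initializer executed and is only then rejected with `ClassNotFoundException`. Loading without initialization keeps the filter ahead of any class code, e.g. `final Class<?> cl = Class.forName(fullName, false, Context.class.getClassLoader());`. This assumes the code sits in `Context` itself, so the loader choice matches the one-argument form, and it should be confirmed under a security manager with the new test. The comment could also say why a null loader is not passed to `Class.forName` directly; the enclosing method starts and ends outside the hunk.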
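--- /dev/null
+++ b/test/script/basic/JDK-8158467.js
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * JDK-8158467: AccessControlException is thrown on public Java class access if "script app loader" is set to null
+ *
+ * @option -scripting
+ * @test
+ * @run
+ */
+
+var Factory = Java.type("jdk.nashorn.api.scripting.NashornScriptEngineFactory");
+var fac = new Factory();
+
+// This script has to be given RuntimePermission("nashorn.setConfig")
+var e = fac["getScriptEngine(java.lang.ClassLoader)"](null);
+
+print(e.eval("java.lang.System"));
+print(e.eval("({ foo: 42})").foo);
+print((e.eval("function(x) x*x"))(31));
+
+e.put("output", print);
+var runnable = e.eval(<<EOF
+ new java.lang.Runnable() {
+ run: function() {
+ output("hello Runnable");
+ }
+ }
+EOF);
+
+runnable.run();
+
+var obj = e.eval(<<EOF
+new (Java.extend(Java.type("java.lang.Object"))) {
+ hashCode: function() 33,
+ toString: function() "I'm object"
+}
+EOF);
+
+print(obj.hashCode());
+print(obj.toString());
+
+// should throw SecurityException!
+try {
+ e.eval("Packages.jdk.internal");
+} catch (ex) {
+ print(ex);
+}
+
+// should throw SecurityException!
+try {
+ e.eval("Java.type('jdk.internal.misc.Unsafe')");
+} catch (ex) {
+ print(ex);
+}
+
+// should throw SecurityException!
+try {
+ e.eval("Java.type('jdk.nashorn.internal.Context')");
+} catch (ex) {
+ print(ex);
+}
+
+// should throw ClassNotFoundException as null is script
+// "app loader" [and not platform loader which loads nashorn]
+e.eval(<<EOF
+try {
+ Java.type('jdk.nashorn.api.scripting.JSObject');
+} catch (ex) {
+ output(ex);
+}
+EOF);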
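Review bot: Each `// should throw SecurityException!` block only prints the caught exception, so if `e.eval(...)` ever stops throwing, the regression appears only as a missing line in the `.EXPECTED` comparison rather than as an explicit failure. Adding a marker line after the call inside each `try`, for example `print("FAIL: no exception for Packages.jdk.internal");`, makes a lost access check obvious in the test output. The same applies to the final `Java.type('jdk.nashorn.api.scripting.JSObject')` case, where the marker would go through `output(...)`. The comments could also name `AccessControlException`, which is what the expected output records.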
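--- /dev/null
+++ b/test/script/basic/JDK-8158467.js.EXPECTED
@@ -0,0 +1,10 @@
+[JavaClass java.lang.System]
+42
+961
+hello Runnable
+33
+I'm object
+java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.internal")
+java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.internal.misc")
+java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.nashorn.internal")
+java.lang.ClassNotFoundException: jdk.nashorn.api.scripting.JSObject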