Posted to batik-commits@xmlgraphics.apache.org by ss...@apache.org on 2022/10/12 12:24:30 UTC

svn commit: r1904549 - /xmlgraphics/batik/trunk/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java

Author: ssteiner
Date: Wed Oct 12 12:24:29 2022
New Revision: 1904549

URL: http://svn.apache.org/viewvc?rev=1904549&view=rev
Log:
BATIK-1345: Restrict what java classes can be run through rhino

Modified:
    xmlgraphics/batik/trunk/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java

Modified: xmlgraphics/batik/trunk/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java?rev=1904549&r1=1904548&r2=1904549&view=diff
==============================================================================
--- xmlgraphics/batik/trunk/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java (original)
+++ xmlgraphics/batik/trunk/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java Wed Oct 12 12:24:29 2022
@@ -20,6 +20,9 @@ package org.apache.batik.script.rhino;
 
 import org.mozilla.javascript.ClassShutter;
 
+import java.util.Arrays;
+import java.util.List;
+
 /**
  * Class shutter that restricts access to Batik internals from script.
  *
@@ -27,6 +30,7 @@ import org.mozilla.javascript.ClassShutt
  * @version $Id$
  */
 public class RhinoClassShutter implements ClassShutter {
+    private static final List<String> WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
 
     /*
     public RhinoClassShutter() {
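Review bot: The added `WHITELIST` constant carries no comment stating what it is for or why these three classes were chosen, so a later maintainer cannot tell whether adding an entry is safe. A short Javadoc such as `/** java.* classes that remain visible to scripts after BATIK-1345; every other java.* class is hidden by visibleToScripts. Keep this list minimal: an entry exposes the whole class, not a single method. */` would record the policy. Note also that `java.lang.System` is allowed as a whole class, which exposes considerably more than console output; if printing is the intended use (as the neighbouring `java.io.PrintStream` entry suggests, though that is inferred), documenting that need or narrowing the allowance would be prudent. The list is consulted by exact name in the `visibleToScripts` hunk below, so this constant is the single place where the allowance should be explained.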
@@ -55,6 +59,10 @@ public class RhinoClassShutter implement
      * Returns whether the given class is visible to scripts.
      */
     public boolean visibleToScripts(String fullClassName) {
+        if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) {
+            return false;
+        }
+
         // Don't let them mess with script engine's internals.
         if (fullClassName.startsWith("org.mozilla.javascript"))
             return false;
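Review bot: The `!fullClassName.endsWith("Permission")` clause on the first added line exempts classes by name suffix rather than by exact name, so it bypasses the exact-match `WHITELIST` for a whole family of classes across every `java.*` package and cannot be audited from the list alone. If specific Permission classes are genuinely required, listing them in `WHITELIST` keeps the policy in one place and the condition simplifies to `if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName)) {`. The new rule also matches only the `java.` prefix, so `javax.*`, `jdk.*` and `sun.*`/`com.sun.*` names are untouched by it; whether the remainder of the method handles them is not visible here, since `visibleToScripts` continues past the end of the hunk. A comment above the check, `// BATIK-1345: default-deny java.* classes; only WHITELIST entries are visible to scripts`, would make the intent explicit.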