Author: ssteiner Date: Fri Oct 28 09:13:58 2022 New Revision: 1904899 URL: http://svn.apache.org/viewvc?rev=1904899&view=rev Log: BATIK-1347: Switch to full whitelist for rhino
Modified: xmlgraphics/batik/trunk/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/script/rhino/RhinoClassShutterTest.java Modified: xmlgraphics/batik/trunk/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java?rev=1904899&r1=1904898&r2=1904899&view=diff ==============================================================================
--- xmlgraphics/batik/trunk/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java (original)
+++ xmlgraphics/batik/trunk/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java Fri Oct 28 09:13:58 2022
@@ -33,7 +33,9 @@ import java.util.List;
 public class RhinoClassShutter implements ClassShutter {
     public static final List<String> WHITELIST = new ArrayList<>();
     static {
-        WHITELIST.addAll(Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL"));
+        WHITELIST.addAll(Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL", ".*Permission",
+                "org.w3c.dom.*", "org.apache.batik.w3c.*", "org.apache.batik.anim.*", "org.apache.batik.dom.*",
+                "org.apache.batik.css.*"));
     }
     /*
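Review bot: The entries added to WHITELIST here are regular expressions (`.*Permission`, `org.w3c.dom.*`), while the three pre-existing entries are literal class names, and because the matching loop in the visibleToScripts hunk now uses `String.matches`, every entry, including anything a caller adds to this public list, is interpreted as a regex. The literal entries still work only because `.` happens to match itself; an unescaped dot also matches any other character, and a name containing regex metacharacters such as the `$` of a nested class would never match when added verbatim. Consider storing literals as `Pattern.quote("java.io.PrintStream")` and stating the contract on the field, e.g. `/** java.util.regex patterns, matched against the whole class name, that scripts may access. */`. The same interpretation applies to the matching loop in the visibleToScripts hunk.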
@@ -63,56 +65,11 @@ public class RhinoClassShutter implement
      * Returns whether the given class is visible to scripts.
      */
     public boolean visibleToScripts(String fullClassName) {
-        if (!WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission") && !fullClassName.startsWith("org.")) {
-            return false;
-        }
-
-        // Don't let them mess with script engine's internals.
-        if (fullClassName.startsWith("org.mozilla.javascript"))
-            return false;
-
-        if (fullClassName.startsWith("org.apache.batik.")) {
-            // Just get package within batik.
-            String batikPkg = fullClassName.substring(17);
-
-            // Don't let them mess with Batik script internals.
-            if (batikPkg.startsWith("script"))
-                return false;
-
-            // Don't let them get global structures.
-            if (batikPkg.startsWith("apps"))
-                return false;
-
-            // Don't let them get scripting stuff from bridge, but specifically
-            // allow access to:
-            //
-            // o.a.b.bridge.ScriptingEnvironment$Window$IntervalScriptTimerTask
-            // o.a.b.bridge.ScriptingEnvironment$Window$IntervalRunnableTimerTask
-            // o.a.b.bridge.ScriptingEnvironment$Window$TimeoutScriptTimerTask
-            // o.a.b.bridge.ScriptingEnvironment$Window$TimeoutRunnableTimerTask
-            //
-            // since objects of these classes are returned by setInterval() and
-            // setTimeout().
-            if (batikPkg.startsWith("bridge.")) {
-                String batikBridgeClass = batikPkg.substring(7);
-                if (batikBridgeClass.startsWith("ScriptingEnvironment")) {
-                    if (batikBridgeClass.startsWith("$Window$", 20)) {
-                        String c = batikBridgeClass.substring(28);
-                        if (c.equals("IntervalScriptTimerTask")
-                            || c.equals("IntervalRunnableTimerTask")
-                            || c.equals("TimeoutScriptTimerTask")
-                            || c.equals("TimeoutRunnableTimerTask")) {
-                            return true;
-                        }
-                    }
-                    return false;
-                }
-                if (batikBridgeClass.startsWith("BaseScriptingEnvironment")) {
-                    return false;
-                }
+        for (String v : WHITELIST) {
+            if (fullClassName.matches(v)) {
+                return true;
             }
         }
-
-        return true;
+        return false;
     }
 }
Modified: xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/script/rhino/RhinoClassShutterTest.java URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/script/rhino/RhinoClassShutterTest.java?rev=1904899&r1=1904898&r2=1904899&view=diff ==============================================================================
--- xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/script/rhino/RhinoClassShutterTest.java (original)
+++ xmlgraphics/batik/trunk/batik-test-old/src/test/java/org/apache/batik/script/rhino/RhinoClassShutterTest.java Fri Oct 28 09:13:58 2022
@@ -29,5 +29,6 @@ public class RhinoClassShutterTest {
         RhinoClassShutter.WHITELIST.add(runtimeClass);
         Assert.assertTrue(new RhinoClassShutter().visibleToScripts(runtimeClass));
         RhinoClassShutter.WHITELIST.remove(runtimeClass);
+        Assert.assertFalse(new RhinoClassShutter().visibleToScripts("org.x"));
     }
 }
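Review bot: The four `ScriptingEnvironment$Window$…TimerTask` classes that the removed code explicitly allowed, because setInterval() and setTimeout() hand objects of those classes back to scripts, are not covered by any entry of the new WHITELIST, so the rewritten loop now hides them; if those objects are still returned to scripts this is a functional regression the log line does not mention, and either a quoted entry for each of them or a test that pins their visibility is needed. Separately, `fullClassName.matches(v)` compiles every entry into a Pattern on each call, and this method is consulted for every class a script touches, so the cost scales with the list length per lookup. Caching the compiled patterns by entry, as below, keeps the public `WHITELIST` contract intact; the cache has to be keyed by entry rather than built once because the test hunk mutates the list at runtime. The method's Javadoc starts in the context lines above the first removed line.
```java
    private static final Map<String, Pattern> COMPILED = new ConcurrentHashMap<>();

    public boolean visibleToScripts(String fullClassName) {
        for (String v : WHITELIST) {
            // Compile each whitelist regex once; entries may be added or removed at runtime.
            Pattern p = COMPILED.computeIfAbsent(v, Pattern::compile);
            if (p.matcher(fullClassName).matches()) {
                return true;
            }
        }
        return false;
    }
```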
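Review bot: The new assertion only shows that an arbitrary `org.x` name is rejected; nothing in the test pins the deny decisions that the rewrite of visibleToScripts deleted (Rhino internals under `org.mozilla.javascript`, Batik's `script` and `apps` packages, and the bridge scripting classes), which are the cases this shutter exists for. Adding e.g. `Assert.assertFalse(new RhinoClassShutter().visibleToScripts("org.mozilla.javascript.Context"));` together with a matching check for `org.apache.batik.script.rhino.RhinoInterpreter` would make a future whitelist entry that re-exposes them fail the build. The test method's header lies outside the hunk.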