Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8033924

Default permissions are not given for eval code

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 9
    • Fix Version/s: 9
    • Component/s: core-libs
    • Labels:
      None
    • Subcomponent:
    • Resolved In Build:
      b04
    • CPU:
      generic
    • OS:
      generic

      Backports

        Description

        When javax.script API is used to evaluate a (string) script, the script does not get the default permissions given to any code. The same is true when "jjs" is run in interactive mode under security manager.

        {code}

        import javax.script.*;

        public class Main {
          public static void main(String[] ar) throws ScriptException {
             ScriptEngineManager m = new ScriptEngineManager();
             ScriptEngine e = m.getEngineByName("nashorn");
             System.out.println(e.eval("java.lang.System.getProperty('java.version')"));
          }
        }

        {code}

        results in security exception (it should not). Another example:

        jjs -J-Djava.security.manager
        jjs> java.lang.System.getProperty("java.version")
        java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  sundar Sundararajan Athijegannathan
                  Reporter:
                  sundar Sundararajan Athijegannathan
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: