JDK-8033924 : Default permissions are not given for eval code
- Type: Bug
- Component: core-libs
- Sub-Component: jdk.nashorn
- Affected Version: 9
- Priority: P3
- Status: Resolved
- Resolution: Fixed
- OS: generic
- CPU: generic
- Submitted: 2014-02-07
- Updated: 2014-07-29
- Resolved: 2014-02-07
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 8 | JDK 9 |
|---|---|
8u20Fixed  |
9 b04Fixed |
Description
When javax.script API is used to evaluate a (string) script, the script does not get the default permissions given to any code. The same is true when "jjs" is run in interactive mode under security manager.
{code}
import javax.script.*;
public class Main {
public static void main(String[] ar) throws ScriptException {
ScriptEngineManager m = new ScriptEngineManager();
ScriptEngine e = m.getEngineByName("nashorn");
System.out.println(e.eval("java.lang.System.getProperty('java.version')"));
}
}
{code}
results in security exception (it should not). Another example:
jjs -J-Djava.security.manager
jjs> java.lang.System.getProperty("java.version")
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")