BATIK-1347: Switch to full whitelist for rhino
git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1904899 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
index 5a11d56..3e68f7e 100644
--- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
+++ b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
@@ -33,7 +33,9 @@
public class RhinoClassShutter implements ClassShutter {
public static final List<String> WHITELIST = new ArrayList<>();
static {
- WHITELIST.addAll(Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL"));
+ WHITELIST.addAll(Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL", ".*Permission",
+ "org.w3c.dom.*", "org.apache.batik.w3c.*", "org.apache.batik.anim.*", "org.apache.batik.dom.*",
+ "org.apache.batik.css.*"));
}
/*
@@ -63,56 +65,11 @@
* Returns whether the given class is visible to scripts.
*/
public boolean visibleToScripts(String fullClassName) {
- if (!WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission") && !fullClassName.startsWith("org.")) {
- return false;
- }
-
- // Don't let them mess with script engine's internals.
- if (fullClassName.startsWith("org.mozilla.javascript"))
- return false;
-
- if (fullClassName.startsWith("org.apache.batik.")) {
- // Just get package within batik.
- String batikPkg = fullClassName.substring(17);
-
- // Don't let them mess with Batik script internals.
- if (batikPkg.startsWith("script"))
- return false;
-
- // Don't let them get global structures.
- if (batikPkg.startsWith("apps"))
- return false;
-
- // Don't let them get scripting stuff from bridge, but specifically
- // allow access to:
- //
- // o.a.b.bridge.ScriptingEnvironment$Window$IntervalScriptTimerTask
- // o.a.b.bridge.ScriptingEnvironment$Window$IntervalRunnableTimerTask
- // o.a.b.bridge.ScriptingEnvironment$Window$TimeoutScriptTimerTask
- // o.a.b.bridge.ScriptingEnvironment$Window$TimeoutRunnableTimerTask
- //
- // since objects of these classes are returned by setInterval() and
- // setTimeout().
- if (batikPkg.startsWith("bridge.")) {
- String batikBridgeClass = batikPkg.substring(7);
- if (batikBridgeClass.startsWith("ScriptingEnvironment")) {
- if (batikBridgeClass.startsWith("$Window$", 20)) {
- String c = batikBridgeClass.substring(28);
- if (c.equals("IntervalScriptTimerTask")
- || c.equals("IntervalRunnableTimerTask")
- || c.equals("TimeoutScriptTimerTask")
- || c.equals("TimeoutRunnableTimerTask")) {
- return true;
- }
- }
- return false;
- }
- if (batikBridgeClass.startsWith("BaseScriptingEnvironment")) {
- return false;
- }
+ for (String v : WHITELIST) {
+ if (fullClassName.matches(v)) {
+ return true;
}
}
-
- return true;
+ return false;
}
}
diff --git a/batik-test-old/src/test/java/org/apache/batik/script/rhino/RhinoClassShutterTest.java b/batik-test-old/src/test/java/org/apache/batik/script/rhino/RhinoClassShutterTest.java
index d8a9f68..ce5ed77 100644
--- a/batik-test-old/src/test/java/org/apache/batik/script/rhino/RhinoClassShutterTest.java
+++ b/batik-test-old/src/test/java/org/apache/batik/script/rhino/RhinoClassShutterTest.java
@@ -29,5 +29,6 @@
RhinoClassShutter.WHITELIST.add(runtimeClass);
Assert.assertTrue(new RhinoClassShutter().visibleToScripts(runtimeClass));
RhinoClassShutter.WHITELIST.remove(runtimeClass);
+ Assert.assertFalse(new RhinoClassShutter().visibleToScripts("org.x"));
}
}
