8008305: ScriptEngine.eval should offer the ability to provide a codebase
Reviewed-by: lagergren, hannesw, attila
--- a/nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngine.java Fri Feb 15 20:40:05 2013 +0530
+++ b/nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngine.java Mon Feb 18 14:41:58 2013 +0530
@@ -119,7 +119,12 @@
@Override
public Object eval(final Reader reader, final ScriptContext ctxt) throws ScriptException {
try {
- return evalImpl(Source.readFully(reader), ctxt);
+ if (reader instanceof URLReader) {
+ final URL url = ((URLReader)reader).getURL();
+ return evalImpl(compileImpl(new Source(url.toString(), url), ctxt), ctxt);
+ } else {
+ return evalImpl(Source.readFully(reader), ctxt);
+ }
} catch (final IOException e) {
throw new ScriptException(e);
}
@@ -442,14 +447,16 @@
}
private ScriptFunction compileImpl(final char[] buf, final ScriptContext ctxt) throws ScriptException {
+ final Object val = ctxt.getAttribute(ScriptEngine.FILENAME);
+ final String fileName = (val != null) ? val.toString() : "<eval>";
+ return compileImpl(new Source(fileName, buf), ctxt);
+ }
+
+ private ScriptFunction compileImpl(final Source source, final ScriptContext ctxt) throws ScriptException {
final ScriptObject oldGlobal = getNashornGlobal();
final ScriptObject ctxtGlobal = getNashornGlobalFrom(ctxt);
final boolean globalChanged = (oldGlobal != ctxtGlobal);
try {
- final Object val = ctxt.getAttribute(ScriptEngine.FILENAME);
- final String fileName = (val != null) ? val.toString() : "<eval>";
-
- final Source source = new Source(fileName, buf);
if (globalChanged) {
setNashornGlobal(ctxtGlobal);
}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/nashorn/src/jdk/nashorn/api/scripting/URLReader.java Mon Feb 18 14:41:58 2013 +0530
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.nashorn.api.scripting;
+
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.net.URL;
+
+/**
+ * A Reader that reads from a URL. Used to make sure that the reader
+ * reads content from given URL and can be trusted to do so.
+ */
+public final class URLReader extends Reader {
+ // underlying URL
+ private URL url;
+ // lazily initialized underlying reader for URL
+ private Reader reader;
+
+ public URLReader(final URL url) {
+ this.url = url;
+ }
+
+ @Override
+ public int read(char cbuf[], int off, int len) throws IOException {
+ return getReader().read(cbuf, off, len);
+ }
+
+ @Override
+ public void close() throws IOException {
+ getReader().close();
+ }
+
+ /**
+ * URL of this reader
+ * @return the URL from which this reader reads.
+ */
+ public URL getURL() {
+ return url;
+ }
+
+ // lazily initialize char array reader using URL content
+ private Reader getReader() throws IOException {
+ synchronized (lock) {
+ if (reader == null) {
+ reader = new InputStreamReader(url.openStream());
+ }
+ }
+
+ return reader;
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/nashorn/test/script/trusted/JDK-8008305.js Mon Feb 18 14:41:58 2013 +0530
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * JDK-8008305: ScriptEngine.eval should offer the ability to provide a codebase *
+ * @test
+ * @run
+ */
+
+var URLReader = Java.type("jdk.nashorn.api.scripting.URLReader");
+var File = Java.type("java.io.File");
+var FileReader = Java.type("java.io.FileReader");
+var ScriptEngineManager = Java.type("javax.script.ScriptEngineManager");
+var SecurityException = Java.type("java.lang.SecurityException");
+
+var m = new ScriptEngineManager();
+var e = m.getEngineByName("nashorn");
+
+
+// subtest script file
+var scriptFile = new File(__DIR__ + "JDK-8008305_subtest.js");
+
+// evaluate the subtest via a URLReader
+var res = e.eval(new URLReader(scriptFile.toURI().toURL()));
+
+// subtest should execute with AllPermission and so return absolute path
+if (! res.equals(new File(".").getAbsolutePath())) {
+ fail("eval result is not equal to expected value");
+}
+
+// try same subtest without URLReader and so it runs with null code source
+try {
+ e.eval(new FileReader(scriptFile));
+ fail("Expected SecurityException from script!");
+} catch (e) {
+ if (! (e instanceof SecurityException)) {
+ faile("Expected SecurityException, but got " + e);
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/nashorn/test/script/trusted/JDK-8008305_subtest.js Mon Feb 18 14:41:58 2013 +0530
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+
+/**
+ * JDK-8008305: ScriptEngine.eval should offer the ability to provide a codebase *
+ * @subtest
+ */
+
+// If this test runs with sandbox permissions, the following should
+// result in SecurityException or else it should succeed.
+
+new java.io.File(".").getAbsolutePath();
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/nashorn/test/script/trusted/urlreader.js Mon Feb 18 14:41:58 2013 +0530
@@ -0,0 +1,27 @@
+/**
+ * JDK-8008305: ScriptEngine.eval should offer the ability to provide a codebase
+ *
+ * @test
+ * @run
+ */
+
+var URLReader = Java.type("jdk.nashorn.api.scripting.URLReader");
+var URL = Java.type("java.net.URL");
+var File = Java.type("java.io.File");
+var JString = Java.type("java.lang.String");
+var Source = Java.type("jdk.nashorn.internal.runtime.Source");
+
+var url = new File(__FILE__).toURI().toURL();
+var reader = new URLReader(url);
+
+// check URLReader.getURL() method
+//Assert.assertEquals(url, reader.getURL());
+
+// check URL read
+// read URL content by directly reading from URL
+var str = new Source(url.toString(), url).getString();
+// read URL content via URLReader
+var content = new JString(Source.readFully(reader));
+
+// assert that the content is same
+Assert.assertEquals(str, content);