On 2008.12.11., at 15:31, [EMAIL PROTECTED] wrote:

> My instinct tells me that what I should do, then, is do
> initStandardObjects() and then iterate over all symbols in the scope,
> removing (using Scriptable.delete() if that guess isn't wrong) any
> that don't appear in, for example, the Standard Objects list
> (<https://developer.mozilla.org/en/Core_JavaScript_1.5_Reference#Standard_global_objects>)
> instead of
> specifically removing java, Packages, sun, and so forth, because I'm
> paranoid like that...
>
> Already a snafu with this approach. Scriptable.getIds() does not
> supply the names of properties that were not defined by the script.

More precisely, it doesn't list properties added with
ScriptableObject.DONTENUM flag, and these are apparently added as such.

> I suppose there's always ClassShutter, but I feel like I don't have a
> complete picture of what it does and doesn't do.

A quick scan of callers of ClassShutter.isVisibleToScripts() leads me
to believe it quite fully suppresses access to classes, as it is
consulted from:

- NativeJavaPackage.getPkgProperty(), so it prevents access through
  Packages.*, java.*, etc.
- JavaMembers constructor, which is in turn called from
  NativeJavaClass and NativeJavaObject initMembers(), so even objects
  somehow externally made available to JS script will be unusable, as
  they can't be wrapped into NativeJavaObject first
- finally, from ScriptRuntime.isVisible whose only user is
  newCatchScope, so it prevents exposition of disallowed Java exception
  classes in catch blocks (good thing to know this corner case is
  handled as well).

> If I defined
> visibleToScripts() to always return false, hopefully it would disable
> access to java.lang.System, but would it also disable anything that is
> required to run a trivial script?

A trivial script needn't rely on Java objects at all (or know its
runtime is based on JVM at all, for that matter), so I think it should
be okay. Depends on your definition of trivial, I guess...

> Would it or wouldn't it also disable
> other associated functionality (such as importPackage())?

It seems to me it would.

> Would it
> disable host objects explicitly placed via Scriptable.put()?

Those initialized via ScriptableObject.defineClass() would not be
blocked by a ClassShutter. So it appears to me. (I never used
ClassShutter myself, and all my answers are based on my reading of the
source code as I write this). Plain POJOs that don't adhere to
ScriptableObject.defineClass() contract would be blocked, as they need
to be wrapped into a NativeJavaObject, and that checks with the
ClassShutter.

Attila.

> I can and
> probably will figure out the answers to some or all of these via
> experimentation, but I would like to see them specified in the docs as
> a minimal acknowledgement that everyone is on the same page.
> Again, I beg the advice of someone who has.
>
> Thanks
>
> dro
_______________________________________________
dev-tech-js-engine-rhino mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-js-engine-rhino
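
The questions in the thread above can be checked empirically with a small harness. This is an added example, not code from the thread or from the Rhino project; the class name `DenyAllShutterDemo`, the helper `run` and the probe scripts are assumptions chosen for illustration, and the use of `ImporterTopLevel` (so that `importPackage` is defined) is a choice made here.

```java
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ImporterTopLevel;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;
import org.mozilla.javascript.ScriptableObject;

public class DenyAllShutterDemo {
    // Evaluate one probe script and report either its result or the Rhino error it raised.
    static String run(Context cx, Scriptable scope, String src) {
        try {
            Object result = cx.evaluateString(scope, src, "probe", 1, null);
            return "result: " + Context.toString(result);
        } catch (RhinoException e) {
            return "error:  " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Context cx = Context.enter();
        try {
            // Deny every Java class. A shutter can be set only once per Context,
            // so install it before any script runs.
            cx.setClassShutter(fullClassName -> false);

            // ImporterTopLevel initializes the standard objects and adds importPackage().
            ScriptableObject scope = new ImporterTopLevel(cx);

            // 1. A script that uses only ECMAScript built-ins.
            System.out.println(run(cx, scope, "[1, 2, 3].join('-')"));

            // 2. Direct class access through the java.* package tree.
            System.out.println(run(cx, scope, "java.lang.System.getProperty('user.home')"));

            // 3. Class access through importPackage().
            System.out.println(run(cx, scope, "importPackage(java.io); new File('.').exists()"));

            // 4. A plain Java object handed to the script by the embedding application.
            //    Wrapping goes through NativeJavaObject, which consults the shutter.
            try {
                Object wrapped = Context.javaToJS(new java.io.File("."), scope);
                ScriptableObject.putProperty(scope, "hostFile", wrapped);
                System.out.println(run(cx, scope, "hostFile.getName()"));
            } catch (RhinoException e) {
                System.out.println("error:  wrapping failed: " + e.getMessage());
            }
        } finally {
            Context.exit();
        }
    }
}
```

Run it against the Rhino version you actually embed, since the answers in the thread come from reading one version of the source rather than from documented behaviour.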