On Jan 9, 3:21 pm, Greg Lindholm <[email protected]> wrote: > (Using Rhino 1.7 R1) > > The javadoc on the Context.seal() method states that when context is > sealed calling enter() and exit() methods will throw an exception. > This does not appear to be correct, I've looked at the code and tested > and the enter() and exit() methods don't seem to check if the context > is sealed. > > So my question is; which is correct, the docs or the code? > > IMHO, I like the current behavior where you can seal the context and > enter() and exit() still work. > However, I don't want to rely on this behavior if it's wrong and going > to change to match the docs in a future release. > > And, of course if the docs are wrong they should be fixed.
I had to dig a little bit, but here's the bug describing the change: "Since changing Context parameters can significantly alter script execution, I suggest to add to Context a new API to seal Context instance so any future attempt to change its parameters would throw an exception. "It would not only prevent bugs in applications but also allow to prevent security breaches as currently Rhino has no protection against combined attack of untrusted Java and JavaScript code. For example, low-privileges jar executed as a part of untrusted script can call Context.exit/Context.enter to create Context without security controller and use to produce interpreted scripts having the same privileges as Rhino code." (See https://bugzilla.mozilla.org/show_bug.cgi?id=236117) Based on that intent, it seems like the ability to execute Context.enter/Context.exit is a bug. But I didn't create this feature and I'm not sure how (and if) it's really being used. How are you using Context.seal() such that it's good to seal a Context, but you still want to enter/exit it? And does anyone else on this list use Context.seal? Thanks, Norris _______________________________________________ dev-tech-js-engine-rhino mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-js-engine-rhino
