Hi again, I updated the PR - just check it out, open the NashornResourceReferenceTest.js and add:
while(true){} For me the unit test stops running after 5 seconds. I also added the class filter to reject all if no own filter is defined by overriding the corresponding method. kind regards Tobias > Am 07.01.2016 um 11:49 schrieb Emond Papegaaij <emond.papega...@topicus.nl>: > > Hi Tobias, > > Future.cancel will attempt to interrupt the thread, but this will not stop a > thread executing > 'while(true);'. It will stop a thread executing 'while(!isInterrupted());'. > There is no way to > safely stop a thread in Java (other than stopping the entire VM). > > Best regards, > Emond > >> On Thursday, January 07, 2016 11:12:31 AM Tobias Soloschenko wrote: >> Hi, >> >> I use ScheduledExecutorService and cancel - I am going to submit and show >> you the changes this evening. >> >> kind regards >> >> Tobias >> >>> Am 07.01.2016 um 10:50 schrieb Emond Papegaaij >>> <emond.papega...@topicus.nl>: >>> >>> Hi Tobias, >>> >>> How do you terminate a thread? The only way to terminate a Thread from >>> outside is Thread.stop, which is very dangerous. Thread.interrupt will >>> only stop de thread if that thread supports interrupting. A simple >>> 'while(true);' will not terminate. Even if you manage to terminate a >>> script in a few seconds, this will not help against a script like: >>> >>> var i = 0, o = {}; >>> while(true) { >>> >>> o[i++] = new Array(1000000); >>> >>> } >>> >>> Don't understand me wrong, a resource like this can be useful in some >>> situations, but you realy have to make sure it is not exposed to the >>> user, or you will have to deal with rogue scripts. >>> >>> Best regards, >>> Emond >>> >>>> On Thursday, January 07, 2016 10:25:30 AM Tobias Soloschenko wrote: >>>> Hi Emond, >>>> >>>> I already implemented a thread pool which terminates long running >>>> scripts. I am going to submit it this evening. >>>> >>>> Good hint with the class filter - I am going to have a look at it. >>>> Thanks! >>>> >>>> kind regards >>>> >>>> Tobias >>>> >>>>> Am 07.01.2016 um 08:24 schrieb Emond Papegaaij >>>>> <emond.papega...@topicus.nl>: >>>>> >>>>> Hi Tobias, >>>>> >>>>> This is a very nice feature indeed, but be very carefull when exposing >>>>> server-side code to a client. What would happen if some user would post >>>>> 'Java.type("java.lang.System").exit(0)'? A service like this must always >>>>> be protected via some sort of whitelist filter. The Java Scripting API >>>>> has support for ClassFilter, which can be used for this.