Hi again,
I updated the PR - just check it out, open the NashornResourceReferenceTest.js
and add:
while(true){}
For me the unit test stops running after 5 seconds.
I also added the class filter to reject all if no own filter is defined by
overriding the corresponding method.
kind regards
Tobias
> Am 07.01.2016 um 11:49 schrieb Emond Papegaaij <[email protected]>:
>
> Hi Tobias,
>
> Future.cancel will attempt to interrupt the thread, but this will not stop a
> thread executing
> 'while(true);'. It will stop a thread executing 'while(!isInterrupted());'.
> There is no way to
> safely stop a thread in Java (other than stopping the entire VM).
>
> Best regards,
> Emond
>
>> On Thursday, January 07, 2016 11:12:31 AM Tobias Soloschenko wrote:
>> Hi,
>>
>> I use ScheduledExecutorService and cancel - I am going to submit and show
>> you the changes this evening.
>>
>> kind regards
>>
>> Tobias
>>
>>> Am 07.01.2016 um 10:50 schrieb Emond Papegaaij
>>> <[email protected]>:
>>>
>>> Hi Tobias,
>>>
>>> How do you terminate a thread? The only way to terminate a Thread from
>>> outside is Thread.stop, which is very dangerous. Thread.interrupt will
>>> only stop de thread if that thread supports interrupting. A simple
>>> 'while(true);' will not terminate. Even if you manage to terminate a
>>> script in a few seconds, this will not help against a script like:
>>>
>>> var i = 0, o = {};
>>> while(true) {
>>>
>>> o[i++] = new Array(1000000);
>>>
>>> }
>>>
>>> Don't understand me wrong, a resource like this can be useful in some
>>> situations, but you realy have to make sure it is not exposed to the
>>> user, or you will have to deal with rogue scripts.
>>>
>>> Best regards,
>>> Emond
>>>
>>>> On Thursday, January 07, 2016 10:25:30 AM Tobias Soloschenko wrote:
>>>> Hi Emond,
>>>>
>>>> I already implemented a thread pool which terminates long running
>>>> scripts. I am going to submit it this evening.
>>>>
>>>> Good hint with the class filter - I am going to have a look at it.
>>>> Thanks!
>>>>
>>>> kind regards
>>>>
>>>> Tobias
>>>>
>>>>> Am 07.01.2016 um 08:24 schrieb Emond Papegaaij
>>>>> <[email protected]>:
>>>>>
>>>>> Hi Tobias,
>>>>>
>>>>> This is a very nice feature indeed, but be very carefull when exposing
>>>>> server-side code to a client. What would happen if some user would post
>>>>> 'Java.type("java.lang.System").exit(0)'? A service like this must always
>>>>> be protected via some sort of whitelist filter. The Java Scripting API
>>>>> has support for ClassFilter, which can be used for this.
