ilar errors. Looks like
the main script namespace isn't getting transferred to the "child" scripts.
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
>
ting a new engine for each element
callback:
Sendingcore\src\org\apache\pivot\beans\BXMLSerializer.java
Transmitting file data .done
Committing transaction...
Committed revision 1817960.
> Java 8 BXML scripting security issues in Apache Piv
before I went in and mucked around with it.
I'm thinking I may need to "roll back" some of my changes in the sense that I
need to carefully consider when new engines were created.
> Java 8 BXML scripting secu
Investigating that also....
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
> URL: https://issues.apache.org/jira/browse/PIVOT-965
> Project:
couldn't we add a warning (in console) when
registering a listener that's already registered (when adding from a JVM
scripting language) ?
Or maybe handle those cases by delegating to an optional function to call ...
What do you think ?
> Java 8 BXML scripting security issue
ell" or "wand" fields
Definitely a Nashorn issue – removing the second "stateChanged" callback fixes
the problem. So, somehow the two Javascript callbacks with the same name are
colliding with each other so that the second one gets invoked for either
checkbo
require Java
8). For now 2.0.x is usable under Java 7, so this doesn't have to be an issue
there.
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
>
saction...
Committed revision 1794769.
Looks like "branches/2.0.x" hasn't gotten earlier changes either, so I'm not
going to merge this right away until I get things straightened out.
> Java 8
even so.
Also, have no idea if this will ameliorate any of the security issues that are
the (actual) problems mentioned in this issue ....
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
>
a to "trunk" also:
Sending.
Sendingcore/src/org/apache/pivot/beans/BXMLSerializer.java
Transmitting file data .
Committed revision 1779224.
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
licated with the current state of the
code, so I'm working on a much simpler solution for Java 8, coming soon.
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
>
Serializer
public RhinoBXMLSerializer() {
super();
setDefaultLanguage("rhino");
}
}
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
> URL: https
and kept including signed Rhino script engine jars as part of
our Pivot webstart applications.
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
> URL: https:
run our JNLP file alright, although it doesn't have a great deal of
scripting in the BXML files, it does have some.
Anyway, I'm blocked right now from trying your test application because it is
self-signed Any thoughts on that?
Thanks,
~Roger
> Java 8 BXML scripting security
[
https://issues.apache.org/jira/browse/PIVOT-965?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Karel Hübl updated PIVOT-965:
-
Attachment: jnlpScripting.war
> Java 8 BXML scripting security issues in Apache Pivot R
ting/jnlpScripting.jnlp
javaws http://localhost:8080/jnlpScripting/pivotScripting.jnlp
Anyway thank you for the fix. I hope it will enable us to run our pivot apps on
JRE 1.8 with 1 more initial security dialog requesting confirmation of making
HTTP connection.
> Java 8 BXML scripting security is
le: Swizzy App
Implementation-Version: 2.0.0
Application-Name: Swizzy App
Created-By: XYZ Corporation
And, of course, signing ALL the .jar files with our real digital signature.
So, can you give us an update of how you're doing? Thanks!
> Java 8 BXML scripting security issue
ding.
Sendingcore\src\org\apache\pivot\beans\BXMLSerializer.java
Adding tests\src\org\apache\pivot\tests\issues\pivot965
Transmitting file data .
Committed revision 1728248.
> Java 8 BXML scripting security issues in Apache Piv
org\apache\pivot\tests\issues\pivot965\IncludedSection965.bxml
Adding
tests\src\org\apache\pivot\tests\issues\pivot965\Pivot965Main.java
Adding tests\src\org\apache\pivot\tests\issues\pivot965\Window965.bxml
Transmitting file data
Committed revision 1728247.
> Java 8 BXML scr
bust over
multiple includes, nested includes, or if "inline" is not set to true. This
will require further testing. For now, I will check in the code as mentioned
(which also contains some commented out debugging code as a reminder of how to
track these thing
x27;m working on trying to resolve the other "include" problem with mapping
functions -- pretty tricky code that I'm not quite understanding yet.
Thanks,
~Roger
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
ave changes in manifest part of build.xml and
build.properties.
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
> URL: https://issues.apache.org/jira/browse/PI
seeing those in my
application (we did see the mapping function problems, though).
I don't think I have a problem with adding the ability to change the scripting
engine, so I will integrate your patch. Do you have any other forked changes
we should consider?
> Java 8 BXML scriptin
[
https://issues.apache.org/jira/browse/PIVOT-965?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Karel Hübl updated PIVOT-965:
-
Attachment: BXMLSerializer.patch
> Java 8 BXML scripting security issues in Apache Pivot R
patch from our fork. May be in 2.0.5 it should be possible to
override default language on BXMLSerializer descendants. This can be done by
introducing defaultLanguage protected property (see the patch).
> Java 8 BXML scripting security issues in
tart & JNLP forum:
https://community.oracle.com/message/13395388
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
> URL: https://issues.apache.or
Arel
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
> URL: https://issues.apache.org/jira/browse/PIVOT-965
> Project: Pivot
>
x, I have merged it to branches/2.0.x:
Sending.
Sendingcore\src\org\apache\pivot\beans\BXMLSerializer.java
Transmitting file data .
Committed revision 1712190.
> Java 8 BXML scripting security issues in Apache Piv
175.
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
> URL: https://issues.apache.org/jira/browse/PIVOT-965
> Project: Pivot
> Is
But I'm pretty sure there are others
in the code that need similar treatment now. But at least we know how to do it.
Sendingcore\src\org\apache\pivot\beans\BXMLSerializer.java
Transmitting file data .
Committed revision 1712175.
> Java 8 BXML scripting security issues in Apach
you are really working on it.
Tell me if I can help. Thanks.
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
> URL: https://issues.apache.org/ji
[
https://issues.apache.org/jira/browse/PIVOT-965?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandro Martini updated PIVOT-965:
-
Assignee: Roger Whitcomb (was: Sandro Martini)
> Java 8 BXML scripting security issues in Apa
ou
still have the same issues? Especially with the "trunk" code I have added the
new security-related manifests to the Pivot .jar files (note: this has not been
migrated to 2.0.x yet) and this might help.
Thanks.
> Java 8 BXML scripting security
8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
> URL: https://issues.apache.org/jira/browse/PIVOT-965
> Project: Pivot
> Issue Type: Bug
&g
all-permissions
Codebase: *
Caller-Allowable-Codebase: *
Application-Library-Allowable-Codebase: *
Trusted-Library: true
Main-Class: org.kh.jnlpScripting.Main
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
>
ther attributes into your manifest
mentioned here:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html
Thanks.
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
>
s in manifest:
Permissions: all-permissions
Codebase: *
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
> URL: https://issues.apache.org/ji
Java security guidelines. There are some
Nashorn-related changes that are necessary, but they probably won't address
this issue.
Karel, are you using signed .jar files in your RIA?
> Java 8 BXML scripting security issues in Apach
es:
https://github.com/mozilla/rhino/releases
Let's update.
was (Author: smartini):
Check if this is related to Java 8 specific things found by Roger in PIVOT-949.
> Java 8 BXML scripting security issues in
ific things found by Roger in PIVOT-949.
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> --
>
> Key: PIVOT-965
> URL: https://issues.apache.org/jira/browse/PIVOT-965
>
a 8 - than this should be the way to go... If not, other appropriate
> solution should be selected.
The only workaround I have found, is to to include Rhino script engine as part
of application. But I believe better solution can be found...
> Java 8 BXML scripting s
ctly" fix this issue?
maybe we could try to configure the desired behavior when the default is not
good (as in this case) ...
I'll keep you updated. Bye
> Java 8 BXML scripting security issues in Apache Pivot RIAs
> -
[
https://issues.apache.org/jira/browse/PIVOT-965?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandro Martini updated PIVOT-965:
-
Labels: java8 jdk8 (was: )
> Java 8 BXML scripting security issues in Apache Pivot R
[
https://issues.apache.org/jira/browse/PIVOT-965?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandro Martini updated PIVOT-965:
-
Fix Version/s: 2.0.5
2.1
> Java 8 BXML scripting security issues in Apa
[
https://issues.apache.org/jira/browse/PIVOT-965?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandro Martini reassigned PIVOT-965:
Assignee: Sandro Martini
> Java 8 BXML scripting security issues in Apache Pivot R
Karel Hübl created PIVOT-965:
Summary: Java 8 BXML scripting security issues in Apache Pivot RIAs
Key: PIVOT-965
URL: https://issues.apache.org/jira/browse/PIVOT-965
Project: Pivot
Issue Type
Hi Karel,
Can you please create a JIRA issue that contains this information
and someone will look into it as soon as possible.
Thanks,
~Roger
On 2/9/15 9:19 AM, Karel Hübl wrote:
Hi all,
We encounter security issues in our pivot application after upgrading to JRE
1.8. The applicatio
Hi all,
We encounter security issues in our pivot application after upgrading to JRE
1.8. The application is deployed as RIA using Java Web Start.
I found out, that the problem is connected with nashorn script engine which
replaced rhino script engine from previous java version. BXMLSeriali
48 matches
Mail list logo
