On Wed, Apr 22, 2009 at 2:44 PM, Jukka Zitting <jukka.zitt...@gmail.com> wrote:
> Hi,
>
> On Wed, Apr 22, 2009 at 2:22 PM, Tobias Bocanegra <tri...@day.com> wrote:
>> System.exit() bears IMO no real risk, since it can be prevented by
>> java security.
>
> I'd like to see the relevant java security settings. With all the OSGi
> stuff, JCR bundle loading, and script compiling in place I think
> coming up with a correct security policy is a major undertaking.
>
> Do we want to go down that path, or use alternative means like the
> proposed script resolution restrictions?...

Those are different concerns:

1) Prevent users from uploading and executing arbitrary scripts
2) Prevent legitimate scripts from messing up with the system

So we probably need both approaches.

-Bertrand