Closed
Bug 200573
Opened 21 years ago
Closed 21 years ago
Faulty embedding could lead to Code execution or suspicious application behavior
Categories
(Rhino Graveyard :: Core, defect)
Rhino Graveyard
Core
Tracking
(Not tracked)
VERIFIED
INVALID
1.5R5
People
(Reporter: mcbridematt, Assigned: norrisboyd)
Details
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: All releases with LiveConnect

As the leader of the Jazilla project, it has come to my attention that in the future, someone might slip some JS code in which executes applications via LiveConnect. I have not been able to verify this, but LiveConnect is proposed to be allowed within my application.

Reproducible: Couldn't Reproduce

Steps to Reproduce:
Insert JavaScript code executing applications via LiveConnect

Expected Results:
Haven't tried, but Rhino should deny it

This problem is trivial, but could happen in open source projects or ones that load external JS files and have LiveConnect enabled.
Comment 1•21 years ago
cc'ing Igor -
Comment 2•21 years ago
To disable LiveConnect, use org.mozilla.javascript.ClassShutter, http://lxr.mozilla.org/mozilla/source/js/rhino/src/org/mozilla/javascript/ClassShutter.java , that prevents any class from being loaded, and set it on any Context object you use:

    static public final ClassShutter disableLiveConnect = new ClassShutter() {
        public boolean visibleToScripts(String fullClassName) {
            return false;
        }
    };
    ...
    Context cx = Context.enter();
    cx.setClassShutter(disableLiveConnect);
    ...

You can even disable it from JavaScript itself:

    var cx = Packages.org.mozilla.javascript.Context.getCurrentContext();
    var disableLC = { visibleToScripts: function(className) { return false; } };
    cx.setClassShutter(new Packages.org.mozilla.javascript.ClassShutter(disableLC));

Then anything like new java.lang.Integer(0) should give an exception.

Moreover, you should restrict scripts by enabling SecurityManager and probably implement org.mozilla.javascript.SecurityController to provide different privileges to different scripts.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
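An allow-list variant of the ClassShutter approach from Comment 2, added here as an example; it is not part of the bug report or Rhino's own code, and it generalizes the deny-all shutter to one that exposes a chosen set of classes. The class name ShutterDemo, the ALLOWED set and the sample scripts are assumptions; it needs Rhino on the classpath and Java 9 or later for Set.of.

```java
import java.util.Set;
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

public class ShutterDemo {
    // Assumed allow-list: the only Java classes scripts may resolve by name.
    static final Set<String> ALLOWED = Set.of("java.lang.Math");

    static final ClassShutter ALLOW_LIST = new ClassShutter() {
        public boolean visibleToScripts(String fullClassName) {
            return ALLOWED.contains(fullClassName);
        }
    };

    // Runs one script in a fresh Context and reports whether it completed.
    static String run(String source) {
        Context cx = Context.enter();
        try {
            // Install the shutter before any script runs. Rhino accepts a
            // shutter only once per Context, so a script cannot replace it later.
            cx.setClassShutter(ALLOW_LIST);
            Scriptable scope = cx.initStandardObjects();
            Object result = cx.evaluateString(scope, source, "untrusted.js", 1, null);
            return "completed: " + Context.toString(result);
        } catch (RhinoException e) {
            // Script errors, including use of a class the shutter hides.
            return "failed: " + e.getMessage();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Constructed sample scripts; the last two expressions appear in Comment 2.
        String[] scripts = {
            "java.lang.Math.sqrt(16)",
            "new java.lang.Integer(0)",
            "Packages.org.mozilla.javascript.Context.getCurrentContext()"
        };
        for (String s : scripts) {
            System.out.println(s + " -> " + run(s));
        }
    }
}
```

Setting the shutter from the host, before any script is evaluated, also covers the JavaScript-side variant in Comment 2: a script that cannot resolve org.mozilla.javascript.Context cannot reach the current Context at all.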