From: Markus Koschany <apo@debian.org>
Date: Sat, 29 Oct 2022 08:13:38 +0200
Subject: CVE-2022-42890

Origin: http://svn.apache.org/viewvc?view=revision&revision=1904549
---
 .../main/java/org/apache/batik/script/rhino/RhinoClassShutter.java | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
index 3f95e5d..733061a 100644
--- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
+++ b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
@@ -19,6 +19,8 @@
 package org.apache.batik.script.rhino;
 
 import org.mozilla.javascript.ClassShutter;
+import java.util.Arrays;
+import java.util.List;
 
 /**
  * Class shutter that restricts access to Batik internals from script.
@@ -27,6 +29,7 @@ import org.mozilla.javascript.ClassShutter;
  * @version $Id: RhinoClassShutter.java 1733416 2016-03-03 07:07:13Z gadams $
  */
 public class RhinoClassShutter implements ClassShutter {
+    private static final List<String> WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
 
     /*
     public RhinoClassShutter() {
@@ -55,6 +58,10 @@ public class RhinoClassShutter implements ClassShutter {
      * Returns whether the given class is visible to scripts.
      */
     public boolean visibleToScripts(String fullClassName) {
+        if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) {
+            return false;
+        }
+
         // Don't let them mess with script engine's internals.
         if (fullClassName.startsWith("org.mozilla.javascript"))
             return false;