42 lines
1.8 KiB
Diff
42 lines
1.8 KiB
Diff
From: Markus Koschany <apo@debian.org>
|
|
Date: Sat, 29 Oct 2022 08:13:38 +0200
|
|
Subject: CVE-2022-42890
|
|
|
|
Origin: http://svn.apache.org/viewvc?view=revision&revision=1904549
|
|
---
|
|
.../main/java/org/apache/batik/script/rhino/RhinoClassShutter.java | 7 +++++++
|
|
1 file changed, 7 insertions(+)
|
|
|
|
diff --git a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
|
|
index 3f95e5d..733061a 100644
|
|
--- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
|
|
+++ b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
|
|
@@ -19,6 +19,8 @@
|
|
package org.apache.batik.script.rhino;
|
|
|
|
import org.mozilla.javascript.ClassShutter;
|
|
+import java.util.Arrays;
|
|
+import java.util.List;
|
|
|
|
/**
|
|
* Class shutter that restricts access to Batik internals from script.
|
|
@@ -27,6 +29,7 @@ import org.mozilla.javascript.ClassShutter;
|
|
* @version $Id: RhinoClassShutter.java 1733416 2016-03-03 07:07:13Z gadams $
|
|
*/
|
|
public class RhinoClassShutter implements ClassShutter {
|
|
+ private static final List<String> WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
|
|
|
|
/*
|
|
public RhinoClassShutter() {
|
|
@@ -55,6 +58,10 @@ public class RhinoClassShutter implements ClassShutter {
|
|
* Returns whether the given class is visible to scripts.
|
|
*/
|
|
public boolean visibleToScripts(String fullClassName) {
|
|
+ if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) {
|
|
+ return false;
|
|
+ }
|
|
+
|
|
// Don't let them mess with script engine's internals.
|
|
if (fullClassName.startsWith("org.mozilla.javascript"))
|
|
return false;
|