8158467: AccessControlException is thrown on public Java class access if "script app loader" is set to null

Reviewed-by: mhaupt, hannesw
2026-05-05 11:15:13 +00:00 · 2016-06-02 14:56:20 +05:30 · 2016-06-02 14:56:20 +05:30 · 2c1f125385
commit 2c1f125385
parent 3c9941bd80
4 changed files with 117 additions and 1 deletions
--- a/nashorn/make/build.xml
+++ b/nashorn/make/build.xml
@ -492,6 +492,10 @@ grant codeBase "file:/${basedir}/test/script/markdown.js" {
    permission java.io.FilePermission "${basedir}/test/script/external/showdown/-", "read";
 };

+grant codeBase "file:/${basedir}/test/script/basic/JDK-8158467.js" {
+    permission java.lang.RuntimePermission "nashorn.setConfig";
+};
+
    </echo>

    <replace file="${build.dir}/nashorn.policy"><replacetoken>\</replacetoken><replacevalue>/</replacevalue></replace>    <!--hack for Windows - to make URLs with normal path separators -->
--- a/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/Context.java
+++ b/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/Context.java
@ -1166,7 +1166,17 @@ public final class Context {
        }

        // Try finding using the "app" loader.
-        return Class.forName(fullName, true, appLoader);
+        if (appLoader != null) {
+            return Class.forName(fullName, true, appLoader);
+        } else {
+            final Class<?> cl = Class.forName(fullName);
+            // return the Class only if it was loaded by boot loader
+            if (cl.getClassLoader() == null) {
+                return cl;
+            } else {
+                throw new ClassNotFoundException(fullName);
+            }
+        }
    }

    /**
--- a/nashorn/test/script/basic/JDK-8158467.js
+++ b/nashorn/test/script/basic/JDK-8158467.js
@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * JDK-8158467: AccessControlException is thrown on public Java class access if "script app loader" is set to null
+ *
+ * @option -scripting
+ * @test
+ * @run
+ */
+
+var Factory = Java.type("jdk.nashorn.api.scripting.NashornScriptEngineFactory");
+var fac = new Factory();
+
+// This script has to be given RuntimePermission("nashorn.setConfig")
+var e = fac["getScriptEngine(java.lang.ClassLoader)"](null);
+
+print(e.eval("java.lang.System"));
+print(e.eval("({ foo: 42})").foo);
+print((e.eval("function(x) x*x"))(31));
+
+e.put("output", print);
+var runnable = e.eval(<<EOF
+    new java.lang.Runnable() {
+        run: function() {
+            output("hello Runnable");
+        }
+    }
+EOF);
+
+runnable.run();
+
+var obj = e.eval(<<EOF
+new (Java.extend(Java.type("java.lang.Object"))) {
+    hashCode: function() 33,
+    toString: function() "I'm object"
+}
+EOF);
+
+print(obj.hashCode());
+print(obj.toString());
+
+// should throw SecurityException!
+try {
+    e.eval("Packages.jdk.internal");
+} catch (ex) {
+    print(ex);
+}
+
+// should throw SecurityException!
+try {
+    e.eval("Java.type('jdk.internal.misc.Unsafe')");
+} catch (ex) {
+    print(ex);
+}
+
+// should throw SecurityException!
+try {
+    e.eval("Java.type('jdk.nashorn.internal.Context')");
+} catch (ex) {
+    print(ex);
+}
+
+// should throw ClassNotFoundException as null is script
+// "app loader" [and not platform loader which loads nashorn]
+e.eval(<<EOF
+try {
+    Java.type('jdk.nashorn.api.scripting.JSObject');
+} catch (ex) {
+    output(ex);
+}
+EOF);
--- a/nashorn/test/script/basic/JDK-8158467.js.EXPECTED
+++ b/nashorn/test/script/basic/JDK-8158467.js.EXPECTED
@ -0,0 +1,10 @@
+[JavaClass java.lang.System]
+42
+961
+hello Runnable
+33
+I'm object
+java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.internal")
+java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.internal.misc")
+java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.nashorn.internal")
+java.lang.ClassNotFoundException: jdk.nashorn.api.scripting.JSObject