Make sure that returned Closure objects are invoked in the AccessController context

This commit is contained in:
Reinhard Pointner 2017-01-16 15:11:34 +08:00
parent 7955d1bf6e
commit 2ba160c00d
1 changed files with 13 additions and 2 deletions

View File

@ -15,6 +15,7 @@ import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;
import java.util.concurrent.Callable;
import java.util.logging.LoggingPermission;
import javax.script.CompiledScript;
@ -76,13 +77,23 @@ public class SecureCompiledScript extends CompiledScript {
}
@Override
public Object eval(final ScriptContext context) throws ScriptException {
public Object eval(ScriptContext context) throws ScriptException {
try {
return AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
@Override
public Object run() throws ScriptException {
return compiledScript.eval(context);
Object value = compiledScript.eval(context);
if (value instanceof Callable<?>) {
try {
return ((Callable<?>) value).call();
} catch (Exception e) {
throw new ScriptException(e);
}
}
return value;
}
}, sandbox);
} catch (PrivilegedActionException e) {