On Mon, 11 Dec 2000 10:34:30 +0000, you wrote:
>Hi,
>I have an application using JPython as its script interpreter. One of the
>end-users thinks he has found a security hole. If he puts
>python.security.respectJavaAccessibility=false in the registry, the python
>script would be able to change private fields of the embedding classes.
>This surely cannot be true, can it?

Yes it is true and it is a feature.

If you want to disable the feature, you can explicitly set the registry
entry during initialization in your application. Below I use the
Date.fastTime private field as an example:

    import java.util.*;
    import org.python.core.*;
    import org.python.util.*;

    public class si {
        public static void main(String[] args) {
            // Passed as the post-properties argument, so this value
            // overrides whatever the registry file contains.
            Properties props = new Properties();
            props.setProperty("python.security.respectJavaAccessibility",
                              "true");
            PySystemState.initialize(System.getProperties(), props,
                                     new String[] {""});

            PythonInterpreter interp = new PythonInterpreter();
            interp.exec("import java");
            interp.exec("d = java.util.Date()");
            // fastTime is private; with accessibility respected the
            // script cannot see it and this access fails.
            interp.exec("print d.fastTime");
        }
    }

regards,
finn
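
Added example, not part of the original message or of JPython itself: a small audit that parses registry text (Java properties syntax) and reports whether python.security.respectJavaAccessibility ends up false, with and without the application override shown in the reply. The function names, the sample registry contents, and the "later source wins" load order are assumptions made for illustration.

```python
KEY = "python.security.respectJavaAccessibility"

def parse_properties(text):
    """Parse a subset of java.util.Properties syntax: '#'/'!' comments,
    '=', ':' or blank separators, backslash line continuation."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        # An odd number of trailing backslashes continues the logical line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            logical += line[:-1]
            continue
        logical += line
        cut = next((i for i, ch in enumerate(logical) if ch in "=: \t"),
                   len(logical))
        key, rest = logical[:cut], logical[cut:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")   # drop exactly one separator
        props[key] = rest
        logical = ""
    return props

def audit(sources, app_override=None):
    """sources: (name, text) pairs in load order, later wins (assumption).
    app_override: value the embedding application sets at initialization."""
    value, origin, offenders = None, "default", []
    for name, text in sources:
        found = parse_properties(text).get(KEY)
        if found is not None:
            value, origin = found.strip().lower(), name
            if value == "false":            # the literal from the thread
                offenders.append(name)
    if app_override is not None:
        value, origin = app_override.strip().lower(), "application override"
    return {"exposed": value == "false",
            "decided_by": origin,
            "sources_setting_false": offenders}

# Constructed sample registry contents.
SAMPLE_INSTALL = "# installation registry\npython.path = /opt/app/scripts\n"
SAMPLE_USER = ("! user-edited registry\n"
               "python.security.respectJavaAccessibility = false\n")

if __name__ == "__main__":
    srcs = [("install", SAMPLE_INSTALL), ("user", SAMPLE_USER)]
    print(audit(srcs))                       # registry alone decides
    print(audit(srcs, app_override="true"))  # application pins the value
```
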