Re: [Jython-dev] Keywords: embedding, securty

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Mon, 11 Dec 2000 10:34:30 +0000, you wrote:

>Hi,
>I have an application using JPython as its script interpreter. One of
>the
>end-users thinks he has found a security hole. If he puts
>python.security.respectJavaAccessibilty=false in the registry, the
>python
>script would be able to change private fields of the embedding classes.
>This surely cannot be true, can it?

Yes it is true and it is a feature.

If you want to disable the feature, you can explicit set the registry
entry during initialization in your application. Below I use the
Date.fastTime private field as an example:

import java.util.*;
import org.python.core.*;
import org.python.util.*;

public class si {
    public static void main(String[] args) {
        Properties props = new Properties();
        props.setProperty("python.security.respectJavaAccessibility",
                           "true");

        PySystemState.initialize(System.getProperties(), props, 
                                 new String[] {""});
        PythonInterpreter interp = new PythonInterpreter();

        interp.exec("import java");
        interp.exec("d = java.util.Date()");
        interp.exec("print d.fastTime");
    }
}

regards,
finn