Hi Brian,
It really is forbidden to instantiate classes in Velocity. This is a
bug/security hole. Starting with XWiki 1.0 Beta 5 we're preventing it
from happening by using a Secure Uberspector in Velocity's
configuration (this is now the default in Velocity BTW since Velocity
1.5). Of course you're free to change that config for your own wiki.
The recommended approach is to create Java methods for all APIs that
you need and then put these objects in the Velocity context so that
they can be called from Velocity code.
Thanks
-Vincent
On Mar 6, 2007, at 6:57 PM, THOMAS, BRIAN M ((ATTSI)) wrote:
In several instances to date I have found that I can instantiate an
arbitrary Java class from a page (with programming rights) if it has a
default (i.e. no-parameters) constructor, since
java.lang.Class.newInstance() does the trick (where the Class object is
obtained by a reference to $xwiki.class).

However, to use a non-default constructor, one must use
java.lang.reflect.Constructor.newInstance(Object...). Every attempt to
do this has failed silently. Indeed, even calling
Class.getDeclaredConstructor(Class...) fails; the only way I've managed
to get a Constructor object is by looping through the results of
Class.getDeclaredConstructors() and picking the one that suits my needs.

No errors in logfiles, and so far I haven't even caught it in the act
while debugging it under Eclipse.

Two possibilities present themselves, though so far my investigation has
not yielded any result in either direction:

One is that I'm not passing the arguments correctly - in both cases, the
argument list is specified in the javadocs as "<typename>..." but in the
source, while the formal parameter is an array, other code actually
invokes it as a list, as in the case of a C varargs list. Regardless, I
can't invoke it successfully either with an array or with a list.

The other is Java permissions. Since the Constructor class is in the
java.lang.reflection package, and reflection is (I believe) a
potentially restricted operation, it may require changing the
java.security.Permission configuration. It looks like, for Tomcat,
that's accomplished by editing the catalina.policy file.

Anyone else have experience in this area? I know I can always create a
plugin to handle the necessary object creation, and I may eventually do
so anyway because granting the necessary permission to XWiki's libraries
may open it too widely, but for the moment, I'd rather not have to...
brain[sic]
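
The approach recommended in the reply above, shown as an added example that is not part of the original thread or of XWiki's code: a small API object wraps the one non-default constructor call a template needs, and the engine is explicitly configured with Velocity's SecureUberspector. The class name `DateApi`, the context key `dates` and the sample templates are hypothetical; the Velocity jar is assumed to be on the classpath.

```java
import java.io.StringWriter;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class ContextApiExample {

    /** Hypothetical API object: the only object-creation path offered to templates. */
    public static class DateApi {
        public Date parse(String isoDay) throws ParseException {
            // The non-default constructor is called here, in reviewed Java code,
            // instead of through reflection from the page.
            SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd");
            fmt.setLenient(false); // reject out-of-range values such as 2007-13-40
            return fmt.parse(isoDay);
        }
    }

    static String render(VelocityEngine engine, VelocityContext ctx, String template)
            throws Exception {
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "example", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        // Set the secure uberspector explicitly rather than relying on a default.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        engine.init();

        VelocityContext ctx = new VelocityContext();
        ctx.put("dates", new DateApi());

        // Allowed: an ordinary method call on an object placed in the context.
        System.out.println(render(engine, ctx, "$dates.parse('2007-03-06').time"));

        // Refused: SecureUberspector does not resolve method calls on
        // java.lang.Class, so this reference is left unrendered in the output.
        System.out.println(render(engine, ctx, "$dates.class.newInstance()"));
    }
}
```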