Instantiating arbitrary Java classes in XWiki pages
In several instances to date I have found that I can instantiate an arbitrary Java class from a page (with programming rights) if it has a default (i.e. no-parameters) constructor, since java.lang.Class.newInstance() does the trick (where the Class object is obtained by a reference to $xwiki.class).

However, to use a non-default constructor, one must use java.lang.reflect.Constructor.newInstance(Object...). Every attempt to do this has failed silently. Indeed, even calling Class.getDeclaredConstructor(Class...) fails; the only way I've managed to get a Constructor object is by looping through the results of Class.getDeclaredConstructors() and picking the one that suits my needs. No errors in logfiles, and so far I haven't even caught it in the act while debugging it under Eclipse.

Two possibilities present themselves, though so far my investigation has not yielded any result in either direction:

One is that I'm not passing the arguments correctly - in both cases, the argument list is specified in the javadocs as "<typename>..." but in the source, while the formal parameter is an array, other code actually invokes it as a list, as in the case of a C varargs list. Regardless, I can't invoke it successfully either with an array or with a list.

The other is Java permissions. Since the Constructor class is in the java.lang.reflection package, and reflection is (I believe) a potentially restricted operation, it may require changing the java.security.Permission configuration. It looks like, for Tomcat, that's accomplished by editing the catalina.policy file.

Anyone else have experience in this area? I know I can always create a plugin to handle the necessary object creation, and I may eventually do so anyway because granting the necessary permission to XWiki's libraries may open it too widely, but for the moment, I'd rather not have to...

brain[sic]
Hi Brian,

It really is forbidden to instantiate classes in Velocity. This is a big security hole. Starting with XWiki 1.0 Beta 5 we're preventing it from happening by using a Secure Uberspector in Velocity's configuration (this is now the default in Velocity BTW since Velocity 1.5). Of course you're free to change that config for your own wiki.

The recommended approach is to create Java methods for all APIs that you need and then put these objects in the Velocity context so that they can be called from velocity code.

Thanks
-Vincent

On Mar 6, 2007, at 6:57 PM, THOMAS, BRIAN M ((ATTSI)) wrote:
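The two points in Vincent's reply, the SecureUberspector setting and the "put a narrow API object in the context" pattern, side by side in one runnable program. This is an added example, not code from the thread or from XWiki; it assumes a plain Velocity 1.5+ engine (tested against the 1.7 API) outside XWiki, and the Tool class, the $tool context key and the property values are illustrative choices, not XWiki's own configuration. The template does what Brian describes (walk from a context object to its Class and call newInstance()), once against an engine with the default uberspector and once against one configured with SecureUberspector.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class SecureUberspectorDemo {

    // Constructed template standing in for a wiki page: from any object in the
    // context it walks to the java.lang.Class and calls newInstance() on it,
    // and uses the static Class.forName to reach a class the page never put
    // in the context. The last line is the only call the page should need.
    static final String TEMPLATE =
          "name=$tool.class.name\n"
        + "copy=$tool.class.newInstance()\n"
        + "forName=$tool.class.forName('java.lang.Runtime')\n"
        + "safe=$tool.greet('world')\n";

    // Hypothetical narrow API object: the recommended pattern is to expose only
    // the methods a page needs, as public methods on an object placed in the
    // context, instead of letting pages instantiate classes themselves.
    public static class Tool {
        public String greet(String who) {
            return "hello " + who;
        }
    }

    // Build an engine either with Velocity's default uberspector (the pre-1.5
    // behaviour that allowed Brian's trick) or with SecureUberspector.
    static VelocityEngine engine(boolean secure) {
        VelocityEngine ve = new VelocityEngine();
        if (secure) {
            ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
            // SecureUberspector refuses method calls on objects whose class is
            // in these lists (or lives in these packages). Velocity ships
            // similar defaults; they are spelled out here so the restriction
            // is visible. java.lang.Class being listed is what stops
            // $x.class.newInstance() and $x.class.forName(...).
            ve.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_PACKAGES,
                "java.lang.reflect");
            ve.setProperty(RuntimeConstants.INTROSPECTOR_RESTRICT_CLASSES,
                "java.lang.Class,java.lang.ClassLoader,java.lang.Runtime,"
              + "java.lang.System,java.lang.Thread");
        }
        ve.init();
        return ve;
    }

    // Render the template with a single Tool in the context and return the output.
    static String render(VelocityEngine engine, String template) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("tool", new Tool());
        StringWriter out = new StringWriter();
        try {
            engine.evaluate(ctx, out, "demo", template);
        } catch (Exception e) {
            throw new RuntimeException("template evaluation failed", e);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println("--- default uberspector ---");
        System.out.println(render(engine(false), TEMPLATE));
        System.out.println("--- SecureUberspector ---");
        System.out.println(render(engine(true), TEMPLATE));
    }
}
```

With the default uberspector the first run prints a freshly created Tool for the `copy=` line and `class java.lang.Runtime` for the `forName=` line, which is exactly the capability the thread is about. With SecureUberspector the calls on the java.lang.Class object are refused, so those references are left unresolved in the output (Velocity logs the refusal as a warning), while `$tool.greet('world')` keeps working because Tool is not on the restricted list. Note that SecureUberspector only governs what templates may call through Velocity's introspection; it is not a Java security manager policy, so editing catalina.policy is a separate (and much coarser) control.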
It really is forbidden to instantiate classes in Velocity. This is a big security hole.

By this I presume that you mean that I shouldn't even have been able to use java.lang.Class.newInstance(); is this correct?

brain[sic]
On Mar 6, 2007, at 10:40 PM, THOMAS, BRIAN M ((ATTSI)) wrote:
It really is forbidden to instantiate classes in Velocity. This is a big security hole.
By this I presume that you mean that I shouldn't even have been able to use java.lang.Class.newInstance(); is this correct?
yep :) -Vincent
On 3/6/07, THOMAS, BRIAN M (ATTSI) <[email protected]> wrote:
It really is forbidden to instantiate classes in Velocity. This is a big security hole.
By this I presume that you mean that I shouldn't even have been able to use java.lang.Class.newInstance(); is this correct?
Not since yesterday (1.0 beta5 release). Up to beta4, yes, you could have done it. brain[sic]
participants (3)
- Sergiu Dumitriu
- THOMAS, BRIAN M (ATTSI)
- Vincent Massol