Enterprise 3.x
  1. Enterprise 3.x
  2. ETHREEOH-2760

Request for the XML object to be removed from the this.secureScope

    Details

    • Type: Bug Bug
    • Status: Closed Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 3.1
    • Fix Version/s: 3.2
    • Component/s: None
    • Security Level: external (External user)
    • Labels:
      None

      Description

      As per ACT 10732:

      org.alfresco.repo.jscript.executeScriptImpl takes a parameter secure that defines whether the nonSecureScope or the secureScope is used.

      Basically this decides what shared scope it uses. If it's a repository script it uses this.secureScope if not this.nonSecureScope, our problem with it is that the root object XML is in the this.secureScope object so if you make a change to that object i.e.

      XML.ignoreWhitespace = false;

      It changes the XML object value for all repository scripts and more importantly executing repository scripts. As you can imagine this causes untold havok though out the system as repository scripts who have set the XML object to one value find later that value has been changed

      We need the XML object to be removed from the this.secureScope if possible or a better solution that can fix this problem!

      Reproduced in-house as per steps below.

      So to reproduce:

      Write ascripts they need to be in the same script location i.e. data dictionary/scripts (so they use the same scope see org.alfresco.service.cmr.repository.ScriptLocation.isSecure( )) - Use scripts attached
      Have one script set 'XML.ignoreWhitespace = false;' and the other set 'XML.ignoreWhitespace = true;'.
      Execute the first and break in the debugger.
      Step over the line and then check the XML ignoreWhitespace value it should be 'false'.
      Leave the debugger paused and execute the second script.
      Once it has finished recheck the value in the debugger and it will be 'true'.
      1. script1.js
        0.0 kB
        Ricardo Vellozo
      2. script2.js
        0.6 kB
        Ricardo Vellozo

        Issue Links

          Activity

          Hide
          dward added a comment -
          I suggest that in org.alfresco.repo.jscript.RhinoScriptProcessor.afterPropertiesSet() we call cx.initStandardObjects(null, true) and new ImporterTopLevel(cx, true) in order to make the shared scopes 'sealed' and immutable. What do you think? It would be a shame to have to init the standard objects every time.

          See https://developer.mozilla.org/en/Rhino/Scopes_and_Contexts#Sealed_shared_scopes
          Show
          dward added a comment - I suggest that in org.alfresco.repo.jscript.RhinoScriptProcessor.afterPropertiesSet() we call cx.initStandardObjects(null, true) and new ImporterTopLevel(cx, true) in order to make the shared scopes 'sealed' and immutable. What do you think? It would be a shame to have to init the standard objects every time. See https://developer.mozilla.org/en/Rhino/Scopes_and_Contexts#Sealed_shared_scopes
          Hide
          Kevin Roast added a comment -
          OK i can make that change - FYI it will mean that: No standard library objects objects in the root scope can be modified at all. This is good but will break the example above, i.e. XML.ignoreWhitespace = false; will FAIL with an exception.

          The solution to that is if a script requires modification to a standard library object, then it should deep copy it for personal use, here is an example that fixes the above example when running against the fixed 3.2E codeline:


          function main()
          {
             var xml = deepCopy(XML);
             xml.ignoreWhitespace = false;
             return xml.ignoreWhitespace;
          }

          function deepCopy(p,c) {
          var c = c||{};
          for (var i in p) {
            if (typeof p[i] === 'object') {
              c[i] = (p[i].constructor === Array)?[]:{};
              deepCopy(p[i],c[i]);
            } else c[i] = p[i];}
          return c;
          }

          main();
          Show
          Kevin Roast added a comment - OK i can make that change - FYI it will mean that: No standard library objects objects in the root scope can be modified at all. This is good but will break the example above, i.e. XML.ignoreWhitespace = false; will FAIL with an exception. The solution to that is if a script requires modification to a standard library object, then it should deep copy it for personal use, here is an example that fixes the above example when running against the fixed 3.2E codeline: function main() {    var xml = deepCopy(XML);    xml.ignoreWhitespace = false;    return xml.ignoreWhitespace; } function deepCopy(p,c) { var c = c||{}; for (var i in p) {   if (typeof p[i] === 'object') {     c[i] = (p[i].constructor === Array)?[]:{};     deepCopy(p[i],c[i]);   } else c[i] = p[i];} return c; } main();
          Hide
          Kevin Roast added a comment -
          CHK-10397
          Show
          Kevin Roast added a comment - CHK-10397
          Hide
          Steve Rigby added a comment -
          For retest in b260 or later
          Show
          Steve Rigby added a comment - For retest in b260 or later
          Hide
          Alfresco QA Team added a comment -
          We have tested as it is listed in description:

          1. We have added attached scripts to Data Dictionary/scripts;
          2. Opened Javascript debugger;
          3. Executed first script ("script1.js"), which set "false" value to XML.ignoreWhitespace;
          4. In Javascript debugger step over the line XML.ignoreWhitespace = false --> exception appears: org.mozilla.javasript.EvaluatorException: Cannot modify a property of a sealed object: ignoreWhitespace. (workspace://SpaceStore/4f6e284f-13b7-4d8b-a811-49b9ecd9536#1).

          The same error appears in debugger and UI when trying to execute the second script with the line XML.ignoreWhitespace = true.

          Note: value of XML.ignoreWhitespace was always set to "true" and not changed after trying to execute scripts.
          Show
          Alfresco QA Team added a comment - We have tested as it is listed in description: 1. We have added attached scripts to Data Dictionary/scripts; 2. Opened Javascript debugger; 3. Executed first script ("script1.js"), which set "false" value to XML.ignoreWhitespace; 4. In Javascript debugger step over the line XML.ignoreWhitespace = false --> exception appears: org.mozilla.javasript.EvaluatorException: Cannot modify a property of a sealed object: ignoreWhitespace. ( workspace://SpaceStore/4f6e284f-13b7-4d8b-a811-49b9ecd9536#1 ). The same error appears in debugger and UI when trying to execute the second script with the line XML.ignoreWhitespace = true. Note: value of XML.ignoreWhitespace was always set to "true" and not changed after trying to execute scripts.
          Hide
          Kevin Roast added a comment -
          The exception is now expected and correct - please read the comments above.
          Show
          Kevin Roast added a comment - The exception is now expected and correct - please read the comments above.

            People

            • Assignee:
              Closed Bugs
              Reporter:
              Ricardo Vellozo
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Date of First Response: