The latest security breach in Java7, where a applet can execute untrusted code on users machine. More information is available at http://www.h-online.com/security/features/The-new-Java-0day-examined-1677789.html.
But the question I have is: It is mentioned that all this is possible due to the execute() method introduced in Expression class. But there is nothing special that it does, which was not possible in previous versions. Here is the source:
#Override
public void execute() throws Exception {
setValue(invoke());
}
and for getValue() which exists since java1.4:
public Object getValue() throws Exception {
if (value == unbound) {
setValue(invoke());
}
return value;
}
getValue() does everything that execute() does. Then why so much fuss about the execute method??
If you look closely, the exploit code also calls .getValue(). Clearly, the vulnerability lies within invoke. execute is essentially a public interface to call the private invoke.
I reported a bug several years ago where the access checking in Expression isn't identical to the compiler's. Possibly this is another example.
Related
Suppose I have this piece of code
public String userName(){
//Retrofit setup here
MyAPI service = retrofit.create(MyAPI.class);
Call<Users> call = service.getUser();
call.enqueue(new Callback<>() {
#Override
public void onResponse(Call<Users> call, Response<Users> response) {
//suppose I get what I want here:
response.body().getUserName();
}
#Override
public void onFailure(Call<Users> call, Throwable throwable) {
//let's just say we return "User not found" onFailure
}
});
//return statement here
}
Is there a way I can have the String return statement of the userName() method in lambda expression? If not, what's the simplest way (with minimal amounts of processing) I can use to achieve this.
Retrofit has a isExecuted method for calls so I was thinking about using that in a while loop. But I just wanted to know if there's an easier way to do it before I proceed.
Thank you.
No, that is not possible. enqueue means: Do this asynchronously. As in, not now, later.
Where you wrote return statement here? That runs before the onResponse/onFailure methods do, so you can't 'move' the return statement there - your method must return (and therefore, know what to return) before the place where you want the return statement to be has even run, which makes that impossible.
This is the problem with asynchronous API: They suck to code against. This is what people are talking about when you say 'callback hell': You need to redesign all your code so that this method needs to return nothing; instead, all code that would act upon the return value needs to be packed up in a lambda and shipped to this method, so that you can invoke that lambda (and pass the thing you want to return, such as "User not found", as parameter instead).
There are probably ways to not use enqueue here, I'd look at that first.
We are working with Apache Flink streaming framework lately which is very nice. Nevertheless, in the documentation we stumbled across some Java thing that I haven't seen before, this class
public class MyMapper extends RichMapFunction<String, Integer> {
private Counter counter;
#Override
public void open(Configuration config) {
this.counter = getRuntimeContext()
.getMetricGroup()
.counter("myCounter");
}
#public Integer map(String value) throws Exception {
this.counter.inc();
}
}
What does the #public mean ont the map method and what's even more interesting why isn't there are return declared in the method although the return type is defined as Integer?
Or is this simply some issue in their documentation?
Here is the page as reference Flink Docu
This seems to be an issue with the documentation.
The # in #public is not correct and should be removed, i.e., this should be the Java keyword public. The #Public annotation mentioned in another answer is not supposed to be used in user code but just in Flink's public interfaces.
The documentation page is about how to use metrics, so the author probably focused on the call to update the metric and forgot the return value of the map() method.
It would be great if you could open a JIRA issue to report the faulty docs. Thanks!
I'm trying to ensure that my Rhino scripts (running under Java 6) are strict so that if a script developer misspells an expression I want an exception to be thrown. Currently what happens is the expression simply evaluates to "undefined".
Now according to Mozilla org https://developer.mozilla.org/en/New_in_Rhino_1.6R6 there are features to enable strict checking in the context. I cannot find a working example of this.
What I did so far was write a class to extend ContextFactory and then override the hasFeature method.
public class ScriptContextFactory extends ContextFactory {
protected boolean hasFeature(Context context, int featureIndex) {
switch (featureIndex) {
case Context.FEATURE_STRICT_EVAL:
return true;
case Context.FEATURE_STRICT_VARS:
return true;
}
return super.hasFeature(context, featureIndex);
}
}
Then in the Main I set mine to the default.
ContextFactory.initGlobal(new ScriptContextFactory());
and I get an illegal state exception. :(
Any ideas or samples on how this works?
TIA
If you are doing Context.enter() before calling initGlobal() try reversing the order.
I have this code that allows to execute functions in a separate thread if "Asynch" annotation is present on them. Everything works fine, except for the day when I realized I also have to handle return value for some new functions that I've just added. I could use handlers and message-passing for this, but, due to already built project structure(which is huge and working fine), I can't change the existing functions to work with message passing.
Here's the code:
/**
* Defining the Asynch interface
*/
#Retention(RetentionPolicy.RUNTIME)
public #interface Asynch {}
/**
* Implementation of the Asynch interface. Every method in our controllers
* goes through this interceptor. If the Asynch annotation is present,
* this implementation invokes a new Thread to execute the method. Simple!
*/
public class AsynchInterceptor implements MethodInterceptor {
public Object invoke(final MethodInvocation invocation) throws Throwable {
Method method = invocation.getMethod();
Annotation[] declaredAnnotations = method.getDeclaredAnnotations();
if(declaredAnnotations != null && declaredAnnotations.length > 0) {
for (Annotation annotation : declaredAnnotations) {
if(annotation instanceof Asynch) {
//start the requested task in a new thread and immediately
//return back control to the caller
new Thread(invocation.getMethod().getName()) {
public void execute() {
invocation.proceed();
}
}.start();
return null;
}
}
}
return invocation.proceed();
}
}
Now, how can i convert it so that if its something as:
#Asynch
public MyClass getFeedback(int clientId){
}
MyClass mResult = getFeedback(12345);
"mResult" gets updated with the returned value?
Thanx in advance...
You can't, fundamentally. getFeedback has to return something in a synchronous way - and while in some cases you could update the returned object later on, in other cases you clearly couldn't - immutable classes like String are obvious examples. You can't change the value of the variable mResult later... it's quite possibly a local variable, after all. Indeed, by the time the result has been computed the method in which it was used may have completed... using a bogus value.
You're not going to be able to get clean asynchrony by just adding annotations on top of a synchronous language. Ideally, an asynchronous operation should return something like a Future<T> to say "at some point later, there'll be a result" - along with ways of finding out what that result is, whether it's been computed or not, whether there was an exception etc. This sort of thing is precisely why async/await was added in C# 5 - because you can't just do it transparently at the library level, even with AOP. Writing asynchronous code should be a very deliberate decision - not just something which is bolted onto synchronous code via an annotation.
I'm trying to ensure that my Rhino scripts (running under Java 6) are strict so that if a script developer misspells an expression I want an exception to be thrown. Currently what happens is the expression simply evaluates to "undefined".
Now according to Mozilla org https://developer.mozilla.org/en/New_in_Rhino_1.6R6 there are features to enable strict checking in the context. I cannot find a working example of this.
What I did so far was write a class to extend ContextFactory and then override the hasFeature method.
public class ScriptContextFactory extends ContextFactory {
protected boolean hasFeature(Context context, int featureIndex) {
switch (featureIndex) {
case Context.FEATURE_STRICT_EVAL:
return true;
case Context.FEATURE_STRICT_VARS:
return true;
}
return super.hasFeature(context, featureIndex);
}
}
Then in the Main I set mine to the default.
ContextFactory.initGlobal(new ScriptContextFactory());
and I get an illegal state exception. :(
Any ideas or samples on how this works?
TIA
If you are doing Context.enter() before calling initGlobal() try reversing the order.