From efafd0219cb1eac0d16ac9342731b75499289fc3 Mon Sep 17 00:00:00 2001 From: kunfei Date: Wed, 14 Jun 2023 15:47:06 +0800 Subject: [PATCH 1/5] =?UTF-8?q?=E4=BC=98=E5=8C=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../main/java/com/script/rhino/RhinoClassShutter.kt | 12 +++++++++--- .../main/java/com/script/rhino/RhinoClassShutter.kt | 12 +++++++++--- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/modules/rhino1.7.3/src/main/java/com/script/rhino/RhinoClassShutter.kt b/modules/rhino1.7.3/src/main/java/com/script/rhino/RhinoClassShutter.kt index 330b7d391..05c9f7218 100644 --- a/modules/rhino1.7.3/src/main/java/com/script/rhino/RhinoClassShutter.kt +++ b/modules/rhino1.7.3/src/main/java/com/script/rhino/RhinoClassShutter.kt @@ -38,9 +38,15 @@ object RhinoClassShutter : ClassShutter { private val protectedClasses by lazy { val protectedClasses = HashMap() - protectedClasses["java.lang.Runtime"] = java.lang.Boolean.TRUE - protectedClasses["java.io.File"] = java.lang.Boolean.TRUE - protectedClasses["java.security.AccessController"] = java.lang.Boolean.TRUE + protectedClasses["java.lang.Runtime"] = true + protectedClasses["java.io.File"] = true + protectedClasses["java.security.AccessController"] = true + protectedClasses["java.nio.file.Paths"] = true + protectedClasses["java.nio.file.Files"] = true + protectedClasses["io.legado.app.data.AppDatabaseKt"] = true + protectedClasses["android.content.Intent"] = true + protectedClasses["androidx.core.content.FileProvider"] = true + protectedClasses["android.provider.Settings"] = true protectedClasses } diff --git a/modules/rhino1.7.4/src/main/java/com/script/rhino/RhinoClassShutter.kt b/modules/rhino1.7.4/src/main/java/com/script/rhino/RhinoClassShutter.kt index 726963b8e..8baa318ac 100644 --- a/modules/rhino1.7.4/src/main/java/com/script/rhino/RhinoClassShutter.kt +++ b/modules/rhino1.7.4/src/main/java/com/script/rhino/RhinoClassShutter.kt @@ -38,9 +38,15 @@ object RhinoClassShutter : ClassShutter { private val protectedClasses by lazy { val protectedClasses = HashMap() - protectedClasses["java.lang.Runtime"] = java.lang.Boolean.TRUE - protectedClasses["java.io.File"] = java.lang.Boolean.TRUE - protectedClasses["java.security.AccessController"] = java.lang.Boolean.TRUE + protectedClasses["java.lang.Runtime"] = true + protectedClasses["java.io.File"] = true + protectedClasses["java.security.AccessController"] = true + protectedClasses["java.nio.file.Paths"] = true + protectedClasses["java.nio.file.Files"] = true + protectedClasses["io.legado.app.data.AppDatabaseKt"] = true + protectedClasses["android.content.Intent"] = true + protectedClasses["androidx.core.content.FileProvider"] = true + protectedClasses["android.provider.Settings"] = true protectedClasses } From e20b90cf02ddfc6cbbae988f781881d00389e8b0 Mon Sep 17 00:00:00 2001 From: kunfei Date: Wed, 14 Jun 2023 16:07:45 +0800 Subject: [PATCH 2/5] =?UTF-8?q?=E4=BC=98=E5=8C=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/src/main/assets/updateLog.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/src/main/assets/updateLog.md b/app/src/main/assets/updateLog.md index 34047bdbe..9d9d40841 100644 --- a/app/src/main/assets/updateLog.md +++ b/app/src/main/assets/updateLog.md @@ -12,12 +12,13 @@ * 正文出现缺字漏字、内容缺失、排版错乱等情况,有可能是净化规则或简繁转换出现问题。 * 漫画源看书显示乱码,**阅读与其他软件的源并不通用**,请导入阅读的支持的漫画源! -**2023/06/11** +**2023/06/14** * 更新cronet: 114.0.5735.60 * 修复长按菜单全文搜索结果不全或无结果问题 * 优化全文搜索速度 * 修复正文页数太多时并行获取问题 +* 禁用js调用一些类防止一些恶意书源 * 其它一些优化 * 其中一些更新由 Xwite, Horis 提供 From 43d0d807e6930437110e7e891b124e282389f013 Mon Sep 17 00:00:00 2001 From: kunfei Date: Wed, 14 Jun 2023 16:08:19 +0800 Subject: [PATCH 3/5] =?UTF-8?q?=E4=BC=98=E5=8C=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/src/main/assets/updateLog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/src/main/assets/updateLog.md b/app/src/main/assets/updateLog.md index 9d9d40841..1ba82d5dc 100644 --- a/app/src/main/assets/updateLog.md +++ b/app/src/main/assets/updateLog.md @@ -13,8 +13,8 @@ * 漫画源看书显示乱码,**阅读与其他软件的源并不通用**,请导入阅读的支持的漫画源! **2023/06/14** -* 更新cronet: 114.0.5735.60 +* 更新cronet: 114.0.5735.60 * 修复长按菜单全文搜索结果不全或无结果问题 * 优化全文搜索速度 * 修复正文页数太多时并行获取问题 From c04027de1e6f81e124cfa9792449816fbf4b0769 Mon Sep 17 00:00:00 2001 From: kunfei Date: Wed, 14 Jun 2023 16:43:04 +0800 Subject: [PATCH 4/5] =?UTF-8?q?=E4=BC=98=E5=8C=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/src/androidTest/java/io/legado/app/AndroidJsTest.kt | 8 +++++--- .../src/main/java/com/script/rhino/RhinoClassShutter.kt | 1 + .../src/main/java/com/script/rhino/RhinoClassShutter.kt | 1 + 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/app/src/androidTest/java/io/legado/app/AndroidJsTest.kt b/app/src/androidTest/java/io/legado/app/AndroidJsTest.kt index dfff5b529..3f75daddb 100644 --- a/app/src/androidTest/java/io/legado/app/AndroidJsTest.kt +++ b/app/src/androidTest/java/io/legado/app/AndroidJsTest.kt @@ -43,9 +43,11 @@ class AndroidJsTest { returnData.getErrorMsg() """.trimIndent() val result1 = RhinoScriptEngine.eval(js1) - Assert.assertEquals(result1, "未知错误,请联系开发者!").let { - - } + Assert.assertEquals(result1, "未知错误,请联系开发者!") + val js2 = """ + let intent = new android.content.Intent(android.content.Intent.ACTION_VIEW) + """.trimIndent() + RhinoScriptEngine.eval(js2) } @Test diff --git a/modules/rhino1.7.3/src/main/java/com/script/rhino/RhinoClassShutter.kt b/modules/rhino1.7.3/src/main/java/com/script/rhino/RhinoClassShutter.kt index 05c9f7218..657d18f87 100644 --- a/modules/rhino1.7.3/src/main/java/com/script/rhino/RhinoClassShutter.kt +++ b/modules/rhino1.7.3/src/main/java/com/script/rhino/RhinoClassShutter.kt @@ -38,6 +38,7 @@ object RhinoClassShutter : ClassShutter { private val protectedClasses by lazy { val protectedClasses = HashMap() + protectedClasses["java.lang.Class"] = true protectedClasses["java.lang.Runtime"] = true protectedClasses["java.io.File"] = true protectedClasses["java.security.AccessController"] = true diff --git a/modules/rhino1.7.4/src/main/java/com/script/rhino/RhinoClassShutter.kt b/modules/rhino1.7.4/src/main/java/com/script/rhino/RhinoClassShutter.kt index 8baa318ac..af4800d07 100644 --- a/modules/rhino1.7.4/src/main/java/com/script/rhino/RhinoClassShutter.kt +++ b/modules/rhino1.7.4/src/main/java/com/script/rhino/RhinoClassShutter.kt @@ -38,6 +38,7 @@ object RhinoClassShutter : ClassShutter { private val protectedClasses by lazy { val protectedClasses = HashMap() + protectedClasses["java.lang.Class"] = true protectedClasses["java.lang.Runtime"] = true protectedClasses["java.io.File"] = true protectedClasses["java.security.AccessController"] = true From 533bd502aab5610c4e948d9cc98815fd6af61564 Mon Sep 17 00:00:00 2001 From: kunfei Date: Wed, 14 Jun 2023 16:46:54 +0800 Subject: [PATCH 5/5] =?UTF-8?q?=E4=BC=98=E5=8C=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/src/androidTest/java/io/legado/app/AndroidJsTest.kt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/src/androidTest/java/io/legado/app/AndroidJsTest.kt b/app/src/androidTest/java/io/legado/app/AndroidJsTest.kt index 3f75daddb..78f60e93d 100644 --- a/app/src/androidTest/java/io/legado/app/AndroidJsTest.kt +++ b/app/src/androidTest/java/io/legado/app/AndroidJsTest.kt @@ -44,8 +44,9 @@ class AndroidJsTest { """.trimIndent() val result1 = RhinoScriptEngine.eval(js1) Assert.assertEquals(result1, "未知错误,请联系开发者!") + @Language("js") val js2 = """ - let intent = new android.content.Intent(android.content.Intent.ACTION_VIEW) + let x = java.lang.Class.forName('android.app.ActivityThread') """.trimIndent() RhinoScriptEngine.eval(js2) }