beanshell security issues

SpiritWolf · August 10, 2005, 8:40pm

Hello everyone.

I’m working on an extendable online game. I want to ship a map editor and a scripting language along with the game but I’m not sure if I should make my own scripting language or use something like beanshell. Normally I would just use beanshell and forget making something like a scripting language myself, but if people will be downloading other peoples scripts then someone could create a script that deletes for example the c drive on windows, is this possible? Is there a switch in beanshell I can turn on to disable possibly dangerous programming?

Any help would be greatly apprechiated.

blahblahblahh · August 10, 2005, 8:42pm

By a million miles you should ask this on the beanshell mailing list, you’ll get a much better and more detailed answer directly from the author.

The short answer is that you can do some things, and there are outstanding plans to be able to do more, but that for the time being to a large extent you can’t stop people from screwing around.

SpiritWolf · August 11, 2005, 12:23am

Thanks for the reply. As for using beanshell I think I might hold off on it for now, I might use it as a place holder before I make my own scripting language. It might be a good excercise to make a scripting language and possibly a little easier for a less experienced person to use.

blahblahblahh · August 13, 2005, 1:08pm

Ah…that sounds unlikely; bsh is pretty darn easy to use. It’s a stereotype that programemrs like to write their own languages rather than re-use better ones already available. There are good reasons for not using bsh (e.g. performance issues - don’t use it to drive something that is part of your game-loop!), but how is your language going to be at: documentation, tutorials, support mailing lists, example code, chat-channel support, testing + bugfixing?

SpiritWolf · August 20, 2005, 1:55am

It would be really nice if java supported a feature where you could turn on a safemode switch and then execute a beanshell script or use reflection, that way you could have all the flexibility (and speed if your using reflection) and the safety of a homemade scripting language… I think applets do something like this where they run in the ‘sandbox’ or something… I wonder if there’s any libraries that give you that feature? Or could I enable the ‘sandbox’ in my application, is that possible?

kevglass · August 20, 2005, 8:42am

You need to install a SecurityManager implementation class. You can control some of the stuff you want to do that way.

Kev