Tags: eljonny/beanshell
Announcement - BeanShell 2.0b1
------------------------------

After several months of intense work I am pleased to announce the first beta release of BeanShell 2.0. With version 2.0 BeanShell becomes a fully Java compatible scripting language. BeanShell is now capable of interpreting ordinary Java source and loading .java source files from the class path.

Although this code is still in beta I have been able to execute almost all of the 165 example programs from my book (Learning Java, O'Reilly & Associates) without modification as well as BeanShell's own ClassBrowser.java file. The additional code to make this possible adds only about 30K to the size of the package and the core minimal language distribution without class support remains less than 150K.

BeanShell scripted classes are fully typed and appear to outside Java code and via reflective inspection as ordinary classes. However their implementation is fully dynamic and they may include arbitrary BeanShell scripts in their bodies, methods, and constructors. Users may now freely mix loose, unstructured BeanShell scripts, method closures, and full scripted classes. BeanShell scripted classes are "bound" in the script namespace in which they are declared and so can freely refer to other scripted items such as scripted methods, commands, and "global" variables of the script. e.g.

```java
// MyScript.bsh
count = 5;

class HelloWorld extends Thread {
    public void run() {
        for(i=0; i<count; i++)
            print("Hello World!");
    }
}

new HelloWorld().start();
```

All methods and constructors of the scripted classes delegate to the BeanShell interpreter at runtime and all typed variables appear as true class members. Loosely typed variables and methods may still be used inside the class but are strictly private to the class body.

Previous limitations on the implementation of anonymous inner classes have also been lifted, allowing BeanShell to extend arbitrary Java classes and implement abstract base classes.

BeanShell 2.0 also brings with it two new language features:

- JDK 1.5 style static class imports. You can import the static methods and fields of a java Class into a BeanShell namespace. e.g.

  ```java
  static import java.lang.Math.*;
  sqrt(4.0);
  ```

- Instance object imports (mix-ins) with the importObject() command. You can import the methods and fields of a Java object instance into a BeanShell namespace. e.g.

  ```java
  Map map = new HashMap();
  importObject( map );
  put("foo", "bar");
  print( get("foo") ); // "bar"
  ```

Changes from 0.96 to 1.0

Not necessarily in order of importance

- Added generalized support for scripts implementing interfaces (e.g. arbitrary event listeners). This uses the important new JDK1.3 reflection proxy mechanism to manufacture a proxy interface at run time. No code generation is necessary!
- Added support to the cast operation to use the new mechanism.
- Added support for automatic conversion to interface on method selection. e.g. if you attempt to pass a bsh scripted object as a method argument where the method signature calls for an interface an automatic cast to the appropriate interface type will be attempted.
- Added a magic method invoke(method,args) which can be used to handle method invocations on undefined interface methods in bsh objects. This takes the place of "dummy" adapters; allowing a script to ignore one or more methods of an interface that it is implementing. Note: one special case - direct invocations within scope (e.g. command invocations) are not currently sent to invoke.
- Added startup file (.rc file) support. Bsh will source the file "user.home"/.bshrc upon startup. This defaults to C:\Windows under win98 and $HOME under Unix. (can the home be set with an env var under Win? "home" doesn't seem to do it).
- Added arguments to file invocation on command line. e.g.
      java bsh.Interpreter MyClass foo bar
  Args are accessible through the root bsh object: String [] bsh.args
- Enhancements to JConsole submitted by Daniel Leuck; Added color and image support, fixed several bugs.
- Added support for inner classes. This should all work as expected, but it's new so let me know if you find weirdness.
- Added support for inner classes to import statement.
- Changed the way eval()/source() handle script errors. Instead of returning the error object as a value it is now wrapped up with some context and rethrown as an EvalError. So you can simply catch the error with a normal try/catch block if you want to. Previously errors in sourced/eval'd files were being squelched. This was bad. Note: exceptions generated by the script or through code called by the script are thrown as TargetErrors (a subclass of EvalError) which can also be caught and examined.
- Improved error reporting in many areas. Fixed really annoying error reporting bug that squelched target error info in sourced files (and commands).
- Improved bsh cast operation so that it throws standard ClassCastException for invalid cast. You can now guard against them with the ordinary try/catch in a bsh script.
- Modified the command line portion of the grammar to accept arbitrary expressions. e.g. you can type ``5*2;'' or ``foo instanceof Foo;'' on the command line now without any enclosing parens. (Of course you won't see anything unless you're using the show() option).
- Removed the old AWT version of the GUI console. If you need it you can get it on the web site separately. I may reconsider this.
- Removed the console() command which was primarily for the old AWT console.
- Modified the browseClass() command to take an object instead of a string class name. Now you can simply say browseClass( someObject ) and pop up the class browser to the correct place. Special hack: If the specified object is a Class it will use the class. This will all probably be replaced by a general browse() method for the upcoming object inspector.
- Changed the return type of the frame() command to allow it to return an internal frame when desktop is active. Frame will now do the correct thing whether the desktop is up or not.
- Rebuilt the distribution with JavaCC / JJTree version 1.1. Haven't noticed any difference yet.
- Fixed the 'for' scoping bug - See docs on for scoping for clarification. Previously variables declared within the for-init section were leaking out into the outer namespace.
- Fixed a bug in which tokenizer errors would cause the interpreter to hang or exit. They are now handled like other parsing errors. In the future we may want to break them out so that they can be handled separately from EvalError.
- Added missing += form of string concatenation.
- Incorporated a patch and test suite case from Roger Bolsius that corrects some of the package / hidden reflected class access. Previously the code did not handle the more difficult cases.
- Incorporated a patch from Mike Woolley which works around JDK bug 4071281 (EOF problem) under Windows JDK v1.1.
- Fixed most of the bugs in server mode. Run the server pair (httpd / sessiond) using the server( port ) command. Then you can telnet to port+1 or attach your web browser to port. Note that the web browser must support swing to run the remote JConsole. We could supply the AWTConsole back for compatibility with old browsers... but I'd like to move on.
- Internal trivia - changed the prefix of the names of all of the parser node classes from AST to BSH.
- Fixed a bug which caused ClassCastException during (ironically) a bsh cast operation.
- Improved the test harness slightly and added a number of new files to the test suite for all of the new features. Please send more test cases for the test suite!
- Internal change: Simplified the code that determines array base types.
- Fixed bug where special characters on input (e.g. control characters ^D) would cause the tokenizer to loop on errors. Non printable chars are now skipped as white space.
- Added the missing do-while statement.
- Internal: Tightened up the code a bit by combining the BSH node conditional evaluation into one place.
- Fixed some race conditions in the JConsole.
- Fixed multi-writer console problems.
- Fixed order of evaluation bugs: classes now always first, then bsh vars. Note: this may not always be desirable. e.g. if you have a class named "x" in your path (violating the common naming conventions) then you can't use a variable of name 'x' in your scripts. Conversely though, it prevents one from doing "Integer = 5;" and shadowing the java.lang.Integer class with a variable name. Any thoughts on this?
- Corrected handling of the bsh root object.
- Added a menu item to console to redirect stdin/stdout/stderr. If you close the console they are restored to the original System.in,out,err.

BeanShell 2.0b6

BeanShell 2.0b6 is a security update that is functionally equivalent to the previous version 2.0b5. No other functionality has changed since 2.0b5.

This is a **recommended update** for all BeanShell users, as it fixes a remote code execution vulnerability.

This release fixes a remote code execution vulnerability that was identified in BeanShell by [Alvaro Muñoz](https://twitter.com/pwntester) and [Christian Schneider](https://twitter.com/cschneider4711). The BeanShell team would like to thank them for their help and contributions to this fix!

An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses [Java serialization](https://docs.oracle.com/javase/tutorial/jndi/objects/serial.html) or [XStream](http://x-stream.github.io/) to deserialize data from an untrusted source. A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands.

This update fixes the vulnerability in BeanShell, but it is worth noting that applications doing such deserialization might still be insecure through other libraries. It is recommended that application developers take further measures such as using a restricted class loader when deserializing. See notes on [Java serialization security](http://www.oracle.com/technetwork/java/seccodeguide-139067.html#8), [XStream security](http://x-stream.github.io/security.html) and [How to secure deserialization from untrusted input without using encryption or sealing](http://www.ibm.com/developerworks/library/se-lookahead/).

A [CVE number](http://cve.mitre.org/cve/) will be requested.

BeanShell is licensed under the [Apache License, version 2.0](http://www.apache.org/licenses/LICENSE-2.0). See the file LICENSE for details, and the NOTICE file for required attributions.

SHA1 and sha512 checksums are published for this release.

This release will also be distributed to [Maven Central](http://central.maven.org/maven2/org/apache-extras/beanshell/bsh/). Usage:

```xml
<dependencies>
  <dependency>
    <groupId>org.apache-extras.beanshell</groupId>
    <artifactId>bsh</artifactId>
    <version>2.0b6</version>
  </dependency>
</dependencies>
```

To execute the Beanshell user interface, either double-click the JAR file, or run it with:

```
java -jar bsh-2.0b6.jar
```

You will need Java 5 or later installed. Note that there is a bug (beanshell#4) which may cause a hang, preventing the user interface from running with Java 8.

Fix issue-8: warning: [deprecation] toURL() in File has been deprecated.

Fix warning by prepending toURI(). to occurrences of toURL().

git-svn-id: https://svn.codespot.com/a/apache-extras.org/beanshell/trunk@33 934af587-6f8e-29cc-0aa7-85b2284b99e2