changeset in /hg/icedtea6: - Implemented JS->Java security.
Deepak Bhole
dbhole at redhat.com
Wed Oct 8 14:00:28 PDT 2008
changeset 86fbcf148d1f in /hg/icedtea6
details: http://icedtea.classpath.org/hg/icedtea6?cmd=changeset;node=86fbcf148d1f
description:
- Implemented JS->Java security.
- Removed ambiguity from class finding mechanism for cases where JS needs a
signature involving an applet specific class.
- Rewrote code that parsed messages from C++ side -- now it can handle any
number of optional components.
diffstat:
7 files changed, 730 insertions(+), 323 deletions(-)
ChangeLog | 13
IcedTeaPlugin.cc | 508 +++++++----
plugin/icedtea/sun/applet/AppletSecurityContextManager.java | 10
plugin/icedtea/sun/applet/PluginAppletSecurityContext.java | 412 ++++++--
plugin/icedtea/sun/applet/PluginAppletViewer.java | 33
plugin/icedtea/sun/applet/PluginObjectStore.java | 11
plugin/icedtea/sun/applet/PluginStreamHandler.java | 66 -
diffs (truncated from 1911 to 500 lines):
diff -r ab8aa9425fc4 -r 86fbcf148d1f ChangeLog
--- a/ChangeLog Tue Oct 07 11:16:16 2008 -0400
+++ b/ChangeLog Wed Oct 08 17:00:19 2008 -0400
@@ -1,3 +1,16 @@ 2008-10-07 Gary Benson <gbenson at redhat
+2008-10-08 Deepak Bhole <dbhole at redhat.com>
+ * IcedTeaPlugin.cc: Implemented JS->Java security.
+ * plugin/icedtea/sun/applet/AppletSecurityContextManager.java: Same.
+ * plugin/icedtea/sun/applet/PluginAppletSecurityContext.java: Same. Also,
+ remove ambiguity from class finding mechanism for cases where JS needs a
+ signature involving an applet specific class.
+ * plugin/icedtea/sun/applet/PluginAppletViewer.java: Implemented JS->Java
+ security.
+ * plugin/icedtea/sun/applet/PluginObjectStore.java: Same.
+ * plugin/icedtea/sun/applet/PluginStreamHandler.java: Rewrote code that
+ parsed messages from C++ side -- now it can handle any number of optional
+ components.
+
2008-10-07 Gary Benson <gbenson at redhat.com>
Andrew Haley <aph at redhat.com>
diff -r ab8aa9425fc4 -r 86fbcf148d1f IcedTeaPlugin.cc
--- a/IcedTeaPlugin.cc Tue Oct 07 11:16:16 2008 -0400
+++ b/IcedTeaPlugin.cc Wed Oct 08 17:00:19 2008 -0400
@@ -309,29 +309,36 @@ char const* TYPES[10] = { "Object",
#include <nsIThread.h>
// FIXME: create index from security context.
-#define MESSAGE_CREATE(reference) \
- const char* addr; \
- char context[16]; \
- GetCurrentPageAddress(&addr); \
- GetCurrentContextAddr(context); \
+#define MESSAGE_CREATE() \
nsCString message ("context "); \
message.AppendInt (0); \
+
+#define MESSAGE_ADD_STACK_REFERENCE(reference) \
message += " reference "; \
message.AppendInt (reference); \
- if (factory->codebase_map.find(nsCString(addr)) != factory->codebase_map.end()) \
- { \
- message += " src "; \
- message += factory->codebase_map[nsCString(addr)];\
- } \
- message += " "; \
- message += __func__; \
if (factory->result_map[reference] == NULL) { \
factory->result_map[reference] = new ResultContainer(); \
printf("ResultMap created -- %p %d\n", factory->result_map[reference], factory->result_map[reference]->returnIdentifier); \
} \
else \
- factory->result_map[reference]->Clear();
-
+ factory->result_map[reference]->Clear();
+
+#define MESSAGE_ADD_SRC(src) \
+ message += " src "; \
+ message += src;
+
+#define MESSAGE_ADD_PRIVILEGES() \
+ nsCString privileges(""); \
+ GetEnabledPrivileges(&privileges); \
+ if (privileges.Length() > 0) \
+ { \
+ message += " privileges "; \
+ message += privileges; \
+ }
+
+#define MESSAGE_ADD_FUNC() \
+ message += " "; \
+ message += __func__;
#define MESSAGE_ADD_STRING(name) \
message += " "; \
@@ -396,7 +403,7 @@ char const* TYPES[10] = { "Object",
#define PROCESS_PENDING_EVENTS_REF(reference) \
if (factory->shutting_down == PR_TRUE && \
- factory->result_map[reference]->errorOccured == PR_TRUE) \
+ factory->result_map[reference]->errorOccurred == PR_TRUE) \
{ \
printf("Error occured. Exiting function\n"); \
return NS_ERROR_FAILURE; \
@@ -424,13 +431,13 @@ char const* TYPES[10] = { "Object",
nsresult res = NS_OK; \
printf ("RECEIVE 1\n"); \
while (factory->result_map[reference]->returnIdentifier == -1 &&\
- factory->result_map[reference]->errorOccured == PR_FALSE) \
+ factory->result_map[reference]->errorOccurred == PR_FALSE) \
{ \
PROCESS_PENDING_EVENTS_REF (reference); \
} \
printf ("RECEIVE 3\n"); \
if (factory->result_map[reference]->returnIdentifier == 0 || \
- factory->result_map[reference]->errorOccured == PR_TRUE) \
+ factory->result_map[reference]->errorOccurred == PR_TRUE) \
{ \
*name = NULL; \
} else { \
@@ -447,12 +454,12 @@ char const* TYPES[10] = { "Object",
nsresult res = NS_OK; \
printf("RECEIVE ID 1\n"); \
while (factory->result_map[reference]->returnIdentifier == -1 &&\
- factory->result_map[reference]->errorOccured == PR_FALSE) \
+ factory->result_map[reference]->errorOccurred == PR_FALSE) \
{ \
PROCESS_PENDING_EVENTS_REF (reference); \
} \
\
- if (factory->result_map[reference]->errorOccured == PR_TRUE) \
+ if (factory->result_map[reference]->errorOccurred == PR_TRUE) \
{ \
*id = NULL; \
} else \
@@ -468,7 +475,7 @@ char const* TYPES[10] = { "Object",
nsresult res = NS_OK; \
printf("RECEIVE VALUE 1\n"); \
while (factory->result_map[reference]->returnValue == "" && \
- factory->result_map[reference]->errorOccured == PR_FALSE) \
+ factory->result_map[reference]->errorOccurred == PR_FALSE) \
{ \
PROCESS_PENDING_EVENTS_REF (reference); \
} \
@@ -485,12 +492,12 @@ char const* TYPES[10] = { "Object",
nsresult res = NS_OK; \
printf("RECEIVE SIZE 1\n"); \
while (factory->result_map[reference]->returnValue == "" && \
- factory->result_map[reference]->errorOccured == PR_FALSE) \
+ factory->result_map[reference]->errorOccurred == PR_FALSE) \
{ \
PROCESS_PENDING_EVENTS_REF (reference); \
} \
nsresult conversionResult; \
- if (factory->result_map[reference]->errorOccured == PR_TRUE) \
+ if (factory->result_map[reference]->errorOccurred == PR_TRUE) \
*result = NULL; \
else \
{ \
@@ -507,11 +514,11 @@ char const* TYPES[10] = { "Object",
nsresult res = NS_OK; \
printf("RECEIVE STRING 1\n"); \
while (factory->result_map[reference]->returnValue == "" && \
- factory->result_map[reference]->errorOccured == PR_FALSE) \
+ factory->result_map[reference]->errorOccurred == PR_FALSE) \
{ \
PROCESS_PENDING_EVENTS_REF (reference); \
} \
- if (factory->result_map[reference]->errorOccured == PR_TRUE) \
+ if (factory->result_map[reference]->errorOccurred == PR_TRUE) \
*result = NULL; \
else \
{\
@@ -529,11 +536,11 @@ char const* TYPES[10] = { "Object",
nsresult res = NS_OK; \
printf("RECEIVE STRING UCS 1\n"); \
while (factory->result_map[reference]->returnValueUCS.IsEmpty() && \
- factory->result_map[reference]->errorOccured == PR_FALSE) \
+ factory->result_map[reference]->errorOccurred == PR_FALSE) \
{ \
PROCESS_PENDING_EVENTS_REF (reference); \
} \
- if (factory->result_map[reference]->errorOccured == PR_TRUE) \
+ if (factory->result_map[reference]->errorOccurred == PR_TRUE) \
*result = NULL; \
else \
{ \
@@ -554,11 +561,11 @@ char const* TYPES[10] = { "Object",
nsresult res = NS_OK; \
printf("RECEIVE BOOLEAN 1\n"); \
while (factory->result_map[reference]->returnIdentifier == -1 && \
- factory->result_map[reference]->errorOccured == PR_FALSE) \
+ factory->result_map[reference]->errorOccurred == PR_FALSE) \
{ \
PROCESS_PENDING_EVENTS_REF (reference); \
} \
- if (factory->result_map[reference]->errorOccured == PR_TRUE) \
+ if (factory->result_map[reference]->errorOccurred == PR_TRUE) \
*result = NULL; \
else \
*result = factory->result_map[reference]->returnIdentifier;
@@ -717,8 +724,8 @@ class ResultContainer
PRUint32 returnIdentifier;
nsCString returnValue;
nsString returnValueUCS;
- PRBool errorOccured;
-
+ nsCString errorMessage;
+ PRBool errorOccurred;
};
ResultContainer::ResultContainer ()
@@ -728,7 +735,8 @@ ResultContainer::ResultContainer ()
returnIdentifier = -1;
returnValue.Truncate();
returnValueUCS.Truncate();
- errorOccured = PR_FALSE;
+ errorMessage.Truncate();
+ errorOccurred = PR_FALSE;
}
ResultContainer::~ResultContainer ()
@@ -738,6 +746,7 @@ ResultContainer::~ResultContainer ()
returnIdentifier = -1;
returnValue.Truncate();
returnValueUCS.Truncate();
+ errorMessage.Truncate();
}
void
@@ -748,7 +757,8 @@ ResultContainer::Clear()
returnIdentifier = -1;
returnValue.Truncate();
returnValueUCS.Truncate();
- errorOccured = PR_FALSE;
+ errorMessage.Truncate();
+ errorOccurred = PR_FALSE;
}
#include <nsTArray.h>
@@ -1182,6 +1192,7 @@ private:
void DecrementContextCounter();
nsresult GetCurrentContextAddr(char *addr);
nsresult GetCurrentPageAddress(const char **addr);
+ nsresult GetEnabledPrivileges(nsCString *privileges);
int contextCounter;
};
�
@@ -2780,7 +2791,16 @@ IcedTeaPluginFactory::HandleMessage (nsC
else if (command == "Error")
{
printf("Error occured. Setting error flag for container @ %d to true\n", reference);
- result_map[reference]->errorOccured = PR_TRUE;
+ result_map[reference]->errorOccurred = PR_TRUE;
+ result_map[reference]->errorMessage = (nsCString) rest;
+
+ rest += "ERROR: ";
+ IcedTeaPluginInstance* instance = NULL;
+ instances.Get (identifier, &instance);
+ if (instance != 0)
+ {
+ instance->peer->ShowStatus (nsCString (rest).get ());
+ }
}
}
else if (prefix == "context")
@@ -3916,91 +3936,72 @@ IcedTeaJNIEnv::DecrementContextCounter (
PR_ExitMonitor(contextCounterPRMonitor);
}
-#include <nsIJSContextStack.h>
-
nsresult
-IcedTeaJNIEnv::GetCurrentContextAddr(char *addr)
-{
- return NS_OK;
- PLUGIN_TRACE_JNIENV ();
-
- // Get JSContext from stack.
- nsCOMPtr<nsIJSContextStack> mJSContextStack(do_GetService("@mozilla.org/js/xpc/ContextStack;1"));
- if (mJSContextStack) {
- JSContext *cx;
- if (NS_FAILED(mJSContextStack->Peek(&cx)))
- return NS_ERROR_FAILURE;
-
- printf("Context1: %p\n", cx);
-
- // address cannot be more than 8 bytes (8 bytes = 64 bits)
- sprintf(addr, "%p", cx);
-
- printf("Context2: %s\n", addr);
- }
-
- return NS_OK;
-}
-
-nsresult
-IcedTeaJNIEnv::GetCurrentPageAddress(const char **addr)
-{
- return NS_OK;
- PLUGIN_TRACE_JNIENV ();
-
- nsIPrincipal *prin;
- nsCOMPtr<nsIScriptSecurityManager> sec_man(do_GetService("@mozilla.org/scriptsecuritymanager;1"));
-
- if (sec_man) {
-
- PRBool isEnabled = PR_FALSE;
- sec_man->IsCapabilityEnabled("UniversalBrowserRead", &isEnabled);
-
- if (isEnabled == PR_FALSE) {
- printf("UniversalBrowserRead is NOT enabled\n");
- } else {
- printf("UniversalBrowserRead IS enabled\n");
- }
-
- sec_man->IsCapabilityEnabled("UniversalBrowserWrite", &isEnabled);
-
- if (isEnabled == PR_FALSE) {
- printf("UniversalBrowserWrite is NOT enabled\n");
- } else {
- printf("UniversalBrowserWrite IS enabled\n");
- }
- }
-
- if (sec_man)
- {
- sec_man->GetSubjectPrincipal(&prin);
- } else {
+IcedTeaJNIEnv::GetEnabledPrivileges(nsCString *privileges)
+{
+ nsresult rv;
+ nsCOMPtr<nsIScriptSecurityManager> sec_man =
+ do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
+
+ if (NS_FAILED(rv) || !sec_man) {
return NS_ERROR_FAILURE;
}
- if (prin)
- {
- nsIURI *uri;
- prin->GetURI(&uri);
-
- if (uri)
- {
- nsCAutoString str;
- uri->GetSpec(str);
- NS_CStringGetData(str, addr);
- } else {
- return NS_ERROR_FAILURE;
- }
- } else {
- return NS_ERROR_FAILURE;
- }
-
-
- nsCOMPtr<nsIJSID> js_id(do_GetService("@mozilla.org/js/xpc/ID;1"));
- printf("JS ID is: %s\n", js_id->GetID()->ToString());
-
- return NS_OK;
-
+ PRBool isEnabled = PR_FALSE;
+
+ // check privileges one by one
+
+ privileges->Truncate();
+ char available_privileges[1024];
+
+ // see: http://docs.sun.com/source/816-6170-10/index.htm
+
+ // Should these other privileges be supported? According to
+ // http://java.sun.com/j2se/1.3/docs/guide/plugin/security.html it is
+ // either UniversalBrowserRead/UniversalJavaPermissions or the highway...
+
+/*
+ // broken down to make it clean...
+ sprintf(available_privileges, "%s %s %s %s %s %s %s %s %s %s %s %s",
+ "LimitedInstall FullInstall SilentInstall",
+ "UniversalAccept UniversalAwtEventQueueAccess UniversalConnect",
+ "UniversalConnectWithRedirect UniversalDialogModality",
+ "UniversalExecAccess UniversalExitAccess UniversalFdRead",
+ "UniversalFileDelete UniversalFileRead UniversalFileWrite",
+ "UniversalLinkAccess UniversalListen UniversalMulticast",
+ "UniversalJavaPermissions UniversalPackageAccess",
+ "UniversalPackageDefinition UniversalPrintJobAccess",
+ "UniversalPropertyRead UniversalPropertyWrite",
+ "UniversalSendMail UniversalSetFactory UniversalSystemClipboardAccess",
+ "UniversalThreadAccess UniversalThreadGroupAccess",
+ "UniversalTopLevelWindow");
+*/
+
+ sprintf(available_privileges, "%s",
+ "UniversalBrowserRead UniversalJavaPermissions");
+
+
+ char *token = strtok(available_privileges, " ");
+ while (token != NULL)
+ {
+ isEnabled = PR_FALSE;
+ sec_man->IsCapabilityEnabled(token, &isEnabled);
+
+ if (isEnabled == PR_TRUE)
+ {
+ printf("GetEnabledPrivileges : %s is enabled\n", token);
+ *privileges += token;
+ *privileges += ",";
+ } else {
+ printf("GetEnabledPrivileges : %s is _NOT_ enabled\n", token);
+ }
+
+ token = strtok (NULL, " ");
+ }
+
+ privileges->Trim(",");
+
+ return NS_OK;
}
NS_IMETHODIMP
@@ -4011,14 +4012,41 @@ IcedTeaJNIEnv::NewObject (jclass clazz,
nsISecurityContext* ctx)
{
PLUGIN_TRACE_JNIENV ();
+
+ char origin[1024];
+ sprintf(origin, "");
+
+ if (ctx)
+ ctx->GetOrigin(origin, 1024);
+
int reference = IncrementContextCounter ();
- MESSAGE_CREATE (reference);
+ MESSAGE_CREATE ();
+ MESSAGE_ADD_STACK_REFERENCE(reference);
+ MESSAGE_ADD_SRC(origin);
+ MESSAGE_ADD_FUNC();
MESSAGE_ADD_REFERENCE (clazz);
MESSAGE_ADD_ID (methodID);
MESSAGE_ADD_ARGS (methodID, args);
MESSAGE_SEND ();
- printf("MSG SEND COMPLETE. NOW RECEIVING...\n");
MESSAGE_RECEIVE_REFERENCE (reference, jobject, result);
+
+ if (factory->result_map[reference]->errorOccurred == PR_TRUE &&
+ factory->result_map[reference]->errorMessage.Find("LiveConnectPermissionNeeded") == 0)
+ {
+ // Permission error. Try again. This time, send permissions over the wire
+ MESSAGE_CREATE ();
+ MESSAGE_ADD_STACK_REFERENCE(reference);
+ MESSAGE_ADD_SRC(origin);
+ MESSAGE_ADD_PRIVILEGES();
+ MESSAGE_ADD_FUNC();
+ MESSAGE_ADD_REFERENCE (clazz);
+ MESSAGE_ADD_ID (methodID);
+ MESSAGE_ADD_ARGS (methodID, args);
+ MESSAGE_SEND ();
+ MESSAGE_RECEIVE_REFERENCE (reference, jobject, result);
+ }
+
+
DecrementContextCounter ();
return NS_OK;
@@ -4033,15 +4061,43 @@ IcedTeaJNIEnv::CallMethod (jni_type type
nsISecurityContext* ctx)
{
PLUGIN_TRACE_JNIENV ();
+
+ char origin[1024];
+ sprintf(origin, "");
+
+ if (ctx)
+ ctx->GetOrigin(origin, 1024);
+
int reference = IncrementContextCounter ();
- MESSAGE_CREATE (reference);
+ MESSAGE_CREATE ();
+ MESSAGE_ADD_STACK_REFERENCE(reference);
+ MESSAGE_ADD_SRC(origin);
+ MESSAGE_ADD_FUNC();
MESSAGE_ADD_REFERENCE (obj);
MESSAGE_ADD_ID (methodID);
MESSAGE_ADD_ARGS (methodID, args);
- std::cout << "CALLMETHOD -- OBJ: " << obj << " METHOD: " << methodID << " ARGS: " << args << std::endl;
MESSAGE_SEND ();
- printf("MSG SEND COMPLETE. NOW RECEIVING...\n");
MESSAGE_RECEIVE_VALUE (reference, type, result);
+
+ if (factory->result_map[reference]->errorOccurred == PR_TRUE &&
+ factory->result_map[reference]->errorMessage.Find("LiveConnectPermissionNeeded") == 0)
+ {
+ MESSAGE_CREATE ();
+ MESSAGE_ADD_STACK_REFERENCE(reference);
+ MESSAGE_ADD_SRC(origin);
+ MESSAGE_ADD_PRIVILEGES();
+ MESSAGE_ADD_FUNC();
+ MESSAGE_ADD_REFERENCE (obj);
+ MESSAGE_ADD_ID (methodID);
+ MESSAGE_ADD_ARGS (methodID, args);
+ MESSAGE_SEND ();
+ MESSAGE_RECEIVE_VALUE (reference, type, result);
+
+ // if everything was OK, clear exception from previous access exception
+ if (factory->result_map[reference]->errorOccurred == PR_FALSE)
+ ExceptionClear();
+ }
+
DecrementContextCounter ();
return NS_OK;
@@ -4307,13 +4363,37 @@ IcedTeaJNIEnv::GetField (jni_type type,
nsISecurityContext* ctx)
{
PLUGIN_TRACE_JNIENV ();
+
+ char origin[1024];
+ sprintf(origin, "");
+
+ if (ctx)
+ ctx->GetOrigin(origin, 1024);
More information about the distro-pkg-dev
mailing list