changeset in /hg/icedtea6: - Fix potential DoS issue when dealin...
Deepak Bhole
dbhole at redhat.com
Fri Oct 31 12:19:18 PDT 2008
changeset a5e8efb4fcff in /hg/icedtea6
details: http://icedtea.classpath.org/hg/icedtea6?cmd=changeset;node=a5e8efb4fcff
description:
- Fix potential DoS issue when dealing with very long URL/targets.
- Decode param values correctly.
- Bypass authentication check when origin matches.
- Show proper Name/Publisher/Origin values when no certificate is associated.
diffstat:
5 files changed, 87 insertions(+), 21 deletions(-)
ChangeLog | 12 ++
IcedTeaPlugin.cc | 20 ++--
plugin/icedtea/sun/applet/PluginAppletViewer.java | 4
rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java | 65 +++++++++++---
rt/net/sourceforge/jnlp/security/AccessWarningPane.java | 7 -
diffs (211 lines):
diff -r 119acc15bc38 -r a5e8efb4fcff ChangeLog
--- a/ChangeLog Fri Oct 31 13:14:28 2008 -0400
+++ b/ChangeLog Fri Oct 31 15:19:14 2008 -0400
@@ -1,3 +1,15 @@ 2008-10-31 Lillian Angel <langel at redha
+2008-10-31 Deepak Bhole <dbhole at redhat.com>
+
+ * IcedTeaPlugin.cc: Fix potential DoS issue when dealing with very long
+ URL/target addresses.
+ * plugin/icedtea/sun/applet/PluginAppletViewer.java: Decode param values
+ correctly.
+ * rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java: Bypass
+ authentication check when origin matches.
+ * rt/net/sourceforge/jnlp/security/AccessWarningPane.java: Show proper
+ Name/Publisher/Origin values when no certificate is associated.
+
+
2008-10-31 Lillian Angel <langel at redhat.com>
* Makefile.am: Updated for new visualvm 1.0.1.
diff -r 119acc15bc38 -r a5e8efb4fcff IcedTeaPlugin.cc
--- a/IcedTeaPlugin.cc Fri Oct 31 13:14:28 2008 -0400
+++ b/IcedTeaPlugin.cc Fri Oct 31 15:19:14 2008 -0400
@@ -1409,19 +1409,19 @@ public:
NS_DECL_ISUPPORTS
NS_DECL_NSIRUNNABLE
- GetURLRunnable (nsIPluginInstancePeer* peer, const char* url, const char* target);
+ GetURLRunnable (nsIPluginInstancePeer* peer, nsCString url, nsCString target);
~GetURLRunnable ();
private:
nsIPluginInstancePeer* peer;
- const char* url;
- const char* target;
+ nsCString url;
+ nsCString target;
};
NS_IMPL_ISUPPORTS1 (GetURLRunnable, nsIRunnable)
-GetURLRunnable::GetURLRunnable (nsIPluginInstancePeer* peer, const char* url, const char* target)
+GetURLRunnable::GetURLRunnable (nsIPluginInstancePeer* peer, nsCString url, nsCString target)
: peer(peer),
url(url),
target(target)
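Review bot: `peer` is still held as a raw `nsIPluginInstancePeer*` while the runnable is dispatched to another event target, so it has the same lifetime problem this change fixes for `url` and `target`, unless the constructor body takes a reference. The constructor body and destructor are outside the hunk, so confirm that they pair `NS_IF_ADDREF (peer)` with `NS_IF_RELEASE (peer)`, or hold the peer in an `nsCOMPtr`. As a smaller point, the strings can be taken as `const nsCString& url, const nsCString& target`, which drops one copy per argument while the members still own their data.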
@@ -1442,7 +1442,7 @@ GetURLRunnable::Run ()
nsIPluginInstanceOwner* owner = nsnull;
ownerGetter->GetOwner (&owner);
- return owner->GetURL ((const char*) url, (const char*) target,
+ return owner->GetURL ((const char*) url.get(), (const char*) target.get(),
nsnull, 0, nsnull, 0);
}
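Review bot: `owner` is initialised to `nsnull`, the result of `ownerGetter->GetOwner (&owner)` is not checked, and the changed line then dereferences it. A guard such as `if (!owner) return NS_ERROR_FAILURE;` before the call avoids a crash when the instance has already been torn down. The `(const char*)` casts on `url.get()` and `target.get()` are redundant now that the members are `nsCString`. `Run ()` starts outside this hunk.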
@@ -2869,8 +2869,8 @@ IcedTeaPluginFactory::HandleMessage (nsC
ownerGetter->GetOwner (&owner);
PLUGIN_DEBUG_2ARG ("Calling GetURL with %s and %s\n", nsCString (url).get (), nsCString (target).get ());
nsCOMPtr<nsIRunnable> event = new GetURLRunnable (instance->peer,
- nsCString (url).get (),
- nsCString (target).get ());
+ nsCString (url),
+ nsCString (target));
current->Dispatch(event, nsIEventTarget::DISPATCH_NORMAL);
}
}
@@ -4062,7 +4062,11 @@ IcedTeaPluginFactory::Eval ()
{
if (!factory->js_cleared_handles.Get(javascript_identifier, NULL))
{
- PLUGIN_DEBUG_2ARG ("Calling Eval: %d, %d\n", javascript_identifier, strSize);
+ nsCString evStr("");
+ for (int i=0; i < strSize; i++)
+ evStr += nameString[i];
+
+ PLUGIN_DEBUG_2ARG ("Calling Eval: %d, %s\n", javascript_identifier, evStr.get());
result = liveconnect->Eval(proxyEnv,
javascript_identifier,
nameString, strSize,
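Review bot: `evStr` is built one element at a time on every `Eval` call purely for the debug message, so the copy is paid even when debugging is off and it grows with the script length. Either keep the original `PLUGIN_DEBUG_2ARG ("Calling Eval: %d, %d\n", javascript_identifier, strSize);` or build the string only under the condition the debug macro itself tests. The declaration of `nameString` is outside the hunk; if it is a UTF-16 buffer, `evStr += nameString[i]` narrows each unit into a byte string and the logged text will be wrong for non-ASCII input. Logging the full eval text also writes page-supplied script content into the debug log, which is worth a comment at the call.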
diff -r 119acc15bc38 -r a5e8efb4fcff plugin/icedtea/sun/applet/PluginAppletViewer.java
--- a/plugin/icedtea/sun/applet/PluginAppletViewer.java Fri Oct 31 13:14:28 2008 -0400
+++ b/plugin/icedtea/sun/applet/PluginAppletViewer.java Fri Oct 31 15:19:14 2008 -0400
@@ -1265,6 +1265,10 @@ import sun.misc.Ref;
skipSpace(in);
val = buf.toString();
}
+
+ val = val.replace(">", ">");
+ val = val.replace("<", "<");
+ val = val.replace("&", "&");
PluginDebug.debug("PUT " + att + " = '" + val + "'");
atts.put(att.toLowerCase(java.util.Locale.ENGLISH), val);
while (true) {
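Review bot: Only three entities are decoded before `atts.put`, so values that use `&quot;`, `&apos;` or numeric character references still reach the applet encoded, assuming full attribute decoding is the intent. As rendered on this page each `replace` maps a character to itself, so the entity names were presumably lost when the archive page was generated. The ampersand replacement has to stay last, as it is, so that an already-escaped `&amp;lt;` is decoded once and not twice; a comment such as `// decode &amp; last to avoid double-decoding` would keep a later edit from reordering the lines. The enclosing parse method starts and ends outside the hunk.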
diff -r 119acc15bc38 -r a5e8efb4fcff rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
--- a/rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Fri Oct 31 13:14:28 2008 -0400
+++ b/rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Fri Oct 31 15:19:14 2008 -0400
@@ -17,19 +17,23 @@
package net.sourceforge.jnlp.runtime;
-import java.awt.*;
-import java.awt.event.*;
-import java.lang.ref.*;
-import javax.swing.*;
-import java.security.*;
-
+import java.awt.Frame;
+import java.awt.Window;
+import java.awt.event.WindowAdapter;
+import java.awt.event.WindowEvent;
+import java.lang.ref.WeakReference;
+import java.net.SocketPermission;
+import java.security.AccessController;
+import java.security.Permission;
+import java.security.PrivilegedAction;
+
+import javax.swing.JWindow;
+
+import net.sourceforge.jnlp.JNLPFile;
import net.sourceforge.jnlp.security.SecurityWarningDialog;
import net.sourceforge.jnlp.services.ServiceUtil;
-import net.sourceforge.jnlp.util.*;
-
+import net.sourceforge.jnlp.util.WeakList;
import sun.security.util.SecurityConstants;
-
-import java.net.SocketPermission;
/**
* Security manager for JNLP environment. This security manager
@@ -124,6 +128,7 @@ class JNLPSecurityManager extends Securi
}
public void windowClosing(WindowEvent e) {
+ System.err.println("Disposing window");
e.getWindow().dispose();
}
};
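Review bot: The added `System.err.println("Disposing window");` looks like leftover debugging and prints unconditionally from the security manager's window listener every time an application window is closed. Remove it, or put it behind the runtime's existing debug switch so normal runs stay quiet.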
@@ -282,6 +287,46 @@ class JNLPSecurityManager extends Securi
if (perm instanceof SocketPermission) {
tmpPerm = new SocketPermission(perm.getName(),
SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION);
+
+ // before proceeding, check if we are trying to connect to same origin
+ ApplicationInstance app = getApplication();
+ JNLPFile file = app.getJNLPFile();
+
+ String srcHost = file.getSourceLocation().getAuthority();
+ String destHost = name;
+
+ // host = abc.xyz.com or abc.xyz.com:<port>
+ if (destHost.indexOf(':') >= 0)
+ destHost = destHost.substring(0, destHost.indexOf(':'));
+
+ // host = abc.xyz.com
+ String[] hostComponents = destHost.split("\\.");
+
+ int length = hostComponents.length;
+ if (length >= 2) {
+
+ // address is in xxx.xxx.xxx format
+ destHost = hostComponents[length -2] + "." + hostComponents[length -1];
+
+ // host = xyz.com i.e. origin
+ boolean isDestHostName = false;
+
+ // make sure that it is not an ip address
+ try {
+ Integer.parseInt(hostComponents[length -1]);
+ } catch (NumberFormatException e) {
+ isDestHostName = true;
+ }
+
+ if (isDestHostName) {
+ // okay, destination is hostname. Now figure out if it is a subset of origin
+ if (srcHost.endsWith(destHost)) {
+ addPermission(tmpPerm);
+ return;
+ }
+ }
+ }
+
} else
tmpPerm = perm;
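Review bot: The same-origin shortcut added inside the `SocketPermission` branch grants `tmpPerm` on a textual suffix match, which is wider than same origin and skips the user prompt. `destHost` is cut down to its last two labels and compared with `srcHost.endsWith(destHost)`, so there is no label boundary check: a source host whose name merely ends in the same characters passes, as does any pair of hosts under a two-label public suffix. `getAuthority()` also includes the port and any user-info, so a source served from a non-default port never matches, and `app` or `file` being null would throw from inside the security check. Compare the exact host instead, case-insensitively and with null guards, as below; a sibling host or parent domain then falls through to the normal prompt. `name` is defined outside the hunk, and the enclosing method starts and ends outside it.

```java
// … unchanged: tmpPerm = new SocketPermission(perm.getName(), ...) …

// Auto-grant only when the destination is exactly the host the JNLP file came from
ApplicationInstance app = getApplication();
JNLPFile file = (app != null) ? app.getJNLPFile() : null;

if (file != null && file.getSourceLocation() != null) {
    // getHost() excludes the port and user-info that getAuthority() carries
    String srcHost = file.getSourceLocation().getHost();
    String destHost = name;

    // host = abc.xyz.com or abc.xyz.com:<port>
    int colon = destHost.indexOf(':');
    if (colon >= 0)
        destHost = destHost.substring(0, colon);

    if (srcHost != null && srcHost.length() > 0
            && srcHost.equalsIgnoreCase(destHost)) {
        addPermission(tmpPerm);
        return;
    }
}

// … unchanged: } else tmpPerm = perm; …
```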
diff -r 119acc15bc38 -r a5e8efb4fcff rt/net/sourceforge/jnlp/security/AccessWarningPane.java
--- a/rt/net/sourceforge/jnlp/security/AccessWarningPane.java Fri Oct 31 13:14:28 2008 -0400
+++ b/rt/net/sourceforge/jnlp/security/AccessWarningPane.java Fri Oct 31 15:19:14 2008 -0400
@@ -84,18 +84,19 @@ public class AccessWarningPane extends S
//We don't worry about exceptions when trying to fill in
//these strings -- we just want to fill in as many as possible.
try {
- name = file.getInformation().getTitle();
+ name = file.getInformation().getTitle() != null ? file.getInformation().getTitle() : "<no associated certificate>";
} catch (Exception e) {
}
try {
- publisher = file.getInformation().getVendor();
+ publisher = file.getInformation().getVendor() != null ? file.getInformation().getVendor() : "<no associated certificate>";
} catch (Exception e) {
}
try {
- from = file.getInformation().getHomepage().toString();
+ from = !file.getInformation().getHomepage().toString().equals("") ? file.getInformation().getHomepage().toString() : file.getSourceLocation().getAuthority();
} catch (Exception e) {
+ from = file.getSourceLocation().getAuthority();
}
//Top label
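Review bot: The fallback `from = file.getSourceLocation().getAuthority();` now sits inside the `catch` block, so it is no longer covered by the "fill in as many as possible" try blocks. If `file` or its source location is null, it throws out of the pane's setup. Wrapping it, for example `try { from = file.getSourceLocation().getAuthority(); } catch (Exception e2) { }`, keeps the stated best-effort behaviour. The placeholder `"<no associated certificate>"` is chosen when the JNLP title or vendor is null, which says nothing about whether a certificate exists. These fields appear to come from the application's own descriptor, so wording like `"<not specified>"` would avoid implying that a shown name or publisher was verified. The enclosing method starts and ends outside the hunk.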