RFC: Patch to bypass permission check for [System] source
Deepak Bhole
dbhole at redhat.com
Thu Apr 30 12:16:53 PDT 2009
I discovered an issue when investigating:
https://bugzilla.redhat.com/show_bug.cgi?id=484387
When checking for permissions during execution, source file:// has special
privilege. However, there is another source that needs this bypass - the
[System] source which implies code coming from a Mozilla extension.
Attached patch adds the bypass. Patch also makes it so that .equals is
used (as it should be) instead of == when comparing.
ChangeLog:
2009-04-30 Deepak Bhole <dbhole at redhat.com>
* plugin/icedtea/sun/applet/PluginAppletSecurityContext.java: Forgo
permission check if JS source is [System] (i.e. Mozilla extension/chrome).
Deepak
-------------- next part --------------
diff -r 4e5fd2efe6af plugin/icedtea/sun/applet/PluginAppletSecurityContext.java
--- a/plugin/icedtea/sun/applet/PluginAppletSecurityContext.java Thu Apr 30 16:04:37 2009 +0200
+++ b/plugin/icedtea/sun/applet/PluginAppletSecurityContext.java Thu Apr 30 14:39:45 2009 -0400
@@ -1001,7 +1001,7 @@
PluginDebug.debug("target = " + target + " jsSrc=" + jsSrc + " classSrc=" + classSrc);
// if src is not a file and class loader does not map to the same base, UniversalBrowserRead (BrowserReadPermission) must be set
- if (jsSrc != "file://" && !classSrc.equals(jsSrc)) {
+ if (!jsSrc.equals("file://") && !jsSrc.equals("[System]") && !classSrc.equals(jsSrc)) {
acc.checkPermission(new BrowserReadPermission());
}
}
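Review bot: On the changed condition, both new bypasses are decided purely by the string value of jsSrc, and the hunk does not show where jsSrc is populated, so the patch should state (in the comment above the if, which still only mentions the file case) that jsSrc is set by the plugin itself and cannot be influenced by page content. Note also that switching from != to .equals changes behaviour for the existing file:// case: the old reference comparison was true for any jsSrc string that was not the same object as the literal, so the permission check ran even when the value was "file://", whereas now an equal value skips it. That is a second widening of the bypass beyond [System] and deserves a line in the ChangeLog. Finally, jsSrc.equals(...) dereferences jsSrc where the old code did not; writing "file://".equals(jsSrc) and "[System]".equals(jsSrc) avoids a NullPointerException if jsSrc can be null, and a null source then falls through to the classSrc comparison and the permission check rather than aborting the call.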