/hg/release/icedtea6-1.7: 14 new changesets
andrew at icedtea.classpath.org
Wed Jul 28 05:09:04 PDT 2010
changeset b3f4988afff9 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=b3f4988afff9
author: Deepak Bhole <dbhole at redhat.com>
date: Wed Jul 21 18:40:30 2010 -0400
Fix issue that allowed unsigned applications to modify system
properties.
changeset 6b9ccc0f74d2 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=6b9ccc0f74d2
author: Deepak Bhole <dbhole at redhat.com>
date: Wed Jul 21 18:45:51 2010 -0400
Fix issue that allowed unsigned code to use extension services
without prompt.
Collapse extension loaders into baseloader rather than vice-versa --
this makes it so that a loader is reported signed only if the main
app is.
changeset 39e4a9ec4eb5 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=39e4a9ec4eb5
author: Deepak Bhole <dbhole at redhat.com>
date: Wed Jul 21 19:30:04 2010 -0400
Add new security dialog that prompts the user if there is mixed
signed and unsigned code present.
changeset cf334d2dae6e in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=cf334d2dae6e
author: Deepak Bhole <dbhole at redhat.com>
date: Thu Jul 22 01:53:55 2010 -0400
Warn user if extended services are being used from unsigned code
(even if the main application code is signed).
changeset eb2ab50f5a28 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=eb2ab50f5a28
author: Deepak Bhole <dbhole at redhat.com>
date: Thu Jul 22 19:24:19 2010 -0400
Track security descriptors per jar, and make permission decisions
based on them.
changeset d88454e407dd in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=d88454e407dd
author: Deepak Bhole <dbhole at redhat.com>
date: Thu Jul 22 19:27:54 2010 -0400
Mark jar as unverified only if it is unsigned (since signed jars --
even ones with problems, are still 'verified' for contents).
changeset 391a0a5145ca in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=391a0a5145ca
author: Deepak Bhole <dbhole at redhat.com>
date: Thu Jul 22 19:30:39 2010 -0400
Make sandbox permissions a subset of permissions returned for any
code source.
changeset 337a1a5344da in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=337a1a5344da
author: Deepak Bhole <dbhole at redhat.com>
date: Fri Jul 23 12:02:01 2010 -0400
Add security descriptor mapping for nested jars.
changeset 26fd1324d482 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=26fd1324d482
author: Andrew John Hughes <ahughes at redhat.com>
date: Mon Jul 26 21:56:08 2010 +0100
Add security fixes to NEWS and set date to 28th of July for the
1.7.4 release.
2010-07-26 Andrew John Hughes <ahughes at redhat.com>
* NEWS: Add security fixes and date of 1.7.4.
changeset 5760b0bf92c2 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=5760b0bf92c2
author: Andrew John Hughes <ahughes at redhat.com>
date: Mon Jul 26 22:01:25 2010 +0100
Bump to 1.7.4.
2010-07-26 Andrew John Hughes <ahughes at redhat.com>
* configure.ac: Bump to 1.7.4
changeset c0a3d1ecb3ae in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=c0a3d1ecb3ae
author: Andrew John Hughes <ahughes at redhat.com>
date: Mon Jul 26 23:18:42 2010 +0100
Turn off the old plugin by default so both it and the new plugin
aren't turned on by default.
2010-07-26 Andrew John Hughes <ahughes at redhat.com>
* INSTALL: Update plugin documentation.
* acinclude.m4: Turn off the old plugin (--disable-plugin) by
default.
changeset e5dc3c88292c in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=e5dc3c88292c
author: Andrew John Hughes <ahughes at redhat.com>
date: Mon Jul 26 23:28:16 2010 +0100
Give a warning about the imminent death of the old plugin.
2010-07-26 Andrew John Hughes <ahughes at redhat.com>
* acinclude.m4: Give a warning about the imminent
death of the old plugin.
changeset caae3106585d in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=caae3106585d
author: Andrew John Hughes <ahughes at redhat.com>
date: Tue Jul 27 19:26:44 2010 +0100
Add CVE numbers.
2010-07-27 Andrew John Hughes <ahughes at redhat.com>
* NEWS: Add CVE numbers.
changeset 30dc9370beba in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=30dc9370beba
author: Andrew John Hughes <ahughes at redhat.com>
date: Tue Jul 27 22:55:15 2010 +0100
Only display old plugin warning if --enable-plugin is specified.
2010-07-27 Andrew John Hughes <ahughes at redhat.com>
* acinclude.m4: (IT_CHECK_OLD_PLUGIN): Only display
warning if --enable-plugin is specified.
diffstat:
15 files changed, 536 insertions(+), 163 deletions(-)
ChangeLog | 110 ++++++++
INSTALL | 13
NEWS | 5
acinclude.m4 | 11
configure.ac | 2
rt/net/sourceforge/jnlp/SecurityDesc.java | 65 ++--
rt/net/sourceforge/jnlp/resources/Messages.properties | 2
rt/net/sourceforge/jnlp/runtime/ApplicationInstance.java | 35 ++
rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java | 135 ++++++++--
rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java | 62 ----
rt/net/sourceforge/jnlp/security/NotAllSignedWarningPane.java | 126 +++++++++
rt/net/sourceforge/jnlp/security/SecurityDialogUI.java | 6
rt/net/sourceforge/jnlp/security/SecurityWarningDialog.java | 35 ++
rt/net/sourceforge/jnlp/services/ServiceUtil.java | 60 ++--
rt/net/sourceforge/jnlp/tools/JarSigner.java | 32 +-
diffs (truncated from 1066 to 500 lines):
diff -r 7763083fc25d -r 30dc9370beba ChangeLog
--- a/ChangeLog Mon Jul 26 20:51:29 2010 +0100
+++ b/ChangeLog Tue Jul 27 22:55:15 2010 +0100
@@ -1,3 +1,113 @@ 2010-07-26 Andrew John Hughes <ahughes
+2010-07-27 Andrew John Hughes <ahughes at redhat.com>
+
+ * acinclude.m4:
+ (IT_CHECK_OLD_PLUGIN): Only display warning
+ if --enable-plugin is specified.
+
+2010-07-27 Andrew John Hughes <ahughes at redhat.com>
+
+ * NEWS: Add CVE numbers.
+
+2010-07-26 Andrew John Hughes <ahughes at redhat.com>
+
+ * acinclude.m4: Give a warning about the
+ imminent death of the old plugin.
+
+2010-07-26 Andrew John Hughes <ahughes at redhat.com>
+
+ * INSTALL: Update plugin documentation.
+ * acinclude.m4: Turn off the old plugin
+ (--disable-plugin) by default.
+
+2010-07-26 Andrew John Hughes <ahughes at redhat.com>
+
+ * configure.ac: Bump to 1.7.4
+
+2010-07-26 Andrew John Hughes <ahughes at redhat.com>
+
+ * NEWS: Add security fixes and date of 1.7.4.
+
+2010-07-23 Deepak Bhole <dbhole at redhat.com>
+
+ * rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java (activateJars): Add
+ security descriptor mapping for nested jars.
+
+2010-07-22 Deepak Bhole <dbhole at redhat.com>
+
+ * rt/net/sourceforge/jnlp/SecurityDesc.java (getPermissions): Clean up
+ method, and make sure sandbox permissions are always a subset of what is
+ returned.
+
+2010-07-22 Deepak Bhole <dbhole at redhat.com>
+
+ * t/net/sourceforge/jnlp/tools/JarSigner.java: Add new verifyResult enum
+ to track verification status.
+ (verifyJars): Mark jar unverified only if it has no signature.
+ (verifyJar): Use new verifyResult enum to return status based on if jar is
+ unsigned, signed but with errors, or signed and ok.
+
+2010-07-22 Deepak Bhole <dbhole at redhat.com>
+
+ * rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: Added a new
+ HashMap to map source locations to security descriptors for that location.
+ (getInstance): Use the new merge() method to merge loader data.
+ (initializeResources): Add map entries to the new jarLocationSecurityMap.
+ (getPermissions): Decide permissions based on security descriptor
+ associated with the calling code, rather than with the jnlp file.
+ (getCodeSourceSecurity): New method. Returns the security descriptor
+ associated with the given code source URL.
+ (merge): New method. Merges loader classpaths, native dir paths, and
+ security descriptor mappings.
+
+2010-07-22 Deepak Bhole <dbhole at redhat.com>
+
+ * rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java (getInstance):
+ Collapse new loader paths into base loader.
+ * rt/net/sourceforge/jnlp/services/ServiceUtil.java (checkAccess): Check
+ if calling code is trusted all the way to the end. If it isn't, prompt
+ user.
+
+2010-07-21 Deepak Bhole <dbhole at redhat.com>
+
+ * rt/net/sourceforge/jnlp/resources/Messages.properties: Add new strings.
+ * rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java (getInstance):
+ Prompt user if the main app code is signed, but the extentions aren't.
+ (initializeResources): Prompt user if there are any unsigned jars mixed
+ with signed jars.
+ * rt/net/sourceforge/jnlp/security/NotAllSignedWarningPane.java: New file.
+ Dialog shown to user if the main app code is signed but the extentions aren't.
+ * rt/net/sourceforge/jnlp/security/SecurityDialogUI.java
+ (SecurityDialogUI): Add a constructor that doesn't take a CertVerifier
+ object.
+ * rt/net/sourceforge/jnlp/security/SecurityWarningDialog.java: Added
+ dialog and accesstype enum elements for a 'Not all jars signed' case.
+ (showNotAllSignedWarningDialog): New function. Prompts the user if the
+ main app code is signed but the extentions aren't.
+ (createDialog): Wire in the 'Not all jars signed' case.
+ (updateUI): Same.
+ * rt/net/sourceforge/jnlp/tools/JarSigner.java (allJarsSigned): New
+ function. Returns if there are any unsigned jars.
+
+2010-07-21 Deepak Bhole <dbhole at redhat.com>
+
+ * rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java (getInstance):
+ Collapse extention loaders into baseloader rather than vice-verse.
+
+2010-07-21 Deepak Bhole <dbhole at redhat.com>
+
+ * rt/net/sourceforge/jnlp/SecurityDesc.java: Converge all property
+ permission settings info a single class.
+ (getPermissions): Do not give read/write permissions to anything other
+ than what is allowed by spec.
+ (getSandBoxPermissions): Same.
+ * rt/net/sourceforge/jnlp/runtime/ApplicationInstance.java: Remove
+ blanket imports.
+ (installEnvironment): Write properties in a restricted
+ AccessControlContext based on app specific permissions only.
+ * rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
+ (checkPermission): Remove all property permission decision making code
+ and collapse it all into SecurityDesc.java.
+
2010-07-26 Andrew John Hughes <ahughes at redhat.com>
* NEWS: Fix position of policy evaluation fix
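Review bot: the 2010-07-22 JarSigner entry gives the path as `t/net/sourceforge/jnlp/tools/JarSigner.java`, dropping the leading `r` of `rt/`, and the 07-21 entries misspell `extention`/`extentions` (four times) and `vice-verse`, while the SecurityDesc entry reads `settings info a single class` for `into`. Worth fixing here since the ChangeLog is the only per-method record of these security changes.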
diff -r 7763083fc25d -r 30dc9370beba INSTALL
--- a/INSTALL Mon Jul 26 20:51:29 2010 +0100
+++ b/INSTALL Tue Jul 27 22:55:15 2010 +0100
@@ -31,7 +31,7 @@ libpng-devel
libpng-devel
libjpeg-devel >= 6b
zlib-devel
-xulrunner-devel (can be disabled using --disable-plugin)
+xulrunner-devel (can be disabled using --disable-npplugin)
rhino (can be disabled using --without-rhino)
libffi (for --enable-zero or on archs other than x86/x86_64/sparc)
pulseaudio-libs-devel >= 0.9.11 (for --enable-pulse-java)
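Review bot: the xulrunner-devel line now says the dependency goes away with --disable-npplugin, but the Browser Plugin section in this same patch says --disable-npplugin --enable-plugin builds the old plugin, which that section describes as targeting xulrunner (pre-1.9.2); suggest "(can be disabled using --disable-npplugin, unless --enable-plugin is also given)" so the dependency list doesn't understate the requirement.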
@@ -162,7 +162,7 @@ These are documented fully in the releva
* --enable-cacao: Replace HotSpot with the CACAO VM.
* --enable-shark: Build the Shark LLVM-based JIT.
* --enable-zero: Build the zero assembler port on x86/x86_64/sparc platforms.
-* --disable-plugin: Don't build the browser plugin.
+* --enable-plugin: Build the old browser plugin.
* --disable-npplugin: Build the old unsupported plugin rather than NPPlugin.
* --with-hotspot-build: The HotSpot to use, defaulting to 'original' i.e. hs14 as bundled with OpenJDK.
* --with-rhino: Include Javascript support using Rhino.
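Review bot: the unchanged line "* --disable-npplugin: Build the old unsupported plugin rather than NPPlugin." directly below the edited line is now stale: per the Browser Plugin paragraph in this patch and the new acinclude.m4 default, --disable-npplugin on its own builds no plugin at all and the old plugin needs an explicit --enable-plugin. Suggest "* --disable-npplugin: Don't build the NPRuntime-based plugin."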
@@ -281,10 +281,11 @@ The Browser Plugin
IcedTea6 currently includes two browser plugins; a new supported
plugin based on NPRuntime and an older deprecated plugin used in
-previous releases. By default, the first will be built and this
-is the recommended option. Passing the option --disable-npplugin
-reverts to the old plugin, while --disable-plugin turns off the
-build of a browser plugin altogether.
+previous releases. By default, the first will be built and this is
+the recommended option. Passing the option --disable-npplugin turns
+off the build of a browser plugin altogether, while --disable-npplugin
+--enable-plugin will build the old unsupported plugin, which won't work
+with xulrunner 1.9.2 or later.
A test suite is supplied for the browser plugin. It can be built
using 'make plugin-tests' and run by loading the HTML page specified
diff -r 7763083fc25d -r 30dc9370beba NEWS
--- a/NEWS Mon Jul 26 20:51:29 2010 +0100
+++ b/NEWS Tue Jul 27 22:55:15 2010 +0100
@@ -1,5 +1,8 @@ New in release 1.7.4 (2010-XX-XX):
-New in release 1.7.4 (2010-XX-XX):
+New in release 1.7.4 (2010-07-28):
+* NetX security issues:
+ - (CVE-2010-2783, RH616895): IcedTea 'Extended JNLP Services' arbitrary file access
+ - (CVE-2010-2548, RH616893): IcedTea Incomplete property access check for unsigned applications
* Backport --with-tzdata-dir support from IcedTea6 1.8 to ensure
that external timezone data works again.
* Restore icedtea-override-metacity.patch to allow full screen apps and
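Review bot: the two CVE entries cover the fixes, but the patch also introduces a new user-visible prompt (NotAllSignedWarningPane, shown when signed and unsigned jars are mixed or when a signed application uses unsigned extensions) and stops granting read,write on arbitrary <property> values to sandboxed applications; both are behaviour changes users and packagers will notice and deserve a line under "NetX security issues" or a separate bullet.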
diff -r 7763083fc25d -r 30dc9370beba acinclude.m4
--- a/acinclude.m4 Mon Jul 26 20:51:29 2010 +0100
+++ b/acinclude.m4 Tue Jul 27 22:55:15 2010 +0100
@@ -1260,12 +1260,15 @@ AC_DEFUN_ONCE([IT_OBTAIN_HG_REVISIONS],
AC_DEFUN_ONCE([IT_CHECK_OLD_PLUGIN],
[
-AC_MSG_CHECKING([whether to build the browser plugin])
+AC_MSG_CHECKING([whether to build the old browser plugin])
AC_ARG_ENABLE([plugin],
- [AS_HELP_STRING([--disable-plugin],
- [Disable compilation of browser plugin])],
- [enable_plugin="${enableval}"], [enable_plugin="yes"])
+ [AS_HELP_STRING([--enable-plugin],
+ [Enable compilation of the old browser plugin])],
+ [enable_plugin="${enableval}"], [enable_plugin="no"])
AC_MSG_RESULT(${enable_plugin})
+if test "x${enable_plugin}" = "xyes"; then
+ AC_MSG_WARN([The old plugin is no longer maintained and will be removed in 1.7.5.])
+fi
])
AC_DEFUN_ONCE([IT_CHECK_NEW_PLUGIN],
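Review bot: IT_CHECK_OLD_PLUGIN still does not guard against both plugins being enabled at once; the commit message for c0a3d1ecb3ae only changes the default, and INSTALL now tells users to pair --enable-plugin with --disable-npplugin, so an AC_MSG_ERROR (or at least a warning) where both values are known, e.g. in IT_CHECK_NEW_PLUGIN, would stop the two from being built together. The AC_MSG_WARN about removal in 1.7.5 is correctly limited to enable_plugin=yes, as the last commit message says.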
diff -r 7763083fc25d -r 30dc9370beba configure.ac
--- a/configure.ac Mon Jul 26 20:51:29 2010 +0100
+++ b/configure.ac Tue Jul 27 22:55:15 2010 +0100
@@ -1,4 +1,4 @@ AC_INIT([icedtea6], [1.7.3], [distro-pkg
-AC_INIT([icedtea6], [1.7.3], [distro-pkg-dev at openjdk.java.net])
+AC_INIT([icedtea6], [1.7.4], [distro-pkg-dev at openjdk.java.net])
AM_INIT_AUTOMAKE([1.9 tar-pax foreign])
AC_CONFIG_FILES([Makefile])
diff -r 7763083fc25d -r 30dc9370beba rt/net/sourceforge/jnlp/SecurityDesc.java
--- a/rt/net/sourceforge/jnlp/SecurityDesc.java Mon Jul 26 20:51:29 2010 +0100
+++ b/rt/net/sourceforge/jnlp/SecurityDesc.java Tue Jul 27 22:55:15 2010 +0100
@@ -53,6 +53,11 @@ public class SecurityDesc {
/** the JNLP file */
private JNLPFile file;
+ // We go by the rules here:
+ // http://java.sun.com/docs/books/tutorial/deployment/doingMoreWithRIA/properties.html
+
+ // Since this is security sensitive, take a conservative approach:
+ // Allow only what is specifically allowed, and deny everything else
/** basic permissions for restricted mode */
private static Permission j2eePermissions[] = {
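Review bot: the new comment block sits between the `file` field and the javadoc of j2eePermissions, so it reads as documenting that array, while the rules at the linked URL apply to the sandbox and RIA property lists further down; make it a class-level comment or move it next to jnlpRIAPermissions.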
@@ -95,6 +100,9 @@ public class SecurityDesc {
new PropertyPermission("java.vm.vendor", "read"),
new PropertyPermission("java.vm.name", "read"),
new PropertyPermission("javawebstart.version", "read"),
+ new PropertyPermission("javaplugin.*", "read"),
+ new PropertyPermission("jnlp.*", "read,write"),
+ new PropertyPermission("javaws.*", "read,write"),
new RuntimePermission("exitVM"),
new RuntimePermission("stopThread"),
new AWTPermission("showWindowWithoutWarningBanner"),
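Review bot: the three wildcard grants added here land in the baseline list every sandboxed code source gets, so a short comment saying they are the properties the JNLP spec lets untrusted applications read (javaplugin.*) and read/write (jnlp.*, javaws.*) would make the intent explicit; together with the removed per-<property> loops below, this is what narrows property access for unsigned applications (CVE-2010-2548).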
@@ -105,6 +113,26 @@ public class SecurityDesc {
// new AWTPermission("accessEventQueue"),
};
+ /** basic permissions for restricted mode */
+ private static Permission jnlpRIAPermissions[] = {
+ new PropertyPermission("awt.useSystemAAFontSettings", "read,write"),
+ new PropertyPermission("http.agent", "read,write"),
+ new PropertyPermission("http.keepAlive", "read,write"),
+ new PropertyPermission("java.awt.syncLWRequests", "read,write"),
+ new PropertyPermission("java.awt.Window.locationByPlatform", "read,write"),
+ new PropertyPermission("javaws.cfg.jauthenticator", "read,write"),
+ new PropertyPermission("javax.swing.defaultlf", "read,write"),
+ new PropertyPermission("sun.awt.noerasebackground", "read,write"),
+ new PropertyPermission("sun.awt.erasebackgroundonresize", "read,write"),
+ new PropertyPermission("sun.java2d.d3d", "read,write"),
+ new PropertyPermission("sun.java2d.dpiaware", "read,write"),
+ new PropertyPermission("sun.java2d.noddraw", "read,write"),
+ new PropertyPermission("sun.java2d.opengl", "read,write"),
+ new PropertyPermission("swing.boldMetal", "read,write"),
+ new PropertyPermission("swing.metalTheme", "read,write"),
+ new PropertyPermission("swing.noxp", "read,write"),
+ new PropertyPermission("swing.useSystemFontSettings", "read,write"),
+ };
/**
* Create a security descriptor.
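Review bot: the javadoc on jnlpRIAPermissions, "/** basic permissions for restricted mode */", is a copy of the one on j2eePermissions a few lines up; describe it as the "secure properties" a Web Start application may read and write (the list from the linked doc), otherwise the two arrays look interchangeable. Everything here is read,write, including http.agent and http.keepAlive, so a sandboxed application can change the User-Agent and keep-alive behaviour of its own connections; that matches the reference list but is worth stating in the comment.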
@@ -118,7 +146,7 @@ public class SecurityDesc {
this.type = type;
this.downloadHost = downloadHost;
}
-
+
/**
* Returns the permissions type, one of: ALL_PERMISSIONS,
* SANDBOX_PERMISSIONS, J2EE_PERMISSIONS.
@@ -132,35 +160,19 @@ public class SecurityDesc {
* permissions granted depending on the security type.
*/
public PermissionCollection getPermissions() {
- Permissions permissions = new Permissions();
+ PermissionCollection permissions = getSandBoxPermissions();
- // all
+ // discard sandbox, give all
if (type == ALL_PERMISSIONS) {
+ permissions = new Permissions();
permissions.add(new AllPermission());
return permissions;
}
- // restricted
- if (type == SANDBOX_PERMISSIONS) {
- for (int i=0; i < sandboxPermissions.length; i++)
- permissions.add(sandboxPermissions[i]);
-
- if (downloadHost != null)
- permissions.add(new SocketPermission(downloadHost,
- "connect, accept"));
- }
-
- // j2ee
+ // add j2ee to sandbox if needed
if (type == J2EE_PERMISSIONS)
for (int i=0; i < j2eePermissions.length; i++)
permissions.add(j2eePermissions[i]);
-
- // properties
- PropertyDesc props[] = file.getResources().getProperties();
- for (int i=0; i < props.length; i++) {
- // should only allow jnlp.* properties if in sandbox?
- permissions.add(new PropertyPermission(props[i].getKey(), "read,write"));
- }
return permissions;
}
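Review bot: removing the loop over file.getResources().getProperties() means a <property> declared in the JNLP file no longer earns read,write permission just by being declared; only names covered by the fixed lists (jnlp.*, javaws.*, the RIA set) are now writable by sandboxed code, which answers the old "// should only allow jnlp.* properties if in sandbox?" question and is the behaviour change behind CVE-2010-2548. Starting from getSandBoxPermissions() and layering j2eePermissions on top also guarantees the sandbox set is a subset of every non-ALL result, as the commit message for 391a0a5145ca states.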
@@ -175,16 +187,13 @@ public class SecurityDesc {
for (int i=0; i < sandboxPermissions.length; i++)
permissions.add(sandboxPermissions[i]);
+ if (file.isApplication())
+ for (int i=0; i < jnlpRIAPermissions.length; i++)
+ permissions.add(jnlpRIAPermissions[i]);
+
if (downloadHost != null)
permissions.add(new SocketPermission(downloadHost,
"connect, accept"));
-
- // properties
- PropertyDesc props[] = file.getResources().getProperties();
- for (int i=0; i < props.length; i++) {
- // should only allow jnlp.* properties if in sandbox?
- permissions.add(new PropertyPermission(props[i].getKey(), "read,write"));
- }
return permissions;
}
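Review bot: jnlpRIAPermissions is granted only when file.isApplication(), so applets do not get the RIA property set; if that is deliberate (the reference list is for Web Start), say so in a comment, because the array's javadoc does not mention the application-only scope.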
diff -r 7763083fc25d -r 30dc9370beba rt/net/sourceforge/jnlp/resources/Messages.properties
--- a/rt/net/sourceforge/jnlp/resources/Messages.properties Mon Jul 26 20:51:29 2010 +0100
+++ b/rt/net/sourceforge/jnlp/resources/Messages.properties Tue Jul 27 22:55:15 2010 +0100
@@ -52,6 +52,8 @@ LCantDetermineMainClassInfo=Could not de
LCantDetermineMainClassInfo=Could not determine the main class for this application.
LUnsignedJarWithSecurity=Cannot grant permissions to unsigned jars.
LUnsignedJarWithSecurityInfo=Application requested security permissions, but jars are not signed.
+LSignedAppJarUsingUnsignedJar=Signed application using unsigned jars.
+LSignedAppJarUsingUnsignedJarInfo=The main application jar is signed, but some of the jars it is using aren't.
JNotApplet=File is not an applet.
JNotApplication=File is not an application.
diff -r 7763083fc25d -r 30dc9370beba rt/net/sourceforge/jnlp/runtime/ApplicationInstance.java
--- a/rt/net/sourceforge/jnlp/runtime/ApplicationInstance.java Mon Jul 26 20:51:29 2010 +0100
+++ b/rt/net/sourceforge/jnlp/runtime/ApplicationInstance.java Tue Jul 27 22:55:15 2010 +0100
@@ -17,17 +17,26 @@
package net.sourceforge.jnlp.runtime;
-import java.awt.*;
-import java.util.*;
-import java.util.List;
-import java.security.*;
+import java.awt.Window;
+import java.net.URL;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.CodeSource;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
+
import javax.swing.event.EventListenerList;
-import net.sourceforge.jnlp.*;
-import net.sourceforge.jnlp.event.*;
+import net.sourceforge.jnlp.JNLPFile;
+import net.sourceforge.jnlp.PropertyDesc;
+import net.sourceforge.jnlp.SecurityDesc;
+import net.sourceforge.jnlp.ShortcutDesc;
+import net.sourceforge.jnlp.event.ApplicationEvent;
+import net.sourceforge.jnlp.event.ApplicationListener;
import net.sourceforge.jnlp.security.SecurityWarningDialog.AccessType;
import net.sourceforge.jnlp.services.ServiceUtil;
-import net.sourceforge.jnlp.util.*;
+import net.sourceforge.jnlp.util.WeakList;
+import net.sourceforge.jnlp.util.XDesktopEntry;
/**
* Represents a running instance of an application described in a
@@ -159,6 +168,16 @@ public class ApplicationInstance {
*/
void installEnvironment() {
final PropertyDesc props[] = file.getResources().getProperties();
+
+ CodeSource cs = new CodeSource((URL) null, (java.security.cert.Certificate [])null);
+
+ JNLPClassLoader loader = (JNLPClassLoader) this.loader;
+ SecurityDesc s = loader.getSecurity();
+
+ ProtectionDomain pd = new ProtectionDomain(cs, s.getPermissions(), null, null);
+
+ // Add to hashmap
+ AccessControlContext acc = new AccessControlContext(new ProtectionDomain[] {pd});
PrivilegedAction installProps = new PrivilegedAction() {
public Object run() {
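Review bot: the comment "// Add to hashmap" above the AccessControlContext construction is misleading: nothing is added to a map here; the code builds a ProtectionDomain with a null CodeSource and the application's own SecurityDesc permissions and wraps it in an AccessControlContext. Replace it with a comment saying the context restricts property installation to the app's own permissions. The unchecked cast `(JNLPClassLoader) this.loader` also deserves a comment (or an instanceof guard) explaining why the loader is always a JNLPClassLoader at this point.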
@@ -169,7 +188,7 @@ public class ApplicationInstance {
return null;
}
};
- AccessController.doPrivileged(installProps);
+ AccessController.doPrivileged(installProps, acc);
}
/**
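Review bot: with doPrivileged(installProps, acc) the property writes in run() are now checked against the app's permissions, so a sandboxed application that declares a <property> outside jnlp.*/javaws.* (or the RIA list) will get an AccessControlException inside installEnvironment instead of having the property set; the body of run() is not fully visible in this diff, so confirm it catches that and reports a readable launch error rather than aborting with a stack trace.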
diff -r 7763083fc25d -r 30dc9370beba rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Mon Jul 26 20:51:29 2010 +0100
+++ b/rt/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Jul 27 22:55:15 2010 +0100
@@ -26,6 +26,7 @@ import java.net.URLClassLoader;
import java.net.URLClassLoader;
import java.security.AccessControlContext;
import java.security.AccessController;
+import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
@@ -140,6 +141,9 @@ public class JNLPClassLoader extends URL
/** File entries in the jar files available to this classloader */
private TreeSet jarEntries = new TreeSet();
+ /** Map of specific codesources to securitydesc */
+ private HashMap<URL, SecurityDesc> jarLocationSecurityMap = new HashMap<URL, SecurityDesc>();
+
/**
* Create a new JNLPClassLoader from the specified file.
*
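Review bot: jarLocationSecurityMap is keyed by java.net.URL, whose equals()/hashCode() resolve host names and can block or give different answers between lookups. The keys inserted later in this patch are file: URLs of cache files (tracker.getCacheFile(...).toURI().toURL()), so resolution is not triggered in practice, but keying by URI or by the cache File path avoids the trap if a non-file URL ever lands in the map.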
@@ -250,24 +254,19 @@ public class JNLPClassLoader extends URL
JNLPClassLoader extLoader = (JNLPClassLoader) urlToLoader.get(uniqueKey);
if (extLoader != null && extLoader != loader) {
- for (URL u : loader.getURLs())
- extLoader.addURL(u);
- for (File nativeDirectory: loader.getNativeDirectories())
- extLoader.addNativeDirectory(nativeDirectory);
- loader = extLoader;
+ if (loader.signing && !extLoader.signing)
+ if (!SecurityWarningDialog.showNotAllSignedWarningDialog(file))
+ throw new LaunchException(file, null, R("LSFatal"), R("LCClient"), R("LSignedAppJarUsingUnsignedJar"), R("LSignedAppJarUsingUnsignedJarInfo"));
+
+ loader.merge(extLoader);
}
// loader is now current + ext. But we also need to think of
// the baseLoader
if (baseLoader != null && baseLoader != loader) {
- for (URL u : loader.getURLs())
- baseLoader.addURL(u);
- for (File nativeDirectory: loader.getNativeDirectories())
- baseLoader.addNativeDirectory(nativeDirectory);
-
- loader = baseLoader;
- }
+ loader.merge(baseLoader);
+ }
} else {
// if key is same and locations match, this is the loader we want
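Review bot: the direction of merge() is not visible in this truncated diff, and `loader.merge(baseLoader)` reads as merging the base loader into the new loader, while the commit message for 6b9ccc0f74d2 says extension loaders are collapsed into the base loader so that signing is only reported when the main app is signed; a javadoc on merge() stating which side is absorbed (and whose signing flag survives) would settle this. Also the nested unbraced ifs at `if (loader.signing && !extLoader.signing)` / `if (!SecurityWarningDialog.showNotAllSignedWarningDialog(file))` / `throw ...` need braces; a later edit adding a line there will change the control flow silently.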
@@ -403,6 +402,10 @@ public class JNLPClassLoader extends URL
if (js.anyJarsSigned()){
signing = true;
+ if (!js.allJarsSigned() &&
+ !SecurityWarningDialog.showNotAllSignedWarningDialog(file))
+ throw new LaunchException(file, null, R("LSFatal"), R("LCClient"), R("LSignedAppJarUsingUnsignedJar"), R("LSignedAppJarUsingUnsignedJarInfo"));
+
//user does not trust this publisher
if (!js.getAlreadyTrustPublisher()) {
checkTrustWithUser(js);
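Review bot: the LaunchException for the mixed-signing case is built identically here and in getInstance (R("LSFatal"), R("LCClient"), R("LSignedAppJarUsingUnsignedJar"), R("LSignedAppJarUsingUnsignedJarInfo")); factor a small helper so both sites stay in sync. The ordering is right, though: the not-all-signed prompt runs before checkTrustWithUser, so the user learns about unsigned jars before being asked to trust the publisher.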
@@ -417,6 +420,34 @@ public class JNLPClassLoader extends URL
signing = false;
//otherwise this jar is simply unsigned -- make sure to ask
//for permission on certain actions
+ }
+ }
+
+ for (JARDesc jarDesc: file.getResources().getJARs()) {
+ try {
+ URL location = tracker.getCacheFile(jarDesc.getLocation()).toURI().toURL();
+ SecurityDesc jarSecurity = file.getSecurity();
+
+ if (file instanceof PluginBridge) {
+
+ URL codebase = null;
+
+ if (file.getCodeBase() != null) {
+ codebase = file.getCodeBase();
+ } else {
+ //Fixme: codebase should be the codebase of the Main Jar not
+ //the location. Although, it still works in the current state.
+ codebase = file.getResources().getMainJAR().getLocation();
+ }
+
+ jarSecurity = new SecurityDesc(file,
+ SecurityDesc.ALL_PERMISSIONS,
+ codebase.getHost());
+ }
+
+ jarLocationSecurityMap.put(location, jarSecurity);
+ } catch (MalformedURLException mfe) {
+ System.err.println(mfe.getMessage());
}
}
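Review bot: a MalformedURLException in the loop that fills jarLocationSecurityMap is only printed to stderr, so the affected jar gets no entry even though getPermissions now decides on this map (ChangeLog: "Decide permissions based on security descriptor associated with the calling code"); a missing entry should fail the launch with a LaunchException rather than continue. Two further points: for a PluginBridge every jar is mapped to ALL_PERMISSIONS regardless of its signature, so the signature gating for applets must happen in getPermissions, which is cut off in this mail; and the "Fixme" about using the main jar's location instead of the codebase should carry a bug reference or be resolved before a security release.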
@@ -501,13 +532,15 @@ public class JNLPClassLoader extends URL
// set default perms
PermissionCollection permissions = security.getSandBoxPermissions();
- // If more than default is needed, evaluate based on codesource