/hg/icedtea-web: add configuration support for user prompts and ...
Omair Majid
omajid at redhat.com
Tue Nov 23 11:50:52 PST 2010
On 11/18/2010 12:02 PM, omajid at icedtea.classpath.org wrote:
> changeset 88d31285a14b in /hg/icedtea-web
> details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=88d31285a14b
> author: Omair Majid<omajid at redhat.com>
> date: Thu Nov 18 11:55:26 2010 -0500
>
> add configuration support for user prompts and other access control
> options
>
I found a problem with this changeset.
> @@ -187,6 +188,11 @@ public class SecurityDesc {
> for (int i=0; i< sandboxPermissions.length; i++)
> permissions.add(sandboxPermissions[i]);
>
> + String key = DeploymentConfiguration.KEY_SECURITY_ALLOW_HIDE_WINDOW_WARNING;
> + if (Boolean.valueOf(JNLPRuntime.getConfiguration().getProperty(key)) == Boolean.TRUE) {
> + permissions.add(new AWTPermission("showWindowWithoutWarningBanner"));
> + }
> +
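Review bot: the added `if` condition compares `Boolean.valueOf(...)` with `Boolean.TRUE` by reference; `Boolean.parseBoolean(JNLPRuntime.getConfiguration().getProperty(key))` states the intent directly and does not rely on the boxed value being the canonical instance. The configuration lookup also sits inside the code that builds the sandbox permission set, so it runs every time this block is reached, in whatever context the current caller has. Reading the setting once from trusted initialization code and using the stored value here would keep permission construction free of calls back into the runtime. A short comment that `showWindowWithoutWarningBanner` removes the warning banner from sandboxed windows, and that a missing property evaluates to false here, would also help.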
This leads to infinite recursion if the caller does not have full
privileges. This calls DeploymentConfiguration, which calls
JNLPSecurityManager, which calls JNLPClassLoader, which in turn calls
SecurityDesc again. I don't know how this bug made it past my tests :/
The fix is attached.
Thanks,
Omair
-------------- next part --------------
A non-text attachment was scrubbed...
Name: grant-awt-permissions-without-recursion-01.patch
Type: text/x-patch
Size: 1280 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20101123/d851d5c3/grant-awt-permissions-without-recursion-01.patch
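The call cycle described in the message above, modeled as an added Java example. It is not IcedTea-Web code and not the attached patch: every class and method name is hypothetical, and reading the setting once from trusted start-up code is an assumed way to break the cycle.

```java
import java.util.HashSet;
import java.util.Set;

/** Constructed model of the cycle; all names are hypothetical, not IcedTea-Web code. */
public class PermissionRecursionDemo {
    static final int LIMIT = 50; // stop the demo before a real StackOverflowError
    static int depth = 0;
    static boolean callerHasFullPrivileges = false;
    // Assumption: value captured once by trusted start-up code, before sandboxed code runs.
    static final boolean CACHED_HIDE_WARNING = Boolean.parseBoolean("false");

    // Stands in for reading the deployment configuration: the read is access-checked.
    static boolean readConfig() {
        checkAccess();
        return false;
    }

    // Stands in for the security manager: an unprivileged caller needs its permission set.
    static void checkAccess() {
        if (!callerHasFullPrivileges) {
            sandboxPermissions(true);
        }
    }

    // Stands in for building the sandbox permission set.
    static Set<String> sandboxPermissions(boolean readConfigOnDemand) {
        if (++depth > LIMIT) {
            throw new IllegalStateException("re-entered permission building, depth " + depth);
        }
        Set<String> perms = new HashSet<>();
        boolean hide = readConfigOnDemand ? readConfig() : CACHED_HIDE_WARNING;
        if (hide) {
            perms.add("showWindowWithoutWarningBanner");
        }
        depth--;
        return perms;
    }

    public static void main(String[] args) {
        try {
            sandboxPermissions(true); // on-demand read re-enters until the guard trips
        } catch (IllegalStateException e) {
            System.out.println("on-demand read: " + e.getMessage());
        }
        depth = 0;
        System.out.println("cached read: " + sandboxPermissions(false) + ", depth " + depth);
    }
}
```

Setting `callerHasFullPrivileges` to true makes the on-demand path return normally, which matches the report that the recursion only appears for callers without full privileges.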