/hg/icedtea-web: add configuration support for user prompts and ...

Deepak Bhole dbhole at redhat.com
Tue Nov 23 11:54:48 PST 2010 

* Omair Majid <omajid at redhat.com> [2010-11-23 14:50]:
> On 11/18/2010 12:02 PM, omajid at icedtea.classpath.org wrote:
> >changeset 88d31285a14b in /hg/icedtea-web
> >details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=88d31285a14b
> >author: Omair Majid<omajid at redhat.com>
> >date: Thu Nov 18 11:55:26 2010 -0500
> >
> >	add configuration support for user prompts and other access control
> >	options
> >
> 
> I found a problem with this changeset.
> 
> >@@ -187,6 +188,11 @@ public class SecurityDesc {
> >          for (int i=0; i<  sandboxPermissions.length; i++)
> >              permissions.add(sandboxPermissions[i]);
> >
> >+        String key = DeploymentConfiguration.KEY_SECURITY_ALLOW_HIDE_WINDOW_WARNING;
> >+        if (Boolean.valueOf(JNLPRuntime.getConfiguration().getProperty(key)) == Boolean.TRUE) {
> >+            permissions.add(new AWTPermission("showWindowWithoutWarningBanner"));
> >+        }
> >+
> 
> This leads to infinite recursion if the caller does not have full
> privileges. This calls DeploymentConfiguration, which calls
> JNLPSecurityManager which calls JNLPClassLoader which in turn calls
> SecurityDesc again. I dont know how this bug made it past my tests
> :/ The fix is attached.
> 

Looks good, ok for HEAD!

Cheers,
Deepak

> Thanks,
> Omair

> diff -r dd77da50a226 netx/net/sourceforge/jnlp/SecurityDesc.java
> --- a/netx/net/sourceforge/jnlp/SecurityDesc.java	Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/SecurityDesc.java	Tue Nov 23 14:48:16 2010 -0500
> @@ -53,6 +53,9 @@
>      /** the download host */
>      private String downloadHost;
>  
> +    /** whether sandbox applications should get the show window without banner permission */
> +    private final boolean grantAwtPermissions;
> +
>      /** the JNLP file */
>      private JNLPFile file;
>  
> @@ -146,6 +149,9 @@
>          this.file = file;
>          this.type = type;
>          this.downloadHost = downloadHost;
> +
> +        String key = DeploymentConfiguration.KEY_SECURITY_ALLOW_HIDE_WINDOW_WARNING;
> +        grantAwtPermissions = Boolean.valueOf(JNLPRuntime.getConfiguration().getProperty(key));
>      }
>  
>      /**
> @@ -188,8 +194,7 @@
>          for (int i=0; i < sandboxPermissions.length; i++)
>              permissions.add(sandboxPermissions[i]);
>  
> -        String key = DeploymentConfiguration.KEY_SECURITY_ALLOW_HIDE_WINDOW_WARNING;
> -        if (Boolean.valueOf(JNLPRuntime.getConfiguration().getProperty(key)) == Boolean.TRUE) {
> +        if (grantAwtPermissions) {
>              permissions.add(new AWTPermission("showWindowWithoutWarningBanner"));
>          }
>

More information about the distro-pkg-dev mailing list