[RFC][plugin]: class in CWD can block applet from loading.

Deepak Bhole dbhole at redhat.com
Fri Apr 1 08:24:20 PDT 2011 

* Denis Lila <dlila at redhat.com> [2011-03-29 16:23]:
> Is this ok?
> 
> +2011-03-29  Denis Lila  <dlila at redhat.com>
> +
> +	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> +	(loadClass): Look through our classes before trying
> +	the system class loader.
> 
> In this version I catch and ignore SecurityExceptions after
> calling findClass(name). This way, if we don't have permissions
> to load a class from the codebase we look through the system
> classloader, which is what we do now.
> 

This patch will not handle cases where the class is in a nested jar and
in cwd, as nested jar lookup is done afterwards.

Conversely, moving it lower won't work either because it would disable
any sort of lazy loading as the first lookup would cause it to try to
download everything.

I see this in the file:
// filter out 'bad' package names like java, javax
// validPackage(name); 

Seems at someone thought about making some sort of exception for system
classes, but didn't fully implement it.

Cheers,
Deepak

> Regards,
> Denis.
> 
> ----- Original Message -----
> > * Denis Lila <dlila at redhat.com> [2011-03-29 14:48]:
> > > > Isn't javaws affected by the problem as well?
> > >
> > > I'm not sure. I'm testing it right now, but I thought
> > > I should post my idea for the fix first. It seems like
> > > the kind of thing with a high likelihood of someone not
> > > liking it. If that were the case, I wouldn't have wanted
> > > to waste time implementing it for javaws too.
> > >
> > 
> > Well, we control the classloader. So if javaws is affected as well
> > (and
> > it most likely will be, given the issue), it'd best to fix it in the
> > classloader than faking a classpath for the system classloader.
> > 
> > Cheers,
> > Deepak
> > 
> > > However, just looking at the code, I would say yes, javaws
> > > is also affected.
> > >
> > > Regards,
> > > Denis.
> > >
> > > ----- Original Message -----
> > > > * Denis Lila <dlila at redhat.com> [2011-03-29 14:38]:
> > > > > Hi.
> > > ...

> diff -r 3bbc4314e02c ChangeLog
> --- a/ChangeLog	Tue Mar 29 10:24:31 2011 -0400
> +++ b/ChangeLog	Tue Mar 29 16:21:20 2011 -0400
> @@ -1,3 +1,9 @@
> +2011-03-29  Denis Lila  <dlila at redhat.com>
> +
> +	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> +	(loadClass): Look through our classes before trying
> +	the system class loader.
> +
>  2011-03-29  Denis Lila <dlila at redhat.com>
>  
>  	* netx/net/sourceforge/jnlp/JNLPFile.java
> diff -r 3bbc4314e02c netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Tue Mar 29 10:24:31 2011 -0400
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Tue Mar 29 16:21:20 2011 -0400
> @@ -990,6 +990,11 @@
>          // try parent classloader
>          if (result == null) {
>              try {
> +                return findClass(name);
> +            } catch (ClassNotFoundException ex) {
> +            } catch (SecurityException ex) {
> +            }
> +            try {
>                  ClassLoader parent = getParent();
>                  if (parent == null)
>                      parent = ClassLoader.getSystemClassLoader();

More information about the distro-pkg-dev mailing list