[RFC][plugin]: class in CWD can block applet from loading.

Denis Lila dlila at redhat.com
Tue Apr 5 09:01:49 PDT 2011 

> We store a lot of things in .icedtea. It is technically possible for
> a malicious applet to access items in .icedtea, which include not just
> cache, but things like trusted certificate list.
> 
> Furthermore, ~/.icedtea exposes user.home

I see.

> I would set it to ICEDTEA_WEB_JRE/lib/rt.jar

The attached patch does that. It also includes the fix for javaws.
Is it ok?

ChangeLog:
+2011-04-05  Denis Lila  <dlila at redhat.com>
+
+	* plugin/icedteanp/IcedTeaNPPlugin.cc
+	(plugin_start_appletviewer): Replace hardcoded indices
+	with a variable; roll up free calls in a loop; fix whitespace;
+	set classpath to ICEDTEA_WEB_JRE/lib/rt.jar.
+	* launcher/javaws.in:
+	Set class path to JRE/lib/rt.jar.
+	* Makefile.am:
+	Replace @JRE@ with $(JRE) in edit_launcher_script.
+

Regards,
Denis.

----- Original Message -----
> * Denis Lila <dlila at redhat.com> [2011-03-29 14:38]:
> > Hi.
> >
> 
> After a fair bit of investigation on other possible solutions by
> Denis,
> this seems to be the best way.
> 
> > + {
> > + command_line = (gchar**) malloc(sizeof(gchar*)*8);
> > + command_line[cmd_num++] = g_strdup(appletviewer_executable);
> > + command_line[cmd_num++] = g_strdup(PLUGIN_BOOTCLASSPATH);
> > + command_line[cmd_num++] = g_strdup("-classpath");
> > + command_line[cmd_num++] = g_strdup("~/.icedtea");
> 
> 
> The patch is mostly fine, but the -classpath should not be set to
> .icedtea.
> 
> 
> Cheers,
> Deepak
> 
> > + command_line[cmd_num++] = g_strdup("sun.applet.PluginMain");
> > + command_line[cmd_num++] = g_strdup(out_pipe_name);
> > + command_line[cmd_num++] = g_strdup(in_pipe_name);
> > + command_line[cmd_num] = NULL;
> > + }
> >
> >    environment = plugin_filter_environment();
> >
> > @@ -1590,25 +1595,9 @@
> >
> >    g_strfreev (environment);
> >
> > - g_free (command_line[0]);
> > - command_line[0] = NULL;
> > - g_free (command_line[1]);
> > - command_line[1] = NULL;
> > - g_free (command_line[2]);
> > - command_line[2] = NULL;
> > - g_free (command_line[3]);
> > - command_line[3] = NULL;
> > - g_free (command_line[4]);
> > - command_line[4] = NULL;
> > -
> > - if (plugin_debug)
> > - {
> > - g_free (command_line[5]);
> > - command_line[5] = NULL;
> > - g_free (command_line[6]);
> > - command_line[6] = NULL;
> > - g_free (command_line[7]);
> > - command_line[7] = NULL;
> > + for (int i = 0; i < cmd_num; i++) {
> > + g_free (command_line[i]);
> > + command_line[i] = NULL;
> >    }
> >
> >    g_free(command_line);
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hg.diff
Type: text/x-patch
Size: 5378 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20110405/1817b72d/hg.diff

More information about the distro-pkg-dev mailing list