[icedtea-web] RFC: check for nulls in JNLPPolicy.isSystemJar

Omair Majid omajid at redhat.com
Tue Mar 1 15:00:07 PST 2011 

On 03/01/2011 05:41 PM, Deepak Bhole wrote:
> * Deepak Bhole<dbhole at redhat.com>  [2011-03-01 17:23]:
>> * Omair Majid<omajid at redhat.com>  [2011-03-01 17:06]:
>>> On 03/01/2011 04:48 PM, Deepak Bhole wrote:
>>>> * Omair Majid<omajid at redhat.com>   [2011-03-01 16:41]:
>>>>> Hi,
>>>>>
>>>>> The attached patch adds a null check in JNLPPolicy.isSystemJar. It's
>>>>> needed as PluginAppletSecurityContext.getAccessControlContext
>>>>> creates CodeSources with null locations.
>>>>>
>>>>
>>>> Why is this needed? The function is only called from getPermissions()
>>>> which does a check on source prior to calling:
>>>>
>>>>          if (source.equals(systemSource) || source.equals(shellSource))
>>>>              return getAllPermissions();
>>>>
>>>
>>> Actually, the code is more like this:
>>>
>>>      public PermissionCollection getPermissions(CodeSource source) {
>>>          if (source.equals(systemSource) || source.equals(shellSource))
>>>              return getAllPermissions();
>>>
>>>          if (isSystemJar(source)) {
>>>              return getAllPermissions();
>>>          }
>>>
>>
>> Yep, I know. Which means source is (in some way) looked at before
>> calling isSystemJar.
>>
>>> If source is null (or, more importantly, if source.location is null)
>>> isSystemJar may still be called. Without this patch, isSystemJar
>>> will throw a NullPointerException instead of returning false.
>>>
>>
>> Well source can't be null else .equals will throw an NPE. As for
>> source.getLocation.. systemSource is derived as:
>>
>> systemSource = Policy.class.getProtectionDomain().getCodeSource()
>>
>> which will have location == null
>>
>> So in theory there should never be a case where isSystemJar is called
>> will null source or where source.getLocation is null.
>>
>
> Sorry, scratch that. Just came to mind that location won't be null for
> systemSource, source will be null. So what is an example where location
> is null?
>

Actually systemSource/shellSource are both null. To confirm that apply 
the attached patch and run:

$ ./javaws -about
icedtea-web 1.1pre+rc4b91b61f88e
Launching about window...
shellSource: null
systemSource: null
[..snip..]

Cheers,
Omair
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.patch
Type: text/x-patch
Size: 719 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20110301/fce6fde2/test.patch

More information about the distro-pkg-dev mailing list