[icedtea-web] RFC: Patch to fix PR794 (Class-Path element processing)

Omair Majid omajid at redhat.com
Tue Sep 27 18:07:01 PDT 2011 

On 09/27/2011 06:07 PM, Deepak Bhole wrote:
> Hi,
>
> Attached patch fixes PR794:
> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=794
>
> ChangeLog:
> 2011-09-27  Deepak Bhole<dbhole at redhat.com>
>
>      PR794: IcedTea-Web does not work if a Web Start app jar has a Class-Path
>      element in the manifest.
>      * netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java
>      (retrieve): Blank out the Class-Path elements in manifest.
>      * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
>      (activateJars): Only load Class-Path elements if this is an applet. Add a
>      security mapping for jars from the Class-Path.
>
> Okay for HEAD and 1.1?
>

While the overall idea looks fine to me, I have a few concerns noted 
inline below.

> diff -r 0a1733685325 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Fri Sep 23 12:14:39 2011 -0400
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java	Tue Sep 27 18:02:12 2011 -0400
> @@ -779,7 +778,15 @@
>
>                               JarFile jarFile = new JarFile(localFile.getAbsolutePath());
>                               Manifest mf = jarFile.getManifest();
> -                            classpaths.addAll(getClassPathsFromManifest(mf, jar.getLocation().getPath()));
> +
> +                            if (file instanceof PluginBridge) {
> +                                for (String classpath: getClassPathsFromManifest(mf, jar.getLocation().getPath())) {
> +                                    URL codebaseURL = file.getCodeBase();
> +                                    jarLocationSecurityMap.put(new URL(codebaseURL.getProtocol() + "://" + codebaseURL.getHost() + classpath), jarSecurity);

I have a concern about this line here ^

Is this jar being verified before we grant it permissions? It's not 
obvious from the patch that we are.

Also, a nitpick: we are ignoring any possible port numbers in 
codebaseURL. Other code in this class does something along the lines of:

new URL(codebaseURL, classpath)

Thanks for tracking down the cause of this bug and fixing it!

Cheers,
Omair

More information about the distro-pkg-dev mailing list