[rfc][icedtea-web] Ignore invalid .jar files in applets [resubmit]

Jiri Vanek jvanek at redhat.com
Tue Jul 3 11:59:25 PDT 2012


On 06/18/2012 04:42 PM, Adam Domurad wrote:
> Hey all, re-submitting my patch, as Jiri requested.
>
> ChangeLog:
> 2012-05-28  Adam Domurad<adomurad at redhat.com>
>
> 	Ignore invalid jar files in applets, like the oracle plugin does.
> 	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
> 	(isInvalidJar): New, checks for ZipException in new JarFile(...)
> 	(shouldFilterInvalidJars): New, checks if we are in an applet
> 	(initializeResources): if 'shouldFilterInvalidJars()' is true and a jar
> 	is not a valid jar file, the jar is filtered out and normal execution
> 	continues.
>

Looks very eell. Just few question inline
>
>
> On Mon, 2012-05-28 at 15:26 -0400, Adam Domurad wrote:
>> >  Hey all. Second try at a patch to ignore invalid .jar files, this time
>> >  only affecting applets (ie, not pages that use jnlp_href).
>> >
>> >  The proprietary plug-in seems to just skip over any malformed .jar files
>> >  and carry on loading in, while in applets. This patch emulates that
>> >  behaviour. Pages with jnlp_href still crash with a ZipException on jar
>> >  verification (the proprietary plugin also fatally errors).
>> >
>> >  This alleviates some of the symptoms of
>> >  http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1011
>> >  Once this patch has been accepted in some form, I hope to make it so
>> >  that the plugin will parse folders differently than jar files and look
>> >  for resources in folders like the proprietary plug-in does.
>> >
>> >  Le ChangeLog:
>> >  2012-05-28  Adam Domurad<adomurad at redhat.com>
>> >
>> >  	Ignore invalid jar files in applets, like the oracle plugin does.
>> >  	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
>> >  	(isValidJar): New, checks for ZipException in new JarFile(...)
>> >  	(shouldIgnoreInvalidJars): New, checks if we are in an applet
>> >  	(initializeResources): if 'shouldIgnoreInvalidJars()' is true and a jar
>> >  	is not a valid jar file, the jar is filtered out and normal execution
>> >  	continues.
>> >
>
>
> patch-attempt-3.patch
>
>
> diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> @@ -42,6 +42,7 @@ import java.util.Collections;
>   import java.util.Enumeration;
>   import java.util.HashMap;
>   import java.util.HashSet;
> +import java.util.Iterator;
>   import java.util.LinkedList;
>   import java.util.List;
>   import java.util.Map;
> @@ -431,6 +432,39 @@ public class JNLPClassLoader extends URL
>       }
>
>       /**
> +     * Check if a described jar file is invalid
> +     * @param jar the jar to check
> +     * @return true if file exists AND is an invalid jar, false otherwise
> +     */
> +    private boolean isInvalidJar(JARDesc jar){
> +        File cacheFile = tracker.getCacheFile(jar.getLocation());
> +        if (cacheFile == null)
> +            return false;//File cannot be retrieved, do not claim it is an invalid jar
> +        boolean isInvalid = false;
> +        try {
> +            JarFile jarFile = new JarFile(cacheFile.getAbsolutePath());
> +            jarFile.close();
> +        } catch (IOException ioe){
> +            //Catch a ZipException or any other read failure
> +            isInvalid = true;
> +        }
> +        return isInvalid;
> +    }
> +
> +    /**
> +     * Determine how invalid jars should be handled
> +     * @return whether to filter invalid jars, or error later on
> +     */
> +    private boolean shouldFilterInvalidJars(){
> +        if (file instanceof PluginBridge){
> +            PluginBridge pluginBridge = (PluginBridge)file;
> +            /*Ignore on applet, ie !useJNLPHref*/
> +            return !pluginBridge.useJNLPHref();
> +        }
> +        return false;//Error is default behaviour
> +    }
> +
> +    /**
>        * Load all of the JARs used in this JNLP file into the
>        * ResourceTracker for downloading.
>        */
> @@ -467,10 +501,26 @@ public class JNLPClassLoader extends URL
>           if (strict)
>               fillInPartJars(initialJars); // add in each initial part's lazy jars
>
> +        waitForJars(initialJars); //download the jars first.
> +
> +        //A ZipException will propagate later on if the jar is invalid and not checked here
> +        if (shouldFilterInvalidJars()){
> +            //We filter any invalid jars
> +            Iterator<JARDesc>  iterator = initialJars.iterator();
> +            while (iterator.hasNext()){
> +                JARDesc jar = iterator.next();
> +                if (isInvalidJar(jar)) {
> +                    //Remove this jar as an available jar
> +                    iterator.remove();
> +                    tracker.removeResource(jar.getLocation());
> +                    available.remove(jar);
> +                }
> +            }
> +        }
> +
>           if (JNLPRuntime.isVerifying()) {
>
>               JarCertVerifier jcv;
> -            waitForJars(initialJars); //download the jars first.

this removed line scares me a bit....
>
>               try {
>                   jcv = verifyJars(initialJars);
> @@ -533,6 +583,7 @@ public class JNLPClassLoader extends URL
>
>           for (JARDesc jarDesc : file.getResources().getJARs()) {
>               try {
> +
>                   File cachedFile = tracker.getCacheFile(jarDesc.getLocation());
>
>                   if (cachedFile == null) {
> @@ -570,6 +621,10 @@ public class JNLPClassLoader extends URL
>                   jarLocationSecurityMap.put(jarDesc.getLocation(), jarSecurity);
>               } catch (MalformedURLException mfe) {
>                   System.err.println(mfe.getMessage());
> +            } catch (IllegalArgumentException iae){

Do you think it is possible to caught this exception on better place and rethrow our custom one, which will be then catches here? IllegalaRgument one is pretty common one.

> +                //Caused by ignored resource being removed due to not being valid

this should be in debug mode or message should go from Message.properties.

> +                System.err.println("JAR " + jarDesc.getLocation() + " is not a valid jar file. Continuing.");
> +                continue;
>               }
>           }
>           activateJars(initialJars);




More information about the distro-pkg-dev mailing list