[rfc][icedtea-web] fix for RH816592
Deepak Bhole
dbhole at redhat.com
Thu May 24 08:28:47 PDT 2012
* Jiri Vanek <jvanek at redhat.com> [2012-05-24 09:40]:
> On 05/23/2012 05:45 PM, Jiri Vanek wrote:
> >On 05/23/2012 05:36 PM, Omair Majid wrote:
> >>On 05/23/2012 10:22 AM, Deepak Bhole wrote:
> >>>* Jiri Vanek<jvanek at redhat.com> [2012-05-03 08:21]:
> >>>>This patch is fixing
> >>>>https://bugzilla.redhat.com/show_bug.cgi?id=816592 reproduced in
> >>>>[rfc][icedtea-web] reproducer for RH816592
> >>>>(http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-May/018357.html)
> >>>>
> >>>>This patch have small (one output message) overleap with [rfc]
> >>>>[icedtea-web] providing little bit more debug outputs for few
> >>>>methods (http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-April/018332.html)
> >>>>
> >>>
> >>>This patch tries to manually add an entry to the security map. However it should not
> >>>be needed. Whatever is adding the jar should add an entry to the map --
> >>>the bug should be fixed there IMO.
> >
> >Hmmm. I Believe that there is reflection used to inject the jar into classlaoder. So if I will
> >overwrite addUrl method (which is the best place to do this) this can be still walked around. Thats
> >why I have chosen this place..
> >
> >But I admit my originalpatch must be improved for not searching again for already searched resources.
> >>
>
> I elaborated little bit above sources of jmol
> (http://jmol.sourceforge.net/demo/atoms/) and I have NOT FOUND
> where they are injecting theirs jars :-/
>
> So I have prepared testing fix (the WRONG one) which was checkigg if
> somebody is using addURL by reflection (which I consider as best way
> to do and I have used in my reproducer - (http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-May/018357.html).
> However it appeared that not jmol nor geogebra are using this
> approach.
>
> Today I have traversed through jmol code and have not find how tehy are getting the sources in:-/
> They are using for preloading Class.forName in few first lines of
> app, but in thsi time there IS already requested jar which is not
> declared on classpath of applet (well.. object generated
> byjavascript :-/) tag.
> But it can be anything. Even direct reflection to field holding urls
> in UrlClassLaoder or some JS as it looks like in jmol.... In this
> case everything hook upon any method is in vain. But My original
> solution WILL work for all this cases O:)
>
>
> J.
>
> The improved patch is fixing possible exception thrown and repeated
> reloading of resources in case of failure.
>
Hi Jiri,
This is still not solving the root issue -- why does the resource not
have an entry in the map? Whatever is getting that resource should be
adding it. getCodeSourceSecurity should only be doing a simple look up
on security and returning what is already known.
Cheers,
Deepak
> 2012-05-24 Jiri Vanek <jvanek at redhat.com>
>
> Fix for RH816592
> * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java:
> (getCodeSourceSecurity): will now try to download and verify resource
> which was downloaded outside of netx.
> (alreadyTried) set for memory of once tried resources to not try again
>
> >>This is an implementation-specific behaviour of the proprietary javaws
> >>that some programs seem to rely on. We have other bugs caused by the
> >>same issue too: PR568 [1] and PR839.
> >
> >Yap. As I already wrote it is brutal:)
> >>
> >>Cheers,
> >>Omair
> >>
> >>[1] http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=568
> >>[2] http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=839
> >
>
> diff -r f6eddd071004 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Wed May 23 13:02:58 2012 -0400
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Thu May 24 15:24:40 2012 +0200
> @@ -167,6 +167,9 @@
> /** Map of specific original (remote) CodeSource Urls to securitydesc */
> private HashMap<URL, SecurityDesc> jarLocationSecurityMap =
> new HashMap<URL, SecurityDesc>();
> +
> + /*Set to prevent once tried-to-get resources to be tried again*/
> + private Set<URL> alreadyTried = Collections.synchronizedSet(new HashSet<URL>());
>
> /** Loader for codebase (which is a path, rather than a file) */
> private CodeBaseClassLoader codeBaseLoader;
> @@ -1755,11 +1758,27 @@
>
> protected SecurityDesc getCodeSourceSecurity(URL source) {
> SecurityDesc sec=jarLocationSecurityMap.get(source);
> + if (!alreadyTried.contains(source)) {
> + alreadyTried.add(source);
> + //try to load the jar which is requesting the permissions, but was NOT downloaded by standard way
> + if (JNLPRuntime.isDebug()) {
> + System.out.println("Application is trying to get permissions for " + source.toString() + ", which was not added by standard way. Trying to download and verify!");
> + }
> + try {
> + JARDesc des = new JARDesc(source, null, null, false, false, false, false);
> + addNewJar(des);
> + sec = jarLocationSecurityMap.get(source);
> + } catch (Throwable t) {
> + if (JNLPRuntime.isDebug()) {
> + t.printStackTrace();
> + }
> + sec = null;
> + }
> + }
> if (sec == null){
> System.out.println(Translator.R("LNoSecInstance",source.toString()));
> }
> return sec;
> -
> }
>
> /**
> diff -r dbd09685dc01 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Thu May 24 11:11:27 2012 +0200
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Thu May 24 15:03:00 2012 +0200
> @@ -1069,7 +1069,7 @@
> // there is no remote URL for this, so lets fake one
> URL fakeRemote = new URL(jar.getLocation().toString() + "!" + je.getName());
> CachedJarFileCallback.getInstance().addMapping(fakeRemote, fileURL);
> - addURL(fakeRemote);
> + addInternalURL(fakeRemote);
>
> SecurityDesc jarSecurity = file.getSecurity();
>
> @@ -1105,7 +1105,7 @@
>
> }
>
> - addURL(jar.getLocation());
> + addInternalURL(jar.getLocation());
>
> // there is currently no mechanism to cache files per
> // instance.. so only index cached files
> @@ -1499,7 +1499,7 @@
> }
> });
>
> - addURL(remoteURL);
> + addInternalURL(remoteURL);
> CachedJarFileCallback.getInstance().addMapping(remoteURL, cachedUrl);
>
> } catch (Exception e) {
> @@ -1746,17 +1746,48 @@
> return security;
> }
>
> + protected void addInternalURL(URL url) {
> + super.addURL(url);
> + }
> +
> + Set<URL> accessedFor = Collections.synchronizedSet(new HashSet<URL>());
> + @Override
> + protected void addURL(URL url) {
> + new Exception().printStackTrace();
> + if (!accessedFor.contains(url)) {
> + accessedFor.add(url);
> + super.addURL(url);
> + System.out.println("Accessed addURL because of " + url.toString() + ", which was not added by standard way. Trying to download and verify!");
> + JARDesc des = new JARDesc(url, null, null, false, false, false, false);
> + addNewJar(des);
> + }
> + }
> +
> +
> +
> /**
> * Returns the security descriptor for given code source URL
> *
> * @param source the origin (remote) url of the code
> * @return The SecurityDescriptor for that source
> */
> +
> + Set<URL> alreadyTried = Collections.synchronizedSet(new HashSet<URL>());
>
> protected SecurityDesc getCodeSourceSecurity(URL source) {
> - SecurityDesc sec=jarLocationSecurityMap.get(source);
> - if (sec == null){
> - System.out.println(Translator.R("LNoSecInstance",source.toString()));
> + SecurityDesc sec = jarLocationSecurityMap.get(source);
> + if (sec == null) {
> + if (!alreadyTried.contains(source)) {
> + //try to load the jar which is requesting the permissions, but was NOT downloaded by standard way
> + alreadyTried.add(source);
> + System.out.println("Application is trying to get permissions for " + source.toString() + ", which was not added by standard way. Trying to download and verify!");
> + JARDesc des = new JARDesc(source, null, null, false, false, false, false);
> + addNewJar(des);
> + sec = jarLocationSecurityMap.get(source);
> + }
> + }
> + if (sec == null) {
> + System.out.println(Translator.R("LNoSecInstance", source.toString()));
> }
> return sec;
>
> @@ -1778,7 +1809,7 @@
>
> // jars
> for (URL u : extLoader.getURLs())
> - addURL(u);
> + addInternalURL(u);
>
> // Codebase
> addToCodeBaseLoader(extLoader.file.getCodeBase());
> @@ -1814,7 +1845,7 @@
> if (codeBaseLoader == null) {
> codeBaseLoader = new CodeBaseClassLoader(new URL[] { u }, this);
> } else {
> - codeBaseLoader.addURL(u);
> + codeBaseLoader.addInternalURL(u);
> }
> }
>
> @@ -1916,6 +1947,10 @@
>
> @Override
> public void addURL(URL url) {
> + new Exception().printStackTrace();
> + super.addURL(url);
> + }
> + public void addInternalURL(URL url) {
> super.addURL(url);
> }
>
More information about the distro-pkg-dev
mailing list