[Bug 1204] New: Archive URL wrongly resolved

bugzilla-daemon at icedtea.classpath.org bugzilla-daemon at icedtea.classpath.org
Mon Oct 29 06:50:20 PDT 2012 

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1204

          Priority: P3
            Bug ID: 1204
                CC: unassigned at icedtea.classpath.org
          Assignee: dbhole at redhat.com
           Summary: Archive URL wrongly resolved
          Severity: normal
    Classification: Unclassified
                OS: Linux
          Reporter: vigouroux.christophe at gmail.com
          Hardware: x86
            Status: NEW
           Version: unspecified
         Component: Plugin
           Product: IcedTea-Web

Created attachment 784
  --> http://icedtea.classpath.org/bugzilla/attachment.cgi?id=784&action=edit
IcedTea plugin logs

Using OpenJDK 1.7.0_07 and IcedTea7 2.3.2.

Given the following embed tag :
<EMBED ARCHIVE="/app/res/pub/channel.jar?i=494C1D32447EADED3EF03904622E36D3"
CODE="cti.secch.applet.JavaDetectionApplet.class" height="1" width="1" >
...
</EMBED>

Note the specifics of the URL:
- absolute path begining with "/"
- query parameter "i=..."
- document base is https://www.myapp.com/app/jsp/

Then, IcedTea plugin tries to resolve the folowing URL:
https://www.myapp.com//app/res/pub/channel.jar

There are two problems:
- the double slash ("//")
- the parameter is removed from the URL

It impacts our application, because for security reasons, we do some
mod_rewrite stuff to whitelist all valid URLs. The URL with double slash and
with the missing parameter does not pass mod_rewrite validation, and thus an
error document is issued to the java plugin, not allowing the applet to
bootstrap. We don't want to lower our URL security model to accept these
limitations, as long as the Oracle's implementation works fine with archives
using URL query parameters and absolute paths.

See the attached logs for detailled information.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20121029/2c414257/attachment.html

More information about the distro-pkg-dev mailing list