[rfc][icedtea-web] Strip parameters from document-base
Adam Domurad
adomurad at redhat.com
Wed Apr 3 07:09:09 PDT 2013
On 03/28/2013 07:53 AM, Jiri Vanek wrote:
> On 03/27/2013 09:20 PM, Adam Domurad wrote:
>> It appears having parameters in the URL for the stored document-base
>> can cause problems with some
>> applets, namely the Oracle LMS applet.
>>
>> A small bit of refactoring is needed to move the URL stripping code:
>>
>> Refactoring ChangeLog:
>> 2013-03-26 Adam Domurad <adomurad at redhat.com>
>>
>> *
>>
netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmation.java
>>
>> (normalizeUrlAndStripParams): Moved.
>> * netx/net/sourceforge/jnlp/util/UrlUtils.java
>> (normalizeUrlAndStripParams): New, moved from
>> UnsignedAppletTrustConfirmation.
>> *
>>
tests/netx/unit/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmationTest.java
>>
>>
>> (testNormalizeUrlAndStripParams): Moved.
>> * tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java:
>> New, has (testNormalizeUrlAndStripParams) from
>> UnsignedAppletTrustConfirmationTest.
>>
>>
>> And the fix itself:
>> 2013-03-26 Adam Domurad <adomurad at redhat.com>
>>
>> * netx/net/sourceforge/jnlp/NetxPanel.java
>> (NetxPanel): Ensure documentURL has stripped parameters
>>
>> Happy hacking,
>> -Adam
>
> The refactoring is ok. But to use completely stripped codeabse in base
> codebase sounds to me as quite big change. As far as i looked, I was
> not able to judge all the impact and would rather stay with more
> conservative change or with very deep testing of this change on your
> side.
Actually, stripping in the code-base was always done. The bug was that
URL's such as:
http://example.com/?test/
Were not being stripped properly, because the last part looked like a
directory.
However after further testing it looks like Oracle does not strip the
document-base. It was a bit ugly but I have managed to ensure that our
documentbase & codebase are always the same as Oracle's.
There is some refactoring attached that moves normalizeUrl from
ResourceTracker to UrlUtils, as well as adding an option whether to
encode file:// based URL's or not. For compatibility purposes, we must
encode URL's in the code-base & document-base, even if local. This is a
good idea for matching purposes too.
However, for actually accessing these URL's, the file:// based URL's
should not be encoded.
add-url-utils.patch ChangeLog:
2013-04-02 Adam Domurad <adomurad at redhat.com>
* netx/net/sourceforge/jnlp/cache/ResourceTracker.java: Remove no
longer used constants. Remove (normalizeUrl). Update calls.
* netx/net/sourceforge/jnlp/cache/CacheUtil.java: Expand imports.
Update calls.
*
netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmation.java:
Ensure file://-protocol URLs are encoded.
* netx/net/sourceforge/jnlp/util/UrlUtils.java: Add (normalizeUrl),
and related utility methods. Allow for optionally encoding file://
URLs.
There is some non-ideal code in the fix itself, because first we pass a
stripped document-base, and then restore it to its original form. I
blame this on the rigidity of inheriting from AppletViewerPanel, but I
did not want to remove this inheritance in this patch.
properly-strip-codebase.patch:
2013-04-02 Adam Domurad <adomurad at redhat.com>
Ensure code-base is stripped of parameters that look like
directories.
* netx/net/sourceforge/jnlp/NetxPanel.java
(NetxPanel): Ensure code-base is created from stripped
document-base.
Don't strip document-base itself.
(runLoader): Ensure URL used for resource loaded is not
encoded.
The biggest change I think is the fact that the document-base &
code-base are now encoded, otherwise code-bases were (almost) always
stripped already. The code-base is decoded for resource-loading
purposes, as it was before.
It looks fine from my testing (so far).
-Adam
>
> J.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: add-url-utils.patch
Type: text/x-patch
Size: 11651 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20130403/0ed90043/add-url-utils.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: properly-stripped-codebase.patch
Type: text/x-patch
Size: 1588 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20130403/0ed90043/properly-stripped-codebase.patch
More information about the distro-pkg-dev
mailing list