/hg/release/icedtea-web-1.3: 9 new changesets
jvanek at icedtea.classpath.org
jvanek at icedtea.classpath.org
Wed Apr 17 01:14:50 PDT 2013
changeset 19f5282f53e8 in /hg/release/icedtea-web-1.3
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.3?cmd=changeset;node=19f5282f53e8
author: Jiri Vanek <jvanek at redhat.com>
date: Wed Apr 10 17:49:20 2013 +0200
Fixed gifar vulnerability with automated testcase
changeset ccc249a27004 in /hg/release/icedtea-web-1.3
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.3?cmd=changeset;node=ccc249a27004
author: Jiri Vanek <jvanek at redhat.com>
date: Wed Apr 10 18:28:07 2013 +0200
Improved Changelog and NEWS
changeset c8544250d5b2 in /hg/release/icedtea-web-1.3
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.3?cmd=changeset;node=c8544250d5b2
author: Jiri Vanek <jvanek at redhat.com>
date: Wed Apr 10 18:31:56 2013 +0200
Added CVE number
changeset 25dd7c7ac39c in /hg/release/icedtea-web-1.3
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.3?cmd=changeset;node=25dd7c7ac39c
author: Jiri Vanek <jvanek at redhat.com>
date: Thu Apr 11 12:29:47 2013 +0200
Fixed CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path.
changeset 88fb945c9397 in /hg/release/icedtea-web-1.3
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.3?cmd=changeset;node=88fb945c9397
author: Jiri Vanek <jvanek at redhat.com>
date: Thu Apr 11 15:45:27 2013 +0200
Fix PR580: http://www.horaoficial.cl/ loads improperly. Applets that must share a class-loader now load sequentially.
changeset 2d76719a5e4d in /hg/release/icedtea-web-1.3
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.3?cmd=changeset;node=2d76719a5e4d
author: Jiri Vanek <jvanek at redhat.com>
date: Thu Apr 11 17:49:29 2013 +0200
Added various self-describing tests for codebase
changeset ed5f2b36fc74 in /hg/release/icedtea-web-1.3
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.3?cmd=changeset;node=ed5f2b36fc74
author: Jiri Vanek <jvanek at redhat.com>
date: Thu Apr 11 18:04:48 2013 +0200
Removed pre from version id
changeset 785836ceee6d in /hg/release/icedtea-web-1.3
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.3?cmd=changeset;node=785836ceee6d
author: Jiri Vanek <jvanek at redhat.com>
date: Thu Apr 11 18:06:13 2013 +0200
Added tag icedtea-web-1.3.2 for changeset ed5f2b36fc74
changeset ded8ed9a9427 in /hg/release/icedtea-web-1.3
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.3?cmd=changeset;node=ded8ed9a9427
author: Jiri Vanek <jvanek at redhat.com>
date: Wed Apr 17 10:15:16 2013 +0200
configure.ac - updated to become 1.3.3pre
diffstat:
.hgtags | 1 +
ChangeLog | 82 ++
NEWS | 5 +
configure.ac | 2 +-
netx/net/sourceforge/jnlp/Launcher.java | 2 +-
netx/net/sourceforge/jnlp/NetxPanel.java | 7 +-
netx/net/sourceforge/jnlp/resources/Messages.properties | 3 +-
netx/net/sourceforge/jnlp/runtime/Boot.java | 4 +
netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java | 12 +-
netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java | 97 +-
netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java | 22 +-
netx/net/sourceforge/jnlp/tools/JarCertVerifier.java | 36 +-
netx/net/sourceforge/jnlp/util/InvalidJarHeaderException.java | 49 +
netx/net/sourceforge/jnlp/util/JarFile.java | 153 ++++
tests/reproducers/custom/GifarCreator/srcs/Makefile | 17 +
tests/reproducers/signed/GifarBase/resources/gifarView_hacked.html | 48 +
tests/reproducers/signed/GifarBase/resources/gifarView_ok.html | 48 +
tests/reproducers/signed/GifarBase/resources/gifar_applet.jnlp | 65 +
tests/reproducers/signed/GifarBase/resources/gifar_application.jnlp | 60 +
tests/reproducers/signed/GifarBase/resources/happyNonAnimated.gif | Bin
tests/reproducers/signed/GifarBase/srcs/GifarMain.java | 212 ++++++
tests/reproducers/signed/GifarBase/testcases/GifarTestcases.java | 221 ++++++
tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet-reader1-writer1.html | 46 +
tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet-reader1-writer2.html | 46 +
tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet-reader1.html | 43 +
tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet-reader2.html | 43 +
tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet-writer1.html | 43 +
tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet-writer2.html | 43 +
tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet2-reader1-writer1.html | 46 +
tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet2-reader1-writer2.html | 46 +
tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet2-reader1.html | 43 +
tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet2-reader2.html | 43 +
tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet2-writer1.html | 43 +
tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet2-writer2.html | 43 +
tests/reproducers/simple/AppletSharedClassLoader/srcs/SharedClassLoaderApplet1.java | 50 +
tests/reproducers/simple/AppletSharedClassLoader/srcs/SharedClassLoaderApplet2.java | 50 +
tests/reproducers/simple/AppletSharedClassLoader/srcs/SharedSecret.java | 70 ++
tests/reproducers/simple/AppletSharedClassLoader/testcases/SharedClassLoaderApplet_WrittenCompleteCodeBaseTest.java | 232 ++++++
tests/reproducers/simple/AppletSharedClassLoader/testcases/SharedClassLoaderApplet_WrittenPartialStubCodeBaseTest.java | 250 +++++++
tests/reproducers/simple/AppletSharedClassLoader/testcases/SharedClassLoaderApplet_dotCodeBaseTest.java | 340 ++++++++++
40 files changed, 2606 insertions(+), 60 deletions(-)
diffs (truncated from 3030 to 500 lines):
diff -r 6883b7d0a2fc -r ded8ed9a9427 .hgtags
--- a/.hgtags Wed Apr 10 15:37:00 2013 +0200
+++ b/.hgtags Wed Apr 17 10:15:16 2013 +0200
@@ -3,3 +3,4 @@
41f03d932cdf040a89d09c5683fcc7dac6fd2003 icedtea-web-1.2-branchpoint
03ac5dc76069aac927946ccc26698f52e1965260 icedtea-web-1.3
89d481ff6266fdd80f65afeb41b22f23e8371350 icedtea-web-1.3.1
+ed5f2b36fc7465fe54a25f57e4d3bd3cc8c325a3 icedtea-web-1.3.2
diff -r 6883b7d0a2fc -r ded8ed9a9427 ChangeLog
--- a/ChangeLog Wed Apr 10 15:37:00 2013 +0200
+++ b/ChangeLog Wed Apr 17 10:15:16 2013 +0200
@@ -1,3 +1,85 @@
+2013-04-11 Jiri Vanek <jvanek at redhat.com>
+
+ Added various self-describing tests for codebase
+ * tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet-reader1-writer1.html
+ * tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet-reader1-writer2.html
+ * tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet-reader1.html
+ * tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet-reader2.html
+ * tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet-writer1.html
+ * tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet-writer2.html
+ * tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet2-reader1-writer1.html
+ * tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet2-reader1-writer2.html
+ * tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet2-reader1.html
+ * tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet2-reader2.html
+ * tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet2-writer1.html
+ * tests/reproducers/simple/AppletSharedClassLoader/resources/LaunchSharedClassLoaderApplet2-writer2.html
+ * tests/reproducers/simple/AppletSharedClassLoader/srcs/SharedClassLoaderApplet1.java
+ * tests/reproducers/simple/AppletSharedClassLoader/srcs/SharedClassLoaderApplet2.java
+ * tests/reproducers/simple/AppletSharedClassLoader/srcs/SharedSecret.java
+ * tests/reproducers/simple/AppletSharedClassLoader/testcases/SharedClassLoaderApplet_WrittenCompleteCodeBaseTest.java
+ * tests/reproducers/simple/AppletSharedClassLoader/testcases/SharedClassLoaderApplet_WrittenPartialStubCodeBaseTest.java
+ * tests/reproducers/simple/AppletSharedClassLoader/testcases/SharedClassLoaderApplet_dotCodeBaseTest.jav
+
+
+2013-04-11 Adam Domurad <adomurad at redhat.com>
+
+ Fix PR580: http://www.horaoficial.cl/ loads improperly. Applets that
+ must share a class-loader now load sequentially.
+ * NEWS:
+ Mention the fix.
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+ (getUniqueKeyLock): New, atomically grabs or creates a lock for the
+ unique key.
+ (getInstance): Ensure classloader initialization is locked by unique
+ key.
+ (decrementLoaderUseCount): Ensure classloader deinitialization is
+ locked by unique key, get rid of no-longer used locks.
+
+2013-04-11 Adam Domurad <adomurad at redhat.com>
+
+ CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with
+ same relative-path.
+ * netx/net/sourceforge/jnlp/NetxPanel.java: (NetxPanel) Construct
+ unique-key with absolute path
+
+2013-04-10 Jiri Vanek <jvanek at redhat.com>
+
+ Fixed gifar vulnereability with automated testcase
+ * netx/net/sourceforge/jnlp/util/JarFile.java: IcedTea-Web replacement for
+ java.util.jar.JarFile.java with capability to verify if the jar starts as jar
+ and not as something else (eg gif)
+ * netx/net/sourceforge/jnlp/Launcher.java: migrated to new JarFile
+ * netx/net/sourceforge/jnlp/resources/Messages.properties: added
+ BXignoreheaders key with description to new -Xignoreheaders switch
+ * netx/net/sourceforge/jnlp/runtime/Boot.java: added switch Xignoreheaders
+ to allow to disable the header verification.
+ * netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java:
+ migrated to new JarFile
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: improved
+ reporting of new JarFile exceptions
+ * netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java: new field
+ ignoreHeaders, informing about new JarFile whether to verify or not verify
+ headers. By default verifying, so have value of false.
+ * netx/net/sourceforge/jnlp/tools/JarCertVerifier.java: migrated to new JarFile
+ * netx/net/sourceforge/jnlp/util/InvalidJarHeaderException.java: new
+ not-checked exception to signify that jar is corrupted on headers level.
+ * tests/reproducers/custom/GifarCreator/srcs/Makefile: makefile to
+ join gif and jar to create gifar
+ * tests/reproducers/signed/GifarBase/resources/gifarView_hacked.html:
+ html with hacked gifar
+ * tests/reproducers/signed/GifarBase/resources/gifarView_ok.html:
+ html with valid gifs and jars
+ * tests/reproducers/signed/GifarBase/resources/gifar_applet.jnlp:
+ jnlp applet constructed from hacked gifar
+ * tests/reproducers/signed/GifarBase/resources/gifar_application.jnlp:
+ jnlp application constructed from hacked gifar
+ * tests/reproducers/signed/GifarBase/srcs/GifarMain.java:
+ Main method of reproducer
+ * tests/reproducers/signed/GifarBase/testcases/GifarTestcases.java:
+ Testing methods
+ * tests/reproducers/signed/GifarBase/resources/happyNonAnimated.gif:
+ binary file, image, gif, used to create hacked gifars
+
2013-04-10 Jiri Vanek <jvanek at redhat.com>
Fixed news
diff -r 6883b7d0a2fc -r ded8ed9a9427 NEWS
--- a/NEWS Wed Apr 10 15:37:00 2013 +0200
+++ b/NEWS Wed Apr 17 10:15:16 2013 +0200
@@ -9,8 +9,13 @@
CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release 1.3.2 (2013-04-17):
+* Security Updates
+ - CVE-2013-1927, RH884705: fixed gifar vulnerability
+ - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path.
* Common
- Added new option in itw-settings which allows users to set JVM arguments when plugin is initialized.
+* NetX
+ - PR580: http://www.horaoficial.cl/ loads improperly
* Plugin
PR1260: IcedTea-Web should not rely on GTK
PR1157: Applets can hang browser after fatal exception
diff -r 6883b7d0a2fc -r ded8ed9a9427 configure.ac
--- a/configure.ac Wed Apr 10 15:37:00 2013 +0200
+++ b/configure.ac Wed Apr 17 10:15:16 2013 +0200
@@ -1,4 +1,4 @@
-AC_INIT([icedtea-web],[1.3.2pre],[distro-pkg-dev at openjdk.java.net], [icedtea-web], [http://icedtea.classpath.org/wiki/IcedTea-Web])
+AC_INIT([icedtea-web],[1.3.3pre],[distro-pkg-dev at openjdk.java.net], [icedtea-web], [http://icedtea.classpath.org/wiki/IcedTea-Web])
AM_INIT_AUTOMAKE([1.9 tar-pax foreign])
AC_CONFIG_FILES([Makefile netx.manifest])
diff -r 6883b7d0a2fc -r ded8ed9a9427 netx/net/sourceforge/jnlp/Launcher.java
--- a/netx/net/sourceforge/jnlp/Launcher.java Wed Apr 10 15:37:00 2013 +0200
+++ b/netx/net/sourceforge/jnlp/Launcher.java Wed Apr 17 10:15:16 2013 +0200
@@ -29,7 +29,7 @@
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
-import java.util.jar.JarFile;
+import net.sourceforge.jnlp.util.JarFile;
import net.sourceforge.jnlp.cache.CacheUtil;
import net.sourceforge.jnlp.cache.UpdatePolicy;
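Review bot: Swapping the import for a class that shares the name `JarFile` makes the header check opt-in per source file: any file that still imports java.util.jar.JarFile, or that loses the project import in a later cleanup, silently keeps using the unverified JDK class and nothing flags it. The collision already shows in the CachedJarFileCallback hunks, where the interface-typed returns have to be spelled out as `java.util.jar.JarFile` while the import names the wrapper, and the same applies to the JNLPClassLoader import hunk. A distinct class name (a `VerifiedJarFile`-style name, as a suggestion) or a build-time check that no netx source imports java.util.jar.JarFile would make the substitution explicit. Also, the new import sits between the java.util and net.sourceforge groups; moving it next to the other net.sourceforge.jnlp imports keeps the grouping consistent.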
diff -r 6883b7d0a2fc -r ded8ed9a9427 netx/net/sourceforge/jnlp/NetxPanel.java
--- a/netx/net/sourceforge/jnlp/NetxPanel.java Wed Apr 10 15:37:00 2013 +0200
+++ b/netx/net/sourceforge/jnlp/NetxPanel.java Wed Apr 17 10:15:16 2013 +0200
@@ -77,11 +77,6 @@
* bad tag cannot trick the loader into getting shared with another.
*/
- // Firefox sometimes skips the codebase if it is default -- ".",
- // so set it that way if absent
- String codebaseAttr = atts.get("codebase") != null ?
- atts.get("codebase") : ".";
-
String cache_archiveAttr = atts.get("cache_archive") != null ?
atts.get("cache_archive") : "";
@@ -91,7 +86,7 @@
String archiveAttr = atts.get("archive") != null ?
atts.get("archive") : "";
- this.uKey = "codebase=" + codebaseAttr +
+ this.uKey = "codebase=" + getCodeBase().toExternalForm() +
"cache_archive=" + cache_archiveAttr +
"java_archive=" + java_archiveAttr +
"archive=" + archiveAttr;
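Review bot: The unique key still concatenates its four components with nothing separating the end of one value from the next label, so distinct attribute combinations can yield the same key string, and the codebase part is now a full external-form URL rather than a short relative path. Building the key with a delimiter between each `name=value` pair, e.g. `"codebase=" + getCodeBase().toExternalForm() + ";cache_archive=" + cache_archiveAttr + ";java_archive=" + java_archiveAttr + ";archive=" + archiveAttr`, removes the ambiguity at no cost. Separately, if getCodeBase() can be null at this point in construction, `getCodeBase().toExternalForm()` throws where the removed code fell back to "." — worth confirming against the caller. The enclosing constructor begins and ends outside this hunk.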
diff -r 6883b7d0a2fc -r ded8ed9a9427 netx/net/sourceforge/jnlp/resources/Messages.properties
--- a/netx/net/sourceforge/jnlp/resources/Messages.properties Wed Apr 10 15:37:00 2013 +0200
+++ b/netx/net/sourceforge/jnlp/resources/Messages.properties Wed Apr 17 10:15:16 2013 +0200
@@ -94,7 +94,7 @@
LNotVerified=Jars not verified.
LCancelOnUserRequest=Canceled on user request.
LFatalVerification=A fatal error occurred while trying to verify jars.
-LFatalVerificationInfo=
+LFatalVerificationInfo=Description
LNotVerifiedDialog=Not all jars could be verified.
LAskToContinue=Would you still like to continue running this application?
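Review bot: `LFatalVerificationInfo=Description` reads like a placeholder rather than a user-facing message; in this same commit JNLPClassLoader appends `": " + e.getMessage()` to it, so the dialog will render as "Description: <exception text>". A phrase that actually introduces the detail, for example `LFatalVerificationInfo=Details of the verification failure`, would read correctly in that position. The second hunk's `BXignoreheaders` text could also say that the switch weakens the jar check, since the help output is the only place a user learns what it does.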
@@ -185,6 +185,7 @@
BOViewer = Shows the trusted certificate viewer.
BXnofork = Do not create another JVM.
BXclearcache= Clean the JNLP application cache.
+BXignoreheaders= Skip jar header verification.
BOHelp = Print this message and exit.
# Cache
diff -r 6883b7d0a2fc -r ded8ed9a9427 netx/net/sourceforge/jnlp/runtime/Boot.java
--- a/netx/net/sourceforge/jnlp/runtime/Boot.java Wed Apr 10 15:37:00 2013 +0200
+++ b/netx/net/sourceforge/jnlp/runtime/Boot.java Wed Apr 17 10:15:16 2013 +0200
@@ -102,6 +102,7 @@
+ " -strict " + R("BOStrict") + "\n"
+ " -Xnofork " + R("BXnofork") + "\n"
+ " -Xclearcache " + R("BXclearcache") + "\n"
+ + " -Xignoreheaders " + R("BXignoreheaders") + "\n"
+ " -help " + R("BOHelp") + "\n";
private static final String doubleArgs = "-basedir -jnlp -arg -param -property -update";
@@ -159,6 +160,9 @@
if (null != getOption("-Xtrustall")) {
JNLPRuntime.setTrustAll(true);
}
+ if (null != getOption("-Xignoreheaders")) {
+ JNLPRuntime.setIgnoreHeaders(true);
+ }
JNLPRuntime.setInitialArgments(Arrays.asList(argsIn));
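Review bot: Enabling -Xignoreheaders silently turns off the jar header check that the rest of this commit introduces, and nothing in the hunk records that the weaker mode is active. Emitting a warning at the point where the option is recognized, e.g. `System.err.println("Warning: -Xignoreheaders set, jar header verification is disabled");` (or whatever logging facility Boot already uses), lets operators and bug reports distinguish a run with the check disabled from a normal one. The surrounding option-parsing block starts and ends outside the hunk.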
diff -r 6883b7d0a2fc -r ded8ed9a9427 netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java
--- a/netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java Wed Apr 10 15:37:00 2013 +0200
+++ b/netx/net/sourceforge/jnlp/runtime/CachedJarFileCallback.java Wed Apr 17 10:15:16 2013 +0200
@@ -49,7 +49,7 @@
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
-import java.util.jar.JarFile;
+import net.sourceforge.jnlp.util.JarFile;
import net.sourceforge.jnlp.util.UrlUtils;
@@ -81,7 +81,7 @@
}
@Override
- public JarFile retrieve(URL url) throws IOException {
+ public java.util.jar.JarFile retrieve(URL url) throws IOException {
URL localUrl = mapping.get(url);
if (localUrl == null) {
@@ -122,8 +122,8 @@
/*
* This method is a copy of URLJarFile.retrieve() without the callback check.
*/
- private JarFile cacheJarFile(URL url) throws IOException {
- JarFile result = null;
+ private java.util.jar.JarFile cacheJarFile(URL url) throws IOException {
+ java.util.jar.JarFile result = null;
final int BUF_SIZE = 2048;
@@ -132,9 +132,9 @@
try {
result =
- AccessController.doPrivileged(new PrivilegedExceptionAction<JarFile>() {
+ AccessController.doPrivileged(new PrivilegedExceptionAction<java.util.jar.JarFile>() {
@Override
- public JarFile run() throws IOException {
+ public java.util.jar.JarFile run() throws IOException {
OutputStream out = null;
File tmpFile = null;
try {
diff -r 6883b7d0a2fc -r ded8ed9a9427 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Wed Apr 10 15:37:00 2013 +0200
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Wed Apr 17 10:15:16 2013 +0200
@@ -17,6 +17,10 @@
import static net.sourceforge.jnlp.runtime.Translator.R;
+import java.util.concurrent.locks.ReentrantLock;
+
+import java.util.concurrent.locks.Lock;
+
import java.io.Closeable;
import java.io.File;
import java.io.FileOutputStream;
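Review bot: `import java.util.concurrent.locks.Lock;` is not used by any of the visible hunks (the code below uses ReentrantLock throughout), so unless it is used elsewhere in the file it should be dropped. The ReentrantLock import also sits above the java.io group, separated by blank lines; it belongs with the other java.util.concurrent imports a few lines down.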
@@ -56,7 +60,7 @@
import java.util.Vector;
import java.util.concurrent.ConcurrentHashMap;
import java.util.jar.JarEntry;
-import java.util.jar.JarFile;
+import net.sourceforge.jnlp.util.JarFile;
import java.util.jar.Manifest;
import net.sourceforge.jnlp.AppletDesc;
@@ -106,9 +110,12 @@
/** True if the application has a signed JNLP File */
private boolean isSignedJNLP = false;
- /** map from JNLPFile url to shared classloader */
- private static Map<String, JNLPClassLoader> urlToLoader =
- new HashMap<String, JNLPClassLoader>(); // never garbage collected!
+ /** map from JNLPFile unique key to shared classloader */
+ private static Map<String, JNLPClassLoader> uniqueKeyToLoader = new ConcurrentHashMap<String, JNLPClassLoader>();
+
+ /** map from JNLPFile unique key to lock, the lock is needed to enforce correct
+ * initialization of applets that share a unique key*/
+ private static Map<String, ReentrantLock> uniqueKeyToLock = new HashMap<String, ReentrantLock>();
/** the directory for native code */
private File nativeDir = null; // if set, some native code exists
@@ -331,6 +338,26 @@
}
/**
+ * Gets the lock for a given unique key, creating one if it does not yet exist.
+ * This operation is atomic & thread-safe.
+ *
+ * @param file the file whose unique key should be used
+ * @return the lock
+ */
+ private static ReentrantLock getUniqueKeyLock(String uniqueKey) {
+ synchronized (uniqueKeyToLock) {
+ ReentrantLock storedLock = uniqueKeyToLock.get(uniqueKey);
+
+ if (storedLock == null) {
+ storedLock = new ReentrantLock();
+ uniqueKeyToLock.put(uniqueKey, storedLock);
+ }
+
+ return storedLock;
+ }
+ }
+
+ /**
* Returns a JNLP classloader for the specified JNLP file.
*
* @param file the file to load classes for
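Review bot: The Javadoc for getUniqueKeyLock documents `@param file` but the parameter is `uniqueKey`; it should read `@param uniqueKey the unique key whose lock is wanted`. The returned ReentrantLock is only ever used as a monitor (`synchronized (getUniqueKeyLock(...))` in the hunks below), never through lock()/unlock(), so either the map could hold plain Object monitors or the callers should use the lock API in try/finally; mixing the two styles invites a future caller to use lock() and get no exclusion against the synchronized users. Note also that uniqueKeyToLock is a HashMap guarded by its own monitor while uniqueKeyToLoader is a ConcurrentHashMap — fine as written, but a comment on the fields stating that uniqueKeyToLock must only be touched under `synchronized (uniqueKeyToLock)` would make the invariant explicit.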
@@ -342,11 +369,8 @@
JNLPClassLoader loader = null;
String uniqueKey = file.getUniqueKey();
- if (uniqueKey != null)
- baseLoader = urlToLoader.get(uniqueKey);
-
- try {
-
+ synchronized ( getUniqueKeyLock(uniqueKey) ) {
+ baseLoader = uniqueKeyToLoader.get(uniqueKey);
// A null baseloader implies that no loader has been created
// for this codebase/jnlp yet. Create one.
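Review bot: The removed `if (uniqueKey != null)` guard suggests file.getUniqueKey() may return null, and the replacement `uniqueKeyToLoader.get(uniqueKey)` (and the `put` later in the method) now targets a ConcurrentHashMap, which throws NullPointerException on null keys where the old HashMap accepted them. If null is still possible, keep an explicit path for it, e.g. `if (uniqueKey == null) throw new IllegalArgumentException("JNLPFile has no unique key");` or a non-shared loader fallback, and document the requirement on getUniqueKey(); if it cannot be null, an `Objects.requireNonNull(uniqueKey, "uniqueKey")` at the top makes that assumption visible. The enclosing getInstance method begins and ends outside this hunk.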
@@ -358,7 +382,7 @@
// New loader init may have caused extentions to create a
// loader for this unique key. Check.
- JNLPClassLoader extLoader = urlToLoader.get(uniqueKey);
+ JNLPClassLoader extLoader = uniqueKeyToLoader.get(uniqueKey);
if (extLoader != null && extLoader != loader) {
if (loader.signing && !extLoader.signing)
@@ -387,16 +411,12 @@
loader = baseLoader;
}
- } catch (LaunchException e) {
- throw e;
- }
+ // loaders are mapped to a unique key. Only extensions and parent
+ // share a key, so it is safe to always share based on it
- // loaders are mapped to a unique key. Only extensions and parent
- // share a key, so it is safe to always share based on it
-
- loader.incrementLoaderUseCount();
- synchronized(urlToLoader) {
- urlToLoader.put(uniqueKey, loader);
+ loader.incrementLoaderUseCount();
+
+ uniqueKeyToLoader.put(uniqueKey, loader);
}
return loader;
@@ -413,12 +433,17 @@
*/
public static JNLPClassLoader getInstance(URL location, String uniqueKey, Version version, UpdatePolicy policy, String mainName)
throws IOException, ParseException, LaunchException {
- JNLPClassLoader loader = urlToLoader.get(uniqueKey);
- if (loader == null || !location.equals(loader.getJNLPFile().getFileLocation())) {
- JNLPFile jnlpFile = new JNLPFile(location, uniqueKey, version, false, policy);
+ JNLPClassLoader loader;
- loader = getInstance(jnlpFile, policy, mainName);
+ synchronized ( getUniqueKeyLock(uniqueKey) ) {
+ loader = uniqueKeyToLoader.get(uniqueKey);
+
+ if (loader == null || !location.equals(loader.getJNLPFile().getFileLocation())) {
+ JNLPFile jnlpFile = new JNLPFile(location, uniqueKey, version, false, policy);
+
+ loader = getInstance(jnlpFile, policy, mainName);
+ }
}
return loader;
@@ -612,7 +637,7 @@
//to read the cacerts or trusted.certs files.
e.printStackTrace();
throw new LaunchException(null, null, R("LSFatal"),
- R("LCInit"), R("LFatalVerification"), R("LFatalVerificationInfo"));
+ R("LCInit"), R("LFatalVerification"), R("LFatalVerificationInfo") + ": " +e.getMessage());
}
//Case when at least one jar has some signing
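Review bot: `e.getMessage()` is null for many exception types, in which case the dialog text becomes "…: null"; prefer `e.getMessage() != null ? e.getMessage() : e.toString()` so the user always sees something meaningful. Since the exception is already printed with printStackTrace() on the line above, it is also worth deciding whether a raw exception message belongs in a user-facing dialog at all or whether a short translated summary plus the log is enough. The enclosing method begins and ends outside this hunk.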
@@ -2097,13 +2122,16 @@
*
* @throws SecurityException if caller is not trusted
*/
- private synchronized void incrementLoaderUseCount() {
-
+ private void incrementLoaderUseCount() {
+
// For use by trusted code only
if (System.getSecurityManager() != null)
System.getSecurityManager().checkPermission(new AllPermission());
-
- useCount++;
+
+ // NB: There will only ever be one class-loader per unique-key
+ synchronized ( getUniqueKeyLock(file.getUniqueKey()) ){
+ useCount++;
+ }
}
/**
@@ -2113,17 +2141,20 @@
*
* @throws SecurityException if caller is not trusted
*/
- public synchronized void decrementLoaderUseCount() {
+ public void decrementLoaderUseCount() {
// For use by trusted code only
if (System.getSecurityManager() != null)
System.getSecurityManager().checkPermission(new AllPermission());
- useCount--;
+ String uniqueKey = file.getUniqueKey();
- if (useCount <= 0) {
- synchronized(urlToLoader) {
- urlToLoader.remove(file.getUniqueKey());
+ // NB: There will only ever be one class-loader per unique-key
+ synchronized ( getUniqueKeyLock(uniqueKey) ) {
+ useCount--;
+
+ if (useCount <= 0) {
+ uniqueKeyToLoader.remove(uniqueKey);
}
}
}
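Review bot: When useCount drops to zero the hunk removes the loader from uniqueKeyToLoader but leaves its entry in uniqueKeyToLock, so the lock map grows by one ReentrantLock per distinct unique key for the life of the JVM — the ChangeLog entry for this change says unused locks are removed, but the visible code does not do it. Pruning is not a one-liner: a thread that has already obtained the lock object from getUniqueKeyLock but not yet entered the synchronized block would race with a thread creating a fresh lock for the same key, so a removal must happen under that lock and getUniqueKeyLock callers must re-validate after acquiring, or the map stays append-only. Either implement the removal with that re-check or correct the ChangeLog and add `// locks are intentionally never removed; see getUniqueKeyLock` here.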
diff -r 6883b7d0a2fc -r ded8ed9a9427 netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Wed Apr 10 15:37:00 2013 +0200
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Wed Apr 17 10:15:16 2013 +0200
@@ -87,7 +87,7 @@
* @version $Revision: 1.19 $
*/
public class JNLPRuntime {
-
+
static {
loadResources();
}
@@ -142,8 +142,16 @@
/** set to false to indicate another JVM should not be spawned, even if necessary */
private static boolean forksAllowed = true;
- /** all security dialogs will be consumed and pretented as beeing verified by user and allowed.*/
+ /** all security dialogs will be consumed and pretented as being verified by user and allowed.*/
private static boolean trustAll=false;
+ /**
+ * Header is not checked and so eg. gifar exploit is possible
+ * @see http://en.wikipedia.org/wiki/Gifar for this kind of attack.
+ * However if jar file is a bit corrupted, then it sometimes can work so
+ * this switch can disable the header check.
+ *
+ */
+ private static boolean ignoreHeaders=false;
/** contains the arguments passed to the jnlp runtime */
private static List<String> initialArguments;
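Review bot: The Javadoc on ignoreHeaders describes the unsafe state ("Header is not checked…") without saying which value selects it, and `@see http://…` is not a valid @see target (it needs an `<a href>` or `{@link}` form). A comment such as "When true, the jar header check in net.sourceforge.jnlp.util.JarFile is skipped; defaults to false. Intended only for -Xignoreheaders on jars with slightly corrupted headers, since skipping the check re-enables gifar-style polyglot files." with the Wikipedia link as an `<a href>` would tell a maintainer what they need. The typo fix in the preceding trustAll comment also leaves `pretented`, which should be `pretended`.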
@@ -775,4 +783,14 @@
return trustAll;
}
+ public static boolean isIgnoreHeaders() {
+ return ignoreHeaders;
+ }
+
+ public static void setIgnoreHeaders(boolean ignoreHeaders) {
+ JNLPRuntime.ignoreHeaders = ignoreHeaders;
+ }
+
+
+
}
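Review bot: setIgnoreHeaders is a public static setter that disables a security check, yet unlike the loader-count methods in JNLPClassLoader (which check AllPermission) nothing restricts who calls it or when. If the other JNLPRuntime setters guard against changes after initialization (a checkInitialized()-style call — not visible in this hunk), this one should do the same so the flag can only be set from Boot's option parsing; otherwise add a security-manager check mirroring JNLPClassLoader. A Javadoc stating that it must be called before the runtime is initialized would also help. The two trailing blank lines before the closing brace are leftover whitespace.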
diff -r 6883b7d0a2fc -r ded8ed9a9427 netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
--- a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java Wed Apr 10 15:37:00 2013 +0200
+++ b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java Wed Apr 17 10:15:16 2013 +0200
@@ -27,19 +27,35 @@
import static net.sourceforge.jnlp.runtime.Translator.R;
-import java.io.*;
-import java.util.*;
-import java.util.jar.*;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.CodeSigner;
+import java.security.KeyStore;
+import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
-import java.security.cert.CertPath;
-import java.security.*;
-import sun.security.x509.*;
-import sun.security.util.*;