[rfc][icedtea-web] Strip parameters from document-base

Adam Domurad adomurad at redhat.com
Mon Apr 22 14:05:28 PDT 2013 

Ping.

On 04/10/2013 03:02 PM, Adam Domurad wrote:
> [ .. original message snipped ..]
>
> Sorry for the confusion. I spent a bit of time creating a reproducer 
> and investigating why we were different from the proprietary plugin to 
> begin with.
>
> I have finally found the real reason for the troubles & inconsistency 
> here, the basic fix is:
>
>> diff --git a/plugin/icedteanp/java/sun/applet/PluginAppletViewer.java 
>> b/plugin/i
>> --- a/plugin/icedteanp/java/sun/applet/PluginAppletViewer.java
>> +++ b/plugin/icedteanp/java/sun/applet/PluginAppletViewer.java
>> @@ -439,8 +439,7 @@ public class PluginAppletViewer extends
>>          String height = msgParts[2];
>>
>>          int spaceLocation = message.indexOf(' ', "tag".length() + 1);
>> -        String documentBase =
>> -                UrlUtil.decode(message.substring("tag".length() + 1, 
>> spaceLocat
>> +        String documentBase = message.substring("tag".length() + 1, 
>> spaceLocati
>>          String paramString = message.substring(spaceLocation + 1);
>>
>>          PluginDebug.debug("Handle = ", handle, "\n",
>
>
> And we're 100% compatible with proprietary plugin, and aren't storing 
> invalid URLs. The only remaining fix-up was ...
>
>> diff --git a/netx/net/sourceforge/jnlp/cache/ResourceTracker.java 
>> b/netx/net/sourceforge/jnlp/cache/ResourceTracker.java
>> --- a/netx/net/sourceforge/jnlp/cache/ResourceTracker.java
>> +++ b/netx/net/sourceforge/jnlp/cache/ResourceTracker.java
>> @@ -390,7 +390,7 @@ public class ResourceTracker {
>>                  return resource.localFile;
>>
>>              if (location.getProtocol().equalsIgnoreCase("file")) {
>> -                File file = new File(location.getFile());
>> +                File file = new File(location.toURI().getPath());
>>                  if (file.exists())
>>                      return file;
>>              }
>> @@ -401,6 +401,9 @@ public class ResourceTracker {
>>                  ex.printStackTrace();
>>
>>              return null; // need an error exception to throw
>> +        } catch (URISyntaxException e) {
>> +            e.printStackTrace();
>> +            return null;
>>          }
>>      }
>
> Which works around a bad mis-design of URL#getFile() which does not 
> decode the URL. This only applies to local files. URL#getFile() should 
> be avoided, I think.
>
> Fix ChangeLog:
> 2013-XX-XX  Adam Domurad  <adomurad at redhat.com>
>
>     Ensure document-base is properly encoded.
>     * netx/net/sourceforge/jnlp/cache/ResourceTracker.java
>     (getCacheFile): Use URL#toUri().getPath() instead of URL#getFile().
>     * plugin/icedteanp/java/sun/applet/PluginAppletViewer.java
>     (handleInitializationMessage): Don't decode document-base.
>
> Reproducer ChangeLog:
> 2013-XX-XX  Adam Domurad  <adomurad at redhat.com>
>
>     Reproducer for URL parameters (eg ?a=b) in document-base.
>     * 
> tests/reproducers/simple/URLParametersInDocumentBase/resources/URLParametersInDocumentBase.html:
>     Page that loads applet.
>     * 
> tests/reproducers/simple/URLParametersInDocumentBase/srcs/URLParametersInDocumentBase.java:
>     Applet that prints code-base & document-base.
>     * 
> tests/reproducers/simple/URLParametersInDocumentBase/testcases/URLParametersInDocumentBaseTests.java:
>     Test-driver.
>
> The UrlUtils patch is not strictly necessary any more, but I'd still 
> like it in (it is unaffected by the changes). It can be just in HEAD 
> though.
>
> Please note that I strongly want the fix in 1.3 since without it one 
> cannot use Oracle LMS.
>
> Thanks,
> -Adam

More information about the distro-pkg-dev mailing list