[rfc][icedtea-web] Strip parameters from document-base
Jiri Vanek
jvanek at redhat.com
Mon Apr 22 23:10:05 PDT 2013
On 04/22/2013 11:05 PM, Adam Domurad wrote:
> Ping.
>
> On 04/10/2013 03:02 PM, Adam Domurad wrote:
>> [ .. original message snipped ..]
>>
>> Sorry for the confusion. I spent a bit of time creating a reproducer and investigating why we were different from the proprietary plugin to begin with.
>>
>> I have finally found the real reason for the troubles & inconsistency here, the basic fix is:
>>
>>> diff --git a/plugin/icedteanp/java/sun/applet/PluginAppletViewer.java b/plugin/i
>>> --- a/plugin/icedteanp/java/sun/applet/PluginAppletViewer.java
>>> +++ b/plugin/icedteanp/java/sun/applet/PluginAppletViewer.java
>>> @@ -439,8 +439,7 @@ public class PluginAppletViewer extends
>>> String height = msgParts[2];
>>>
>>> int spaceLocation = message.indexOf(' ', "tag".length() + 1);
>>> - String documentBase =
>>> - UrlUtil.decode(message.substring("tag".length() + 1, spaceLocat
>>> + String documentBase = message.substring("tag".length() + 1, spaceLocati
>>> String paramString = message.substring(spaceLocation + 1);
>>>
>>> PluginDebug.debug("Handle = ", handle, "\n",
>>
>>
>> And we're 100% compatible with proprietary plugin, and aren't storing invalid URLs. The only remaining fix-up was ...
>>
>>> diff --git a/netx/net/sourceforge/jnlp/cache/ResourceTracker.java b/netx/net/sourceforge/jnlp/cache/ResourceTracker.java
>>> --- a/netx/net/sourceforge/jnlp/cache/ResourceTracker.java
>>> +++ b/netx/net/sourceforge/jnlp/cache/ResourceTracker.java
>>> @@ -390,7 +390,7 @@ public class ResourceTracker {
>>> return resource.localFile;
>>>
>>> if (location.getProtocol().equalsIgnoreCase("file")) {
>>> - File file = new File(location.getFile());
>>> + File file = new File(location.toURI().getPath());
>>> if (file.exists())
>>> return file;
>>> }
>>> @@ -401,6 +401,9 @@ public class ResourceTracker {
>>> ex.printStackTrace();
>>>
>>> return null; // need an error exception to throw
>>> + } catch (URISyntaxException e) {
>>> + e.printStackTrace();
>>> + return null;
>>> }
>>> }
>>
>> Which works around a bad mis-design of URL#getFile() which does not decode the URL. This only applies to local files. URL#getFile() should be avoided, I think.
>>
>> Fix ChangeLog:
>> 2013-XX-XX Adam Domurad <adomurad at redhat.com>
>>
>> Ensure document-base is properly encoded.
>> * netx/net/sourceforge/jnlp/cache/ResourceTracker.java
>> (getCacheFile): Use URL#toUri().getPath() instead of URL#getFile().
>> * plugin/icedteanp/java/sun/applet/PluginAppletViewer.java
>> (handleInitializationMessage): Don't decode document-base.
>>
>> Reproducer ChangeLog:
>> 2013-XX-XX Adam Domurad <adomurad at redhat.com>
>>
>> Reproducer for URL parameters (eg ?a=b) in document-base.
>> * tests/reproducers/simple/URLParametersInDocumentBase/resources/URLParametersInDocumentBase.html:
>> Page that loads applet.
>> * tests/reproducers/simple/URLParametersInDocumentBase/srcs/URLParametersInDocumentBase.java:
>> Applet that prints code-base & document-base.
>> * tests/reproducers/simple/URLParametersInDocumentBase/testcases/URLParametersInDocumentBaseTests.java:
>> Test-driver.
>>
>> The UrlUtils patch is not strictly necessary any more, but I'd still like it in (it is unaffected by the changes). It can be just in HEAD though.
>>
>> Please note that I strongly want the fix in 1.3 since without it one cannot use Oracle LMS.
>>
>> Thanks,
>> -Adam
>
Acked. I have already acked ago, but it have to got lsot.
Thank you for ping!
More information about the distro-pkg-dev
mailing list