[rfc][icedtea-web] RH982558 - proxy PAC support does not work
Omair Majid
omajid at redhat.com
Fri Jul 19 13:05:01 PDT 2013
On 07/19/2013 03:55 PM, Andrew Azores wrote:
> Changelog:
> * netx/net/sourceforge/jnlp/runtime/RhinoBasedPacEvaluator.java
> (getProxiesWithoutCaching): added read property permission for java.vm.name
>
> Proxy PAC wasn't working in Fedora 19 because Rhino initialization was
> being stopped due to missing read permission on java.vm.name property.
> Since Rhino couldn't start, the PAC file wasn't parsed, and the proxy
> setting fell back to direct connect.
Thanks for looking into this.
Read permissions for accessing this property is actually listed in
$JAVA_HOME/jre/lib/security/policy.java, but it's just that we have
always ignored that file. Looks like old(er) versions of rhino didn't
actually use the property.
> Permissions p = new Permissions();
Please add a comment here (probably just before we allocate the
permissions object) that explains that we do not parse java.policy
intentionally since we really do not want this remote code to do much of
anything, other than evaluate a value.
> p.add(new RuntimePermission("accessClassInPackage.org.mozilla.javascript"));
> p.add(new SocketPermission("*", "resolve"));
> + p.add(new PropertyPermission("java.vm.name", "read"));
> ProtectionDomain pd = new ProtectionDomain(null, p);
> AccessControlContext context = new AccessControlContext(new ProtectionDomain[] { pd });
Feel free to push with the addition of a comment.
Cheers,
Omair
--
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95 0056 F286 F14F 6648 4681
More information about the distro-pkg-dev
mailing list