/hg/icedtea-web: Fix PR1465 - java.io.FileNotFoundException whil...
adomurad at icedtea.classpath.org
adomurad at icedtea.classpath.org
Wed Jun 5 12:10:27 PDT 2013
changeset 83e496086fea in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=83e496086fea
author: Adam Domurad <adomurad at redhat.com>
date: Wed Jun 05 15:12:01 2013 -0400
Fix PR1465 - java.io.FileNotFoundException while trying to download a JAR file
diffstat:
ChangeLog | 13 +++++
NEWS | 2 +
netx/net/sourceforge/jnlp/util/UrlUtils.java | 15 +++++-
tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java | 4 +-
tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java | 26 +++++++++-
5 files changed, 56 insertions(+), 4 deletions(-)
diffs (139 lines):
diff -r f22262521491 -r 83e496086fea ChangeLog
--- a/ChangeLog Tue Jun 04 17:35:53 2013 +0200
+++ b/ChangeLog Wed Jun 05 15:12:01 2013 -0400
@@ -1,3 +1,16 @@
+2013-06-05 Adam Domurad <adomurad at redhat.com>
+
+ Fix PR1465
+ * NEWS: Bug fix note
+ * netx/net/sourceforge/jnlp/util/UrlUtils.java
+ (isValidRFC2396Url): New, tests if valid URL by RFC2396 rules
+ (normalizeUrl): Don't normalize if valid by RFC2396
+ * tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java:
+ Adapt which URLs we expect to change when normalizing URLs
+ * tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java:
+ (testIsValidRFC2396Url): New, tests isValidRFC2396Url
+ (testNormalizeUrl): Add new test with valid RFC2396 URL
+
2013-06-04 Jiri Vanek <jvanek at redhat.com>
* netx/net/sourceforge/jnlp/resources/Messages.properties:
diff -r f22262521491 -r 83e496086fea NEWS
--- a/NEWS Tue Jun 04 17:35:53 2013 +0200
+++ b/NEWS Wed Jun 05 15:12:01 2013 -0400
@@ -9,6 +9,8 @@
CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release 1.5 (2013-XX-XX):
+* NetX
+ - PR1465 - java.io.FileNotFoundException while trying to download a JAR file
* Plugin
- PR854: Resizing an applet several times causes 100% CPU load
diff -r f22262521491 -r 83e496086fea netx/net/sourceforge/jnlp/util/UrlUtils.java
--- a/netx/net/sourceforge/jnlp/util/UrlUtils.java Tue Jun 04 17:35:53 2013 +0200
+++ b/netx/net/sourceforge/jnlp/util/UrlUtils.java Wed Jun 05 15:12:01 2013 -0400
@@ -86,16 +86,29 @@
}
}
+ /* Use the URI syntax check of 'toURI' to see if it matches RFC2396.
+ * See http://www.ietf.org/rfc/rfc2396.txt */
+ public static boolean isValidRFC2396Url(URL url) {
+ try {
+ url.toURI();
+ return true;
+ } catch (URISyntaxException e) {
+ return false;
+ }
+ }
+
/* Ensure a URL is properly percent-encoded.
* Certain usages require local-file URLs to be encoded, eg for code-base & document-base. */
public static URL normalizeUrl(URL url, boolean encodeFileUrls) throws MalformedURLException, UnsupportedEncodingException, URISyntaxException {
if (url == null) {
return null;
}
+
String protocol = url.getProtocol();
boolean shouldEncode = (encodeFileUrls || !"file".equals(protocol));
- if (protocol == null || !shouldEncode || url.getPath() == null) {
+ // PR1465: We should not call 'URLDecoder.decode' on RFC2396-compliant URLs
+ if (protocol == null || !shouldEncode || url.getPath() == null || isValidRFC2396Url(url)) {
return url;
}
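Review bot: The new `isValidRFC2396Url(url)` clause in `normalizeUrl` treats "parses as a `java.net.URI`" as "needs no encoding", and those are not the same property. `URL.toURI()` accepts any well-formed percent-escape and, as a documented deviation from RFC 2396, also accepts non-ASCII characters, so a URL containing `%2F` or an unescaped `š` (and no space) is now returned untouched. Callers that compare or key on the result, such as the resource cache or code-base checks, would then see differently encoded spellings of one resource as distinct URLs; this is inferred, because those callers and the rest of `normalizeUrl` lie outside this hunk. If the intent is "already fully encoded", the helper could end in `return url.toURI().toASCIIString().equals(url.toExternalForm());`, and either way it deserves Javadoc stating that it checks syntax only and does no canonicalisation, plus a null guard since it is public.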
diff -r f22262521491 -r 83e496086fea tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java
--- a/tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java Tue Jun 04 17:35:53 2013 +0200
+++ b/tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java Wed Jun 05 15:12:01 2013 -0400
@@ -80,7 +80,7 @@
Assert.assertFalse("url " + i + " must be normalized (and so not equals) too normalized url " + i, u[i].equals(n[i]));
}
}
- public static final int CHANGE_BORDER = 6;
+ public static final int CHANGE_BORDER = 8;
public static URL[] getUrls() throws MalformedURLException {
URL[] u = {
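Review bot: `CHANGE_BORDER` is a bare index that has to be moved by hand together with the `/*changing*/` marker in `getUrls()` (second hunk of this file), and nothing ties the two together. A comment on the constant would make the coupling explicit, for example `// index of the first entry in getUrls() that normalizeUrl is expected to alter; keep in sync with the /*changing*/ marker`. The loop that uses the constant and the full body of `getUrls()` lie outside the visible lines, so the exact meaning of the index is inferred from the assertion message above it.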
@@ -91,9 +91,9 @@
new URL("http:///SpacesCanBeEverywhere1.jnlp"),
new URL("file://localhost/home/jvanek/Desktop/icedtea-web/tests.build/jnlp_test_server/Spaces can be everywhere2.jnlp"),
new URL("http://localhost:44321/testpage.jnlp?applicationID=25"),
- /*changing*/
new URL("http://localhost:44321/Spaces%20Can%20Be%20Everyw%2Fhere1.jnlp"),
new URL("http://localhost/Spaces+Can+Be+Everywhere1.jnlp"),
+ /*changing*/
new URL("http://localhost/SpacesC anBeEverywhere1.jnlp?a=5&b=10#df"),
new URL("http:///oook.jnlp?a=5&b=ahoj šš dd#df"),
new URL("http://localhost/SpacesÄÄšžšÅýžÄÅú can !@^*(){}[].jnlp?a=5&ahoj šš dd#df"),
diff -r f22262521491 -r 83e496086fea tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java
--- a/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java Tue Jun 04 17:35:53 2013 +0200
+++ b/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java Wed Jun 05 15:12:01 2013 -0400
@@ -39,8 +39,11 @@
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
import java.io.File;
+import java.net.MalformedURLException;
+import java.net.URISyntaxException;
import java.net.URL;
import org.junit.Test;
@@ -95,6 +98,27 @@
// Test file URL with file URL encoding turned on
assertEquals("file://example/%20test",
UrlUtils.normalizeUrl(new URL("file://example/ test"), true).toString());
+
+ // PR1465: Test that RFC2396-compliant URLs are not touched
+ // Example taken from bug report: http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1465
+ String rfc2396Valid = "https://example.com/,DSID=64c19c5b657df383835706571a7c7216,DanaInfo=example.com,CT=java+JICAComponents/JICA-sicaN.jar";
+ assertEquals(rfc2396Valid,
+ UrlUtils.normalizeUrl(new URL(rfc2396Valid)).toString());
+ }
+
+ @Test
+ public void testIsValidRFC2396Url() throws Exception {
+ String rfc2396Valid = "https://example.com/,foo=bar+baz/JICA-sicaN.jar";
+ assertTrue(UrlUtils.isValidRFC2396Url(new URL(rfc2396Valid)));
+
+ // These should invalidate the URL
+ // See http://www.ietf.org/rfc/rfc2396.txt (2.4.3. Excluded US-ASCII Characters)
+ char[] invalidCharacters = {'<', '>', '%', '"', };
+ for (char chr : invalidCharacters) {
+ assertFalse("validation failed with '" + chr + "'",UrlUtils.isValidRFC2396Url(new URL(rfc2396Valid + chr)));
+ }
+ //special test for space inisde. Space at the end can be trimmed
+ assertFalse("validation failed with '" + ' ' + "'",UrlUtils.isValidRFC2396Url(new URL("https://example.com/,foo=bar+ba z/JICA-sicaN.jar")));
}
@Test
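Review bot: The rejected inputs in `testIsValidRFC2396Url` are all characters that `URI` refuses outright (`<`, `>`, a bare `%`, `"`, an inner space), so the test does not pin the two cases where the check is lenient: a well-formed escape and a non-ASCII character. Adding `assertTrue(UrlUtils.isValidRFC2396Url(new URL("https://example.com/a%2Fb.jar")));` and a matching assertion for a path such as `/š.jar` would record whether pass-through of those URLs is intended. The `'%'` entry fails only because it is appended as an incomplete escape, which is worth a comment next to the array, e.g. `// a trailing '%' is an incomplete escape; "%20" would be accepted`. `testNormalizeUrl` starts above this hunk.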
@@ -116,4 +140,4 @@
assertEquals(testFile, UrlUtils.decodeUrlAsFile(encodedUrl));
}
}
-}
\ No newline at end of file
+}