[fyi][icedtea-web] backend and itw-settings for extended applets security

Fri Mar 15 08:01:30 PDT 2013

On 03/12/2013 01:56 PM, Adam Domurad wrote:
> On 03/01/2013 12:10 PM, Adam Domurad wrote:
>> [ large snip ]
>>> New version attached.
>>> -Adam
>>
>> Woops. In the back&forth between 1.2 and HEAD I have forgot to add the normalization stuff.
>>
>> Rough location of the changes (sorry for the odd format, I just grepped them):
>>
>> + private static UnsignedAppletActionEntry getMatchingItem(UnsignedAppletActionStorage actionStorage, PluginBridge file) {
>> + return actionStorage.getMatchingItem(
>> + normalizeURLQuietly(file.getSourceLocation()).toString(),
>> + normalizeURLQuietly(file.getCodeBase()).toString(),
>> + file.getArchiveJars());
>> + }
>> +
>> + static private URL normalizeURLQuietly(URL url) {
>> + try {
>> + System.out.println("Normalizing " + url + " to " + ResourceTracker.normalizeUrl(url, false));
>> + return ResourceTracker.normalizeUrl(url, false);
>> + } catch (IOException e) {
>> + e.printStackTrace();
>> + } catch (URISyntaxException e) {
>> + e.printStackTrace();
>> + }
>> + return url;
>> + }
>> --
>> + }
>> +
>> + URL codebase = normalizeURLQuietly(file.getCodeBase());
>> + URL documentbase = normalizeURLQuietly(file.getSourceLocation());
>> +
>> + /* Else, create a new entry */
>> + UrlRegEx codebaseRegex = new UrlRegEx("\\Q" + codebase + "\\E");
>> + UrlRegEx documentbaseRegex = new UrlRegEx("\\Q" + documentbase + "\\E");
>> +
>> + UnsignedAppletActionEntry entry = new UnsignedAppletActionEntry(
>> + behaviour,
>>
>>
>> Happy hacking,
>> -Adam
>
> Ping?

Sorry for taking so long, but it was not working as expected.
Few issues remains:
1)The "wildcard do not work" issue as we have discussed - they do :) But i had (for some reason???) included archives comaprsion also for not stored archvies. So when there was wildchards an no archives, but the matching against fully qualified  applet then failed. Attached is patch with fix and test. [rfc]
2)parameters - as you are already aware, all parameters are stored to urls. As those can be some dinamical ID  or simialr, then I think we should strip them both from  bases and from jars. For jars the tshe strip is easy (all behind ? , including ?).For urls I'm not so sure. Maybe the best is to strip both saved and compared? or strip just form saved with  be "...\E.*" or "...?\E.*addition to such a base? [rfc]
3)archives saved with full url. On one side I'm not sure how wrong this is. On the second side  I would probably prefer  to have just plain archive names . This happens during all, except "plain archives tag". Good reproducer is jnlp href. I'm for simple "scratch everything before last slash" - before saving and comparing [rfc]

With fix on my previous work the whole concept looks to be working as expected. Maybe you can push, and fix following issues separately. Depends what do you prefer to fight with during  packporting to 1.3;)
Also the "ask once for matching appelts" looks like working,a nd I have seen both red and green text finally :)
I think that also the backport to 1.2 is affected by above issues, so I would hold it off.. or maybe do not do it at all. (and just live  with this  1.3 and head)

J.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: archivesPatch
Url: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20130315/d772ba68/archivesPatch.ksh 