[fyi][icedtea-web] backend and itw-settings for extended applets security

Wed Mar 20 11:36:28 PDT 2013

On 03/15/2013 11:01 AM, Jiri Vanek wrote:
> On 03/12/2013 01:56 PM, Adam Domurad wrote:
>> On 03/01/2013 12:10 PM, Adam Domurad wrote:
>>> [ large snip ]
>>>> New version attached.
>>>> -Adam
>>>
>>> Woops. In the back&forth between 1.2 and HEAD I have forgot to add 
>>> the normalization stuff.
>>>
>>> Rough location of the changes (sorry for the odd format, I just 
>>> grepped them):
>>>
>>> + private static UnsignedAppletActionEntry 
>>> getMatchingItem(UnsignedAppletActionStorage actionStorage, 
>>> PluginBridge file) {
>>> + return actionStorage.getMatchingItem(
>>> + normalizeURLQuietly(file.getSourceLocation()).toString(),
>>> + normalizeURLQuietly(file.getCodeBase()).toString(),
>>> + file.getArchiveJars());
>>> + }
>>> +
>>> + static private URL normalizeURLQuietly(URL url) {
>>> + try {
>>> + System.out.println("Normalizing " + url + " to " + 
>>> ResourceTracker.normalizeUrl(url, false));
>>> + return ResourceTracker.normalizeUrl(url, false);
>>> + } catch (IOException e) {
>>> + e.printStackTrace();
>>> + } catch (URISyntaxException e) {
>>> + e.printStackTrace();
>>> + }
>>> + return url;
>>> + }
>>> -- 
>>> + }
>>> +
>>> + URL codebase = normalizeURLQuietly(file.getCodeBase());
>>> + URL documentbase = normalizeURLQuietly(file.getSourceLocation());
>>> +
>>> + /* Else, create a new entry */
>>> + UrlRegEx codebaseRegex = new UrlRegEx("\\Q" + codebase + "\\E");
>>> + UrlRegEx documentbaseRegex = new UrlRegEx("\\Q" + documentbase + 
>>> "\\E");
>>> +
>>> + UnsignedAppletActionEntry entry = new UnsignedAppletActionEntry(
>>> + behaviour,
>>>
>>>
>>> Happy hacking,
>>> -Adam
>>
>> Ping?
>
> Sorry for taking so long, but it was not working as expected.
> Few issues remains:
> 1)The "wildcard do not work" issue as we have discussed - they do :) 
> But i had (for some reason???) included archives comaprsion also for 
> not stored archvies. So when there was wildchards an no archives, but 
> the matching against fully qualified  applet then failed. Attached is 
> patch with fix and test. [rfc]

Looks OK to me.

> 2)parameters - as you are already aware, all parameters are stored to 
> urls. As those can be some dinamical ID  or simialr, then I think we 
> should strip them both from  bases and from jars. For jars the tshe 
> strip is easy (all behind ? , including ?).For urls I'm not so sure. 
> Maybe the best is to strip both saved and compared? or strip just form 
> saved with  be "...\E.*" or "...?\E.*addition to such a base? [rfc]

Hmm. OK, sounds good (stripping both).

>
> 3)archives saved with full url. On one side I'm not sure how wrong 
> this is. On the second side  I would probably prefer  to have just 
> plain archive names . This happens during all, except "plain archives 
> tag". Good reproducer is jnlp href. I'm for simple "scratch everything 
> before last slash" - before saving and comparing [rfc]

'Scratch everything before last slash' was not sufficient, but OK used 
URI#relativize

>
>
> With fix on my previous work the whole concept looks to be working as 
> expected. Maybe you can push, and fix following issues separately. 
> Depends what do you prefer to fight with during packporting to 1.3;)
> Also the "ask once for matching appelts" looks like working,a nd I 
> have seen both red and green text finally :)
> I think that also the backport to 1.2 is affected by above issues, so 
> I would hold it off.. or maybe do not do it at all. (and just live  
> with this  1.3 and head)

It's easy to fix. I'll do it once we get this in.

>
>
> J.
>

New version posted. Changes in UnsignedAppletTrustConfirmation.java, see 
extractRelativeArchives & normalizeUrlAndStripParams. I also added some 
extra debug logging.
-Adam
-------------- next part --------------
A non-text attachment was scrubbed...
Name: integrated-dialogue4.patch
Type: text/x-patch
Size: 33652 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20130320/bd723018/integrated-dialogue4.patch 