/hg/icedtea-web: PR1769, support signed applets which specify Sa...
aazores at icedtea.classpath.org
Fri Aug 1 15:29:48 UTC 2014
changeset d1584d50c1e9 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=d1584d50c1e9
author: Andrew Azores <aazores at redhat.com>
date: Fri Aug 01 11:29:26 2014 -0400
PR1769, support signed applets which specify Sandbox permission in manifest
2014-08-01 Andrew Azores <aazores at redhat.com>
Fixed support for signed applets which specify the Permissions attribute
as "sandbox" in their manifests. These applets are now properly run
sandboxed automatically, rather than requiring the user to click the
"Sandbox" run button.
* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
(JNLPClassLoader): manifest attributes checking and security settings
moved inside initializeResources
(initializePermissions): renamed (initializeReadJarPermissions). Redundant
null-check removed
(initializeResources): do not set entries in jarLocationSecurityMap until
after prompting the user on whether to run the applet as well as
performing manifest attribute checks. A new Collection (validJars) is used
to hold available and valid JARs between discovering the JARs and applying
any security settings to them
(initializeManifestAttributesChecker): new method
(getJnlpFileCodebase): new method, extracted from initializeResources
(SecurityDelegateImpl.setRunInSandbox): throw exception if already forced
to run in sandbox, rather than if already prompted
* netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java
(isLowSecurity): new method
(checkAll): Extended Applet Security on Low disables all manifest checks
except for Permissions
(checkPermissionsAttribute): do not skip checking if Extended Applet
Security is Low. Remove try/catch on setRunInSandbox call as this is now
supported.
(checkApplicationLibraryAllowableCodebaseAttribute): do not display dialog
prompts on low security, allow the applet to run without prompt
* tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPFileTest.java
(newSecurityAttributesTest): set JAR manifest to have Permissions:
all-permissions, since this is a JNLP and JAR is signed and so 'sandbox'
is not actually allowed
* tests/test-extensions/net/sourceforge/jnlp/mock/DummyJNLPFile.java:
properly initialize 'security' field rather than overriding getSecurity
* tests/test-extensions/net/sourceforge/jnlp/mock/DummyJNLPFileWithJar.java:
same
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionSigned.html:
new tests
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionSigned.jnlp
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionSignedJNLPhref.html
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionUnsigned.html
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionUnsigned.jnlp
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionUnsignedJNLPhref.html
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxSigned.html
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxSigned.jnlp
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxSignedJNLPhref.html
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxUnsigned.html
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxUnsigned.jnlp
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxUnsignedJNLPhref.html
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedApplicationManifestSpecifiesAllPermissionSigned.jnlp
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedApplicationManifestSpecifiesAllPermissionUnsigned.jnlp
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedApplicationManifestSpecifiesSandboxSigned.jnlp
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedApplicationManifestSpecifiesSandboxUnsigned.jnlp
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/MANIFEST.MF.1
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/MANIFEST.MF.2
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/Makefile
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/PartiallySignedAppletManifestSpecifiesSandboxSigned.java
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/PartiallySignedAppletManifestSpecifiesSandboxUnsigned.java
* tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/testcases/PartiallySignedAppletManifestSpecifiesSandboxTests.java
* tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandbox.html
* tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandboxApplet.jnlp
* tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandboxApplication.jnlp
* tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandboxJnlpHref.html
* tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/srcs/META-INF/MANIFEST.MF
* tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/srcs/SignedAppletManifestSpecifiesSandbox.java
* tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/testcases/SignedAppletManifestSpecifiesSandboxTests.java
diffstat:
ChangeLog | 68 ++
NEWS | 2 +
netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java | 77 ++-
netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java | 52 +-
tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPFileTest.java | 15 +-
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionSigned.html | 48 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionSigned.jnlp | 56 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionSignedJNLPhref.html | 46 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionUnsigned.html | 48 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionUnsigned.jnlp | 56 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionUnsignedJNLPhref.html | 46 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxSigned.html | 48 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxSigned.jnlp | 56 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxSignedJNLPhref.html | 46 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxUnsigned.html | 48 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxUnsigned.jnlp | 56 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxUnsignedJNLPhref.html | 46 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedApplicationManifestSpecifiesAllPermissionSigned.jnlp | 56 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedApplicationManifestSpecifiesAllPermissionUnsigned.jnlp | 56 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedApplicationManifestSpecifiesSandboxSigned.jnlp | 56 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedApplicationManifestSpecifiesSandboxUnsigned.jnlp | 56 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/MANIFEST.MF.1 | 2 +
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/MANIFEST.MF.2 | 2 +
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/Makefile | 38 +
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/PartiallySignedAppletManifestSpecifiesSandboxSigned.java | 68 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/PartiallySignedAppletManifestSpecifiesSandboxUnsigned.java | 68 ++
tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/testcases/PartiallySignedAppletManifestSpecifiesSandboxTests.java | 229 ++++++++++
tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandbox.html | 48 ++
tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandboxApplet.jnlp | 59 ++
tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandboxApplication.jnlp | 59 ++
tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandboxJnlpHref.html | 49 ++
tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/srcs/META-INF/MANIFEST.MF | 3 +
tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/srcs/SignedAppletManifestSpecifiesSandbox.java | 62 ++
tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/testcases/SignedAppletManifestSpecifiesSandboxTests.java | 118 +++++
tests/test-extensions/net/sourceforge/jnlp/mock/DummyJNLPFile.java | 8 +-
tests/test-extensions/net/sourceforge/jnlp/mock/DummyJNLPFileWithJar.java | 6 +-
36 files changed, 1791 insertions(+), 66 deletions(-)
diffs (truncated from 2219 to 500 lines):
diff -r 68494e57c151 -r d1584d50c1e9 ChangeLog
--- a/ChangeLog Fri Aug 01 11:25:28 2014 +0200
+++ b/ChangeLog Fri Aug 01 11:29:26 2014 -0400
@@ -1,3 +1,71 @@
+2014-08-01 Andrew Azores <aazores at redhat.com>
+
+ Fixed support for signed applets which specify the Permissions attribute
+ as "sandbox" in their manifests. These applets are now properly run
+ sandboxed automatically, rather than requiring the user to click the
+ "Sandbox" run button.
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+ (JNLPClassLoader): manifest attributes checking and security settings
+ moved inside initializeResources
+ (initializePermissions): renamed (initializeReadJarPermissions). Redundant
+ null-check removed
+ (initializeResources): do not set entries in jarLocationSecurityMap until
+ after prompting the user on whether to run the applet as well as
+ performing manifest attribute checks. A new Collection (validJars) is used
+ to hold available and valid JARs between discovering the JARs and applying
+ any security settings to the them
+ (initializeManifestAttributesChecker): new method
+ (getJnlpFileCodebase): new method, extracted from initializeResources
+ (SecurityDelegateImpl.setRunInSandbox): throw exception if already forced
+ to run in sandbox, rather than if already prompted
+ * netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java
+ (isLowSecurity): new method
+ (checkAll): Extended Applet Security on Low disables all manifest checks
+ except for Permissions
+ (checkPermissionsAttribute): do not skip checking if Extended Applet
+ Security is Low. Remove try/catch on setRunInSandbox call as this is now
+ supported.
+ (checkApplicationLibraryAllowableCodebaseAttribute): do not display dialog
+ prompts on low security, allow the applet to run without prompt
+ * tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPFileTest.java
+ (newSecurityAttributesTest): set JAR manifest to have Permissions:
+ all-permissions, since this is a JNLP and JAR is signed and so 'sandbox'
+ is not actually allowed
+ * tests/test-extensions/net/sourceforge/jnlp/mock/DummyJNLPFile.java:
+ properly initialize 'security' field rather than overriding getSecurity
+ * tests/test-extensions/net/sourceforge/jnlp/mock/DummyJNLPFileWithJar.java:
+ same
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionSigned.html:
+ new tests
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionSigned.jnlp
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionSignedJNLPhref.html
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionUnsigned.html
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionUnsigned.jnlp
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionUnsignedJNLPhref.html
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxSigned.html
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxSigned.jnlp
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxSignedJNLPhref.html
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxUnsigned.html
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxUnsigned.jnlp
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesSandboxUnsignedJNLPhref.html
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedApplicationManifestSpecifiesAllPermissionSigned.jnlp
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedApplicationManifestSpecifiesAllPermissionUnsigned.jnlp
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedApplicationManifestSpecifiesSandboxSigned.jnlp
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedApplicationManifestSpecifiesSandboxUnsigned.jnlp
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/MANIFEST.MF.1
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/MANIFEST.MF.2
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/Makefile
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/PartiallySignedAppletManifestSpecifiesSandboxSigned.java
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/srcs/PartiallySignedAppletManifestSpecifiesSandboxUnsigned.java
+ * tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/testcases/PartiallySignedAppletManifestSpecifiesSandboxTests.java
+ * tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandbox.html
+ * tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandboxApplet.jnlp
+ * tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandboxApplication.jnlp
+ * tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandboxJnlpHref.html
+ * tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/srcs/META-INF/MANIFEST.MF
+ * tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/srcs/SignedAppletManifestSpecifiesSandbox.java
+ * tests/reproducers/signed/SignedAppletManifestSpecifiesSandbox/testcases/SignedAppletManifestSpecifiesSandboxTests.java
+
2014-08-01 Jiri Vanek <jvanek at redhat.com>
* plugin/icedteanp/java/sun/applet/PluginAppletViewer.java: casts to
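Review bot: the (checkAll) entry in this ChangeLog hunk does not describe what the code does: it says "Extended Applet Security on Low disables all manifest checks except for Permissions", but the checkAll() change in ManifestAttributesChecker.java only moves checkPermissionsAttribute() outside the existing isCheckEnabled() gate, which reads the deployment.manifest.attributes.check property, not the applet security level. The low-security short-circuit in this patch is limited to the two ALAC dialogs in checkApplicationLibraryAllowableCodebaseAttribute(). Please reword the entry to say "the Permissions attribute is now checked even when manifest attribute checking is disabled in deployment properties". Also, in the (initializeResources) entry, "applying any security settings to the them" should read "to them".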
diff -r 68494e57c151 -r d1584d50c1e9 NEWS
--- a/NEWS Fri Aug 01 11:25:28 2014 +0200
+++ b/NEWS Fri Aug 01 11:29:26 2014 -0400
@@ -35,6 +35,8 @@
exiting without saving changes
- Keyboard accelerators and mnemonics greatly improved
- "File - New" allows editing a new policy without first selecting the file to save to
+* Common
+ - PR1769: support signed applets which specify Sandbox permissions in their manifests
* Temporary Permissions in security dialog now multi-selectable and based on PolicyEditor permissions
New in release 1.5 (2014-XX-XX):
diff -r 68494e57c151 -r d1584d50c1e9 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Fri Aug 01 11:25:28 2014 +0200
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Fri Aug 01 11:29:26 2014 -0400
@@ -223,6 +223,8 @@
private final SecurityDelegate securityDelegate;
+ private ManifestAttributesChecker mac;
+
/**
* Create a new JNLPClassLoader from the specified file.
*
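Review bot: `mac` is a non-final field that is only assigned lazily in initializeManifestAttributesChecker(), and its constructor captures `security` and `signing` at that moment, so it must not be created before setSecurity() has run and the signing state is final. A one-line comment on the field stating that ordering constraint (and that the field is null until initializeResources() completes) would prevent a future caller from reading it too early.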
@@ -275,18 +277,10 @@
initializeExtensions();
initializeResources();
-
- //loading mainfests before resources are initialised may cause waiting for resources
- file.getManifestsAttributes().setLoader(this);
// initialize permissions
- initializePermissions();
-
- setSecurity();
-
- ManifestAttributesChecker mac = new ManifestAttributesChecker(security, file, signing, securityDelegate);
- mac.checkAll();
-
+ initializeReadJarPermissions();
+
installShutdownHooks();
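Review bot: with setSecurity() and mac.checkAll() removed from the constructor, manifest enforcement now depends on every exit path of initializeResources() calling them; this patch adds the sequence on two paths (the hasMainInExtensions early return and the normal path), and any future early return would silently skip the Permissions check. Consider a single post-condition after `initializeResources();` here, e.g. failing the launch if `mac == null`, so the check cannot be bypassed by a new return. The removed comment "loading manifests before resources are initialised may cause waiting for resources" still explains why the setLoader() call moved; it would be worth keeping it next to the new call in initializeManifestAttributesChecker().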
@@ -506,7 +500,7 @@
/**
* Make permission objects for the classpath.
*/
- void initializePermissions() {
+ void initializeReadJarPermissions() {
resourcePermissions = new ArrayList<Permission>();
JARDesc jars[] = resources.getJARs();
@@ -516,10 +510,9 @@
if (p == null) {
OutputController.getLogger().log("Unable to add permission for " + jar.getLocation());
} else {
+ resourcePermissions.add(p);
OutputController.getLogger().log("Permission added: " + p.toString());
}
- if (p != null)
- resourcePermissions.add(p);
}
}
@@ -592,6 +585,9 @@
//Check if main jar is found within extensions
foundMainJar = foundMainJar || hasMainInExtensions();
+ setSecurity();
+ initializeManifestAttributesChecker();
+ mac.checkAll();
return;
}
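Review bot: the three calls `setSecurity(); initializeManifestAttributesChecker(); mac.checkAll();` are now duplicated verbatim between this early-return branch and the main path further down; extract them into one private helper so the two paths cannot drift apart (for example if a fourth step is later added to only one of them).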
@@ -706,7 +702,9 @@
signing = SigningState.NONE;
}
}
-
+ setSecurity();
+
+ final Set<JARDesc> validJars = new HashSet<>();
boolean containsSignedJar = false, containsUnsignedJar = false;
for (JARDesc jarDesc : file.getResources().getJARs()) {
File cachedFile;
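Review bot: moving setSecurity() above the JAR loop means `classLoader.security` is already non-null by the time mac.checkAll() can reach SecurityDelegateImpl.setRunInSandbox(), so the guard in that method now rests entirely on jarLocationSecurityMap still being empty, which is exactly why the map population was deferred below. Please record that ordering constraint in a comment here; nothing in the code otherwise stops someone from moving the `jarLocationSecurityMap.put(...)` back into this loop and reintroducing the "already prompted" failure.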
@@ -724,14 +722,8 @@
continue; // JAR not found. Keep going.
}
- final URL codebase;
- if (file.getCodeBase() != null) {
- codebase = file.getCodeBase();
- } else {
- // FIXME: codebase should be the codebase of the Main Jar not
- // the location. Although, it still works in the current state.
- codebase = file.getResources().getMainJAR().getLocation();
- }
+ validJars.add(jarDesc);
+ final URL codebase = getJnlpFileCodebase();
final SecurityDesc jarSecurity = securityDelegate.getCodebaseSecurityDesc(jarDesc, codebase.getHost());
if (jarSecurity.getSecurityType().equals(SecurityDesc.SANDBOX_PERMISSIONS)) {
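Review bot: `final URL codebase = getJnlpFileCodebase();` is evaluated on every iteration although it does not depend on `jarDesc`; hoist it above the loop (and above the second loop added below, which repeats the same call). The FIXME about using the main JAR's location rather than its codebase is carried over unchanged into getJnlpFileCodebase(), so it is still an open item, not something this patch resolves.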
@@ -740,15 +732,45 @@
containsSignedJar = true;
}
- jarLocationSecurityMap.put(jarDesc.getLocation(), jarSecurity);
+ if (containsUnsignedJar && containsSignedJar) {
+ break;
+ }
}
if (containsSignedJar && containsUnsignedJar) {
checkPartialSigningWithUser();
}
+ initializeManifestAttributesChecker();
+ mac.checkAll();
+
+ for (JARDesc jarDesc : validJars) {
+ final URL codebase = getJnlpFileCodebase();
+ final SecurityDesc jarSecurity = securityDelegate.getCodebaseSecurityDesc(jarDesc, codebase.getHost());
+ jarLocationSecurityMap.put(jarDesc.getLocation(), jarSecurity);
+ }
+
activateJars(initialJars);
}
+
+ private void initializeManifestAttributesChecker() throws LaunchException {
+ if (mac == null) {
+ file.getManifestsAttributes().setLoader(this);
+ mac = new ManifestAttributesChecker(security, file, signing, securityDelegate);
+ }
+ }
+
+ private URL getJnlpFileCodebase() {
+ final URL codebase;
+ if (file.getCodeBase() != null) {
+ codebase = file.getCodeBase();
+ } else {
+ // FIXME: codebase should be the codebase of the Main Jar not
+ // the location. Although, it still works in the current state.
+ codebase = file.getResources().getMainJAR().getLocation();
+ }
+ return codebase;
+ }
/***
* Checks for the jar that contains the attribute.
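Review bot: the new `if (containsUnsignedJar && containsSignedJar) { break; }` is a regression for applications with more than two JARs: `validJars.add(jarDesc)` happens before the break, so once one signed and one unsigned JAR have been seen the remaining JARs are never added to `validJars`, and the second loop therefore never puts an entry for them into `jarLocationSecurityMap`. Before this patch every cached JAR got a `jarLocationSecurityMap.put(...)`; now anything that later looks up a trailing JAR's SecurityDesc finds nothing. Drop the break (the flags are cheap to keep setting), or track the signed/unsigned flags separately from the `validJars` collection so all found JARs are retained.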
@@ -757,13 +779,12 @@
* @param name attribute to be found
*/
public String checkForAttributeInJars(List<JARDesc> jars, Attributes.Name name) {
-
if (jars.isEmpty()) {
return null;
}
String result = null;
-
+
// Check main jar
JARDesc mainJarDesc = ResourcesDesc.getMainJAR(jars);
result = getManifestAttribute(mainJarDesc.getLocation(), name);
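Review bot: this hunk and the next one in checkForAttributeInJars() are whitespace-only (blank-line and trailing-whitespace changes) in a method the patch does not otherwise touch; please keep such cleanups out of a security-behaviour change so the functional diff stays reviewable and bisectable.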
@@ -771,7 +792,7 @@
if (result != null) {
return result;
}
-
+
// Check first jar
JARDesc firstJarDesc = jars.get(0);
result = getManifestAttribute(firstJarDesc.getLocation(),name);
@@ -2375,8 +2396,8 @@
}
public void setRunInSandbox() throws LaunchException {
- if (promptedForSandbox || classLoader.security != null
- || classLoader.jarLocationSecurityMap.size() != 0) {
+ if (runInSandbox && classLoader.security != null
+ && classLoader.jarLocationSecurityMap.size() != 0) {
throw new LaunchException(classLoader.file, null, R("LSFatal"), R("LCInit"), R("LRunInSandboxError"), R("LRunInSandboxErrorInfo"));
}
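Review bot: the guard is now `runInSandbox && classLoader.security != null && classLoader.jarLocationSecurityMap.size() != 0`, which only rejects a second sandbox request after permissions have been applied; a first call that arrives after `jarLocationSecurityMap` is populated is no longer an error, even though by then the JARs' SecurityDesc entries have already been recorded. If the intended invariant is "sandboxing must be decided before the map is filled" (which the reordering in initializeResources() arranges), state it in a comment here and consider keeping `jarLocationSecurityMap.size() != 0` as an independent failure condition rather than relying on callers to get the order right. The ChangeLog also says the check is no longer based on "already prompted"; if `promptedForSandbox` has no remaining readers it should be removed in the same patch.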
diff -r 68494e57c151 -r d1584d50c1e9 netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java
--- a/netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java Fri Aug 01 11:25:28 2014 +0200
+++ b/netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java Fri Aug 01 11:29:26 2014 -0400
@@ -75,19 +75,21 @@
}
void checkAll() throws LaunchException {
+ checkPermissionsAttribute();
if (isCheckEnabled()) {
checkTrustedOnlyAttribute();
checkCodebaseAttribute();
checkPermissionsAttribute();
checkApplicationLibraryAllowableCodebaseAttribute();
} else {
- OutputController.getLogger().log("Checking for attributes in manifest is disabled.");
+ OutputController.getLogger().log(OutputController.Level.WARNING_ALL, "Manifest attribute checks are disabled."
+ + " The Permissions attribute will be enforced but other manifest attributes will be ignored.");
}
}
public static boolean isCheckEnabled() {
- String value = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK);
- return Boolean.parseBoolean(value);
+ final String deploymentProperty = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK);
+ return Boolean.parseBoolean(deploymentProperty);
}
/**
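Review bot: checkPermissionsAttribute() is now called twice when checks are enabled: once unconditionally at the top of checkAll() and again inside the `if (isCheckEnabled())` block. For a manifest with no Permissions attribute on the "high" security level that means the user is shown the missing-attribute prompt twice, and on the first run the second call only short-circuits because the first one already called setRunInSandbox(). Remove the call inside the if block and leave the unconditional one.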
@@ -178,15 +180,19 @@
* http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#permissions
*/
private void checkPermissionsAttribute() throws LaunchException {
- final ManifestBoolean sandboxForced = file.getManifestsAttributes().isSandboxForced();
- final AppletSecurityLevel itwSecurityLevel = AppletStartupSecuritySettings.getInstance().getSecurityLevel();
- if (itwSecurityLevel == AppletSecurityLevel.ALLOW_UNSIGNED || securityDelegate.getRunInSandbox()) {
- OutputController.getLogger().log(OutputController.Level.WARNING_ALL, "Although 'permissions' attribute of this application is '" + file.getManifestsAttributes().permissionsToString()
- + "' Your Extended applets security is at 'low', or you have specifically chosen to run the applet Sandboxed. Continuing");
+ if (securityDelegate.getRunInSandbox()) {
+ OutputController.getLogger().log(OutputController.Level.WARNING_ALL, "The 'Permissions' attribute of this application is '" + file.getManifestsAttributes().permissionsToString()
+ + "'. You have chosen the Sandbox run option, which overrides the Permissions manifest attribute, or the applet has already been automatically sandboxed.");
return;
}
+ final ManifestBoolean sandboxForced = file.getManifestsAttributes().isSandboxForced();
+ // If the attribute is not specified in the manifest, prompt the user. Oracle's spec says that the
+ // attribute is required, but this breaks a lot of existing applets. Therefore, when on the highest
+ // security level, we refuse to run these applets. On the standard security level, we ask. And on the
+ // lowest security level, we simply proceed without asking.
if (sandboxForced == ManifestBoolean.UNDEFINED) {
+ final AppletSecurityLevel itwSecurityLevel = AppletStartupSecuritySettings.getInstance().getSecurityLevel();
if (itwSecurityLevel == AppletSecurityLevel.DENY_UNSIGNED) {
throw new LaunchException("Your Extended applets security is at 'Very high', and this application is missing the 'permissions' attribute in manifest. This is fatal");
}
@@ -196,9 +202,9 @@
throw new LaunchException("Your Extended applets security is at 'high' and this application is missing the 'permissions' attribute in manifest. And you have refused to run it.");
} else {
OutputController.getLogger().log("Your Extended applets security is at 'high' and this application is missing the 'permissions' attribute in manifest. And you have allowed to run it.");
- return;
}
}
+ return;
}
final RequestedPermissionLevel requestedPermissions = file.getRequestedPermissionLevel();
@@ -206,15 +212,7 @@
if (file instanceof PluginBridge) { // HTML applet
if (isNoneOrDefault(requestedPermissions)) {
if (sandboxForced == ManifestBoolean.TRUE && signing != SigningState.NONE) {
- // http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#permissions
- // FIXME: attempting to follow the spec, but it is too late now to actually set the applet
- // to run in sandbox. If we do this the applet will not be run at all, rather than run sandboxed!
- try {
- securityDelegate.setRunInSandbox();
- } catch (final LaunchException e) {
- OutputController.getLogger().log(e);
- throw new LaunchException("The applet is signed but its manifest specifies Sandbox permissions. This is not yet supported. Try running the applet again, but choose the Sandbox run option.", e);
- }
+ securityDelegate.setRunInSandbox();
}
}
} else { // JNLP
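Review bot: dropping the try/catch removes the only log line that recorded an applet being forced into the sandbox by its manifest; now `securityDelegate.setRunInSandbox();` runs silently for a signed applet whose manifest says `Permissions: sandbox`. Add a WARNING_ALL log here naming the applet and the reason, so a user or administrator investigating why a signed applet lost its privileges can see it came from the manifest rather than from the Sandbox run button.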
@@ -229,6 +227,10 @@
}
}
+ private static boolean isLowSecurity() {
+ return AppletStartupSecuritySettings.getInstance().getSecurityLevel().equals(AppletSecurityLevel.ALLOW_UNSIGNED);
+ }
+
private static boolean isNoneOrDefault(final RequestedPermissionLevel requested) {
return requested == RequestedPermissionLevel.NONE || requested == RequestedPermissionLevel.DEFAULT;
}
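Review bot: isLowSecurity() compares the AppletSecurityLevel enum with `.equals()` while the rest of this file (for example the DENY_UNSIGNED test in checkPermissionsAttribute()) uses `==`; use `==` here as well for consistency, and consider reusing this helper in checkPermissionsAttribute() instead of repeating the getSecurityLevel() lookup.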
@@ -306,14 +308,14 @@
return;
}
}
+
ClasspathMatchers att = file.getManifestsAttributes().getApplicationLibraryAllowableCodebase();
-
if (att == null) {
- boolean a = SecurityDialogs.showMissingALACAttributePanel(file.getTitle(), documentBase, usedUrls);
- if (!a) {
+ final boolean userApproved = isLowSecurity() || SecurityDialogs.showMissingALACAttributePanel(file.getTitle(), documentBase, usedUrls);
+ if (!userApproved) {
throw new LaunchException("The application uses non-codebase resources, has no Application-Library-Allowable-Codebase Attribute, and was blocked from running by the user");
} else {
- OutputController.getLogger().log("The application uses non-codebase resources, has no Application-Library-Allowable-Codebase Attribute, and was allowed to run by the user");
+ OutputController.getLogger().log("The application uses non-codebase resources, has no Application-Library-Allowable-Codebase Attribute, and was allowed to run by the user or user's security settings");
return;
}
} else {
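Review bot: `isLowSecurity() || SecurityDialogs.showMissingALACAttributePanel(...)` short-circuits the dialog, so on the "low" level an application with no Application-Library-Allowable-Codebase attribute that loads non-codebase resources is now admitted without any prompt. The log message folds the two outcomes into "allowed to run by the user or user's security settings"; log which one it was (policy vs. explicit click), because for an audit trail a user's decision and a silent policy allowance are very different events. The same applies to the matching-ALAC case in the next hunk.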
@@ -325,11 +327,11 @@
}
}
}
- boolean a = SecurityDialogs.showMatchingALACAttributePanel(file, documentBase, usedUrls);
- if (!a) {
+ final boolean userApproved = isLowSecurity() || SecurityDialogs.showMatchingALACAttributePanel(file, documentBase, usedUrls);
+ if (!userApproved) {
throw new LaunchException("The application uses non-codebase resources, which do match its Application-Library-Allowable-Codebase Attribute, but was blocked from running by the user.");
} else {
- OutputController.getLogger().log("The application uses non-codebase resources, which do match its Application-Library-Allowable-Codebase Attribute, and was allowed to run by the user.");
+ OutputController.getLogger().log("The application uses non-codebase resources, which do match its Application-Library-Allowable-Codebase Attribute, and was allowed to run by the user or user's security settings.");
}
}
}
diff -r 68494e57c151 -r d1584d50c1e9 tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPFileTest.java
--- a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPFileTest.java Fri Aug 01 11:25:28 2014 +0200
+++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPFileTest.java Fri Aug 01 11:29:26 2014 -0400
@@ -129,7 +129,14 @@
/*
* "sandbox" or "all-permissions"
*/
- manifest6.getMainAttributes().put(new Attributes.Name(JNLPFile.ManifestsAttributes.PERMISSIONS), "sandbox");
+ /* TODO: Commented lines with "sandbox" permissions specified are causing failures after
+ * PR1769 ("Permissions: sandbox" manifest attribute) patch is applied. The problem
+ * appears to be that the JarCertVerifier thinks that DummyJNLPFileWithJars are
+ * signed (jcv.isFullySigned() falls into the isTriviallySigned() case) even though
+ * they are completely unsigned. This *may* be only be an issue with DummyJNLPFiles.
+ */
+ // manifest6.getMainAttributes().put(new Attributes.Name(JNLPFile.ManifestsAttributes.PERMISSIONS), "sandbox"); /* commented due to DummyJNLP being "signed" */
+ manifest6.getMainAttributes().put(new Attributes.Name(JNLPFile.ManifestsAttributes.PERMISSIONS), "all-permissions");
manifest6.getMainAttributes().put(new Attributes.Name(JNLPFile.ManifestsAttributes.TRUSTED_LIBRARY), "false");
manifest6.getMainAttributes().put(new Attributes.Name(JNLPFile.ManifestsAttributes.TRUSTED_ONLY), "false");
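Review bot: the TODO states that JarCertVerifier.isFullySigned() falls into the isTriviallySigned() case for a DummyJNLPFileWithJar that is "completely unsigned". That should be confirmed against a real unsigned JAR before this lands, not left as a test-only workaround: a verifier reporting an unsigned JAR as signed is a trust decision going the wrong way, and if it is only a mock artefact the TODO should say which bug tracks fixing the mock. Switching the test to "all-permissions" also means the `sandbox` value of the Permissions attribute is no longer covered by this unit test.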
@@ -180,7 +187,8 @@
Assert.assertEquals("*.com https://*.cz", jnlpFile.getManifestsAttributes().getAttribute(new Attributes.Name(JNLPFile.ManifestsAttributes.APP_LIBRARY_ALLOWABLE)));
Assert.assertEquals("*.net ftp://*uu.co.uk", jnlpFile.getManifestsAttributes().getAttribute(new Attributes.Name(JNLPFile.ManifestsAttributes.CALLER_ALLOWABLE)));
Assert.assertEquals("*.com *.net *.cz *.co.uk", jnlpFile.getManifestsAttributes().getAttribute(new Attributes.Name(JNLPFile.ManifestsAttributes.CODEBASE)));
- Assert.assertEquals(SecurityDesc.RequestedPermissionLevel.SANDBOX.toHtmlString(), jnlpFile.getManifestsAttributes().getAttribute(new Attributes.Name(JNLPFile.ManifestsAttributes.PERMISSIONS)));
+ // Assert.assertEquals(SecurityDesc.RequestedPermissionLevel.SANDBOX.toHtmlString(), jnlpFile.getManifestsAttributes().getAttribute(new Attributes.Name(JNLPFile.ManifestsAttributes.PERMISSIONS))); /* commented due to DummyJNLP being "signed" */
+ Assert.assertEquals(SecurityDesc.RequestedPermissionLevel.ALL.toHtmlString(), jnlpFile.getManifestsAttributes().getAttribute(new Attributes.Name(JNLPFile.ManifestsAttributes.PERMISSIONS)));
Assert.assertEquals("false", jnlpFile.getManifestsAttributes().getAttribute(new Attributes.Name(JNLPFile.ManifestsAttributes.TRUSTED_LIBRARY)));
Assert.assertEquals("false", jnlpFile.getManifestsAttributes().getAttribute(new Attributes.Name(JNLPFile.ManifestsAttributes.TRUSTED_ONLY)));
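Review bot: the replacement assertion checks RequestedPermissionLevel.ALL against the attribute the test itself just set to "all-permissions", so it only verifies round-tripping of the manifest string and says nothing about the sandbox path; a commented-out assertion with a trailing /* commented due to ... */ note is easy to forget. Prefer a TODO with the bug reference, or an explicit @Ignore on a dedicated test method, so the intended SANDBOX assertion is tracked instead of hidden in a comment.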
@@ -206,7 +214,8 @@
Assert.assertEquals(true, jnlpFile.getManifestsAttributes().getCodebase().matches(new URL("ftp://aa.bb.net")));
Assert.assertEquals(true, jnlpFile.getManifestsAttributes().getCodebase().matches(new URL("https://x.net")));
Assert.assertEquals(false, jnlpFile.getManifestsAttributes().getCodebase().matches(new URL("http://aa.bb/com")));
- Assert.assertEquals(JNLPFile.ManifestBoolean.TRUE, jnlpFile.getManifestsAttributes().isSandboxForced());
+ // Assert.assertEquals(JNLPFile.ManifestBoolean.TRUE, jnlpFile.getManifestsAttributes().isSandboxForced()); /* commented due to DummyJNLP being "signed" */
+ Assert.assertEquals(JNLPFile.ManifestBoolean.FALSE, jnlpFile.getManifestsAttributes().isSandboxForced());
Assert.assertEquals(JNLPFile.ManifestBoolean.FALSE, jnlpFile.getManifestsAttributes().isTrustedLibrary());
Assert.assertEquals(JNLPFile.ManifestBoolean.FALSE, jnlpFile.getManifestsAttributes().isTrustedOnly());
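Review bot: asserting isSandboxForced() == FALSE here is the inverse of the guarantee the changeset adds (ManifestAttributesChecker.checkPermissionsAttribute now relies on this value to call setRunInSandbox), so a regression in isSandboxForced() for a real signed JAR would pass this test. Since the unit fixture cannot express it, make sure the PartiallySignedAppletManifestSpecifiesSandbox reproducer added in this changeset has a positive assertion that a signed JAR with Permissions: sandbox actually runs sandboxed without the prompt, and reference it in the comment here.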
diff -r 68494e57c151 -r d1584d50c1e9 tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionSigned.html
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionSigned.html Fri Aug 01 11:29:26 2014 -0400
@@ -0,0 +1,48 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ -->
+<html>
+ <head></head>
+ <body>
+ <applet code="signed.PartiallySignedAppletManifestSpecifiesSandboxSigned"
+ archive="PartiallySignedAppletManifestSpecifiesAllPermissionSigned.jar,PartiallySignedAppletManifestSpecifiesAllPermission.jar"
+ codebase="."
+ width="640"
+ height="480">
+ </applet>
+ </body>
+</html>
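Review bot: the applet's code attribute names signed.PartiallySignedAppletManifestSpecifiesSandboxSigned while the file name and the first archive entry are PartiallySignedAppletManifestSpecifiesAllPermissionSigned; if the all-permissions variant is meant to have its own main class, this page will load the sandbox reproducer's class and the test will not exercise the all-permissions path. Please confirm the class is intentionally shared between the two reproducers, or point code= at the matching class.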
diff -r 68494e57c151 -r d1584d50c1e9 tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionSigned.jnlp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/reproducers/custom/PartiallySignedAppletManifestSpecifiesSandbox/resources/PartiallySignedAppletManifestSpecifiesAllPermissionSigned.jnlp Fri Aug 01 11:29:26 2014 -0400
@@ -0,0 +1,56 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.