[rfc][icedtea-web] implemented Application-Library-Allowable-Codebase Attribute
Jiri Vanek
jvanek at redhat.com
Thu Feb 27 09:11:43 PST 2014
Hi!
Implementation of the Application-Library-Allowable-Codebase attribute. Well, it grew a bit.
The implementation itself is as straightforward as the terrible "specification" allowed (please,
reviewer, study the specification too :( ).
However, many workarounds were needed:
* netx/net/sourceforge/jnlp/JNLPFile.java and
netx/net/sourceforge/jnlp/util/ClasspathMatcher.java: It appeared that this attribute honors the path
in the pattern. Luckily the matcher was prepared for it, and now it is just conditionally enabled.
* dialogues - still the same with one detail - the remember option does not work. I'm not sure if I
want to use the already implemented whitelist from Extended Applets Security... Well, why not? Because
all allowed applets will be able to run remote context... But well... why not? If I reuse it, then
MatchingALACAttributePanel will be reworked.
* netx/net/sourceforge/jnlp/util/UrlUtils.java - this was most unlucky - two new utility methods -
to remove the file name from the URL path, and to compare URLs no matter whether there is a trailing slash.
- the extraction of the name is for the purpose of finding the URI of its location, which is then matched
against the attribute
- the comparison without the trailing slash is not so clear - there is only one use case of it:
+ if (usedUrls.size() == 1) {
+ if (UrlUtils.equalsIgnoreLastSlash(usedUrls.toArray(new URL[]{})[0], codebase)
+ && UrlUtils.equalsIgnoreLastSlash(usedUrls.toArray(new URL[]{})[0],
documentBase)) {
+ //all resoources are from codebase or document base. it is ok to proceeed.
+ OutputController.getLogger().log("All applications resources (" +
usedUrls.toArray(new URL[]{})[0] + ") are from codebas/documentbase " + codebase + "/" +
documentBase + ", skipping Application-Library-Allowable-Codebase Attribute check.");
+ return;
+ }
+ }
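Review bot: the comment on the early return says "from codebase or document base", but the condition joins the two equalsIgnoreLastSlash calls with &&, so the Application-Library-Allowable-Codebase check is skipped only when the single used URL equals both codebase and documentBase. Please make the comment and the log message say "and", or explain why both must match, since this return bypasses the attribute check entirely. The expression usedUrls.toArray(new URL[]{})[0] is also evaluated three times; a local variable such as `URL onlyUrl = usedUrls.iterator().next();` would read better. The comment and log text contain typos ("resoources", "proceeed", "codebas").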
It happened that different applications do or do not have the trailing slash on the codebase, and so the
implementation of removeFileName was burdened with keeping the trailing slash or not. This is a workaround.
*However*, I'm hesitating about how to deal with it in the Matcher. I adapted it (if comparison of paths is
true) so that some.url/some/path matches both some.url/some/path/ and some.url/some/path, but
some.url/some/path/ does not match some.url/some/path (it matches only some.url/some/path/).
I consider it the lowest evil... :(
All should be unit-tested as much as possible.
I'm still taking a deep breath before doing reproducers for both this and permissions.
Thanx in advance,
J.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: alaca_01.patch
Type: text/x-patch
Size: 46870 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140227/b51a3048/alaca_01-0001.patch
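
The trailing-slash rules described in the message above, as an added Java illustration that is not taken from alaca_01.patch or from IcedTea-Web. The names removeFileName and equalsIgnoreLastSlash come from the message; their bodies, the pathMatches helper, the literal (wildcard-free) comparison and the sample URLs are assumptions constructed here.

```java
import java.net.URI;

// Added illustration; method bodies are assumptions, not the IcedTea-Web code.
public class TrailingSlashDemo {

    // Strip the file name so the URL names the directory the resource lives in.
    // Query and fragment are dropped; the directory's trailing slash is kept.
    static String removeFileName(String url) {
        URI u = URI.create(url);
        String path = u.getRawPath() == null ? "" : u.getRawPath();
        String dir = path.substring(0, path.lastIndexOf('/') + 1);
        return u.getScheme() + "://" + u.getRawAuthority() + dir;
    }

    static String stripLastSlash(String s) {
        return s.endsWith("/") ? s.substring(0, s.length() - 1) : s;
    }

    // Symmetric: for codebase/documentBase values that may or may not end with '/'.
    static boolean equalsIgnoreLastSlash(String a, String b) {
        return stripLastSlash(a).equals(stripLastSlash(b));
    }

    // Asymmetric rule from the message: a pattern without a trailing slash accepts
    // both forms of the location; a pattern with one accepts only the slashed form.
    // Hypothetical helper; the real matcher also handles wildcards, this one does not.
    static boolean pathMatches(String pattern, String location) {
        return pattern.endsWith("/")
                ? pattern.equals(location)
                : pattern.equals(stripLastSlash(location));
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String jar = "http://some.url/some/path/app.jar";
        String dir = removeFileName(jar);
        System.out.println("location of jar: " + dir);
        System.out.println("equal ignoring last slash: "
                + equalsIgnoreLastSlash(dir, "http://some.url/some/path"));
        String[] patterns = {"http://some.url/some/path", "http://some.url/some/path/"};
        // The last location shares a string prefix with the pattern but is a
        // different directory, so an exact comparison must reject it.
        String[] locations = {"http://some.url/some/path", "http://some.url/some/path/",
                "http://some.url/some/pathology/"};
        for (String p : patterns)
            for (String l : locations)
                System.out.println(p + " vs " + l + " -> " + pathMatches(p, l));
    }
}
```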