EXTREME weirdness - applet writing without permissions

Andrew Azores aazores at redhat.com
Mon Mar 17 16:58:05 UTC 2014


>Hi folks,
>
>here is something really really weird. I have this applet:
>http://tinybrain.de:8080/tb-applet/chat-applet.php
>
>with this source code (you can verify!):
>
><applet id="theapplet" code="net.luaos.tb.tb16.ComputerChatApplet.class"
>width="100%" height="300" alt="Java Applet" archive="magic.jar?3195969">
>  <!--<param name="permissions" value="all-permissions" />-->
></applet>
></div>
>
>Clearly, all-permissions is just a comment. I also get no security dialog
>or anything, so it's a SANDBOXED applet.

How are you determining that it's sandboxed? What version of ITW are you running, and what are your settings in Extended Applet Security (check with itweb-settings)? When I run your applet, I get a dialog informing me that it's a signed applet but that it couldn't be verified - but signed, nonetheless. As far as I can tell based on what I'm seeing in the setup of your applet, this is correct.

>
>However, I can clearly see it accessing my disk. I enter "hello" in the
>chat field, and instantly, a file in ~/.tinybrain is created on my
>partition.
>
>By an untrusted applet.
>
>How's it possible?
>
>Process dump:
>
>stefan     746 32001  0 17:22 ?        00:00:00
>/usr/lib/firefox/plugin-container
>/usr/lib/jvm/java-7-openjdk-i386/jre/lib/i386/IcedTeaPlugin.so -greomni
>/usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir
>/usr/lib/firefox/browser 32001 true plugin
>stefan     754   746  1 17:22 ?        00:00:04
>/usr/lib/jvm/java-7-openjdk-i386/bin/java
>-Xbootclasspath/a:/usr/share/icedtea-web/netx.jar:/usr/share/icedtea-web/plugin.jar
>-classpath /usr/lib/jvm/java-7-openjdk-i386/lib/rt.jar
>sun.applet.PluginMain
>/tmp/icedteaplugin-stefan/746-icedteanp-plugin-to-appletviewer
>/tmp/icedteaplugin-stefan/746-icedteanp-appletviewer-to-plugin
>
>Note: I also use signed applets, using the same .jar, on other pages. Maybe
>that slips through to this applet? But still, it's totally out of spec that
>this applet can write stuff to disk, or is it?

This sounds to me like the root of the confusion here. If your applet resides within a signed JAR, it is treated as if it is signed, unless your applet tag in the HTML specifies that it should be sandboxed anyway [0]. ``If the permissions parameter is not present, signed applets default to "all-permissions" and unsigned applets default to "sandbox".'' If you want this applet to only be able to run with sandbox permissions, without having to specify this in the html, then you need to put it in its own unsigned JAR.

>
>Cheers,
>Stefan

[0] http://docs.oracle.com/javase/tutorial/deployment/applet/html.html

Thanks,

Andrew A
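
The default quoted in the reply above, as an added example that is not part of the original thread or of IcedTea-Web. It reports which permission level an applet deployment asks for, given the applet tag and the JAR. The function and class names are hypothetical. PAGE_TAG is the tag from the message with the quote markers removed. The signature check only looks for signature block files in META-INF and does not validate them.

```python
import re
import zipfile
from html.parser import HTMLParser

# Signature block files a signed JAR carries in META-INF. Presence only:
# validity is a separate question (check it with `jarsigner -verify`).
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)

# Applet tag from the message above; the permissions param is commented out.
PAGE_TAG = '''<applet id="theapplet" code="net.luaos.tb.tb16.ComputerChatApplet.class"
width="100%" height="300" alt="Java Applet" archive="magic.jar?3195969">
  <!--<param name="permissions" value="all-permissions" />-->
</applet>'''


def jar_is_signed(jar):
    """jar is a filesystem path or a binary file object."""
    with zipfile.ZipFile(jar) as zf:
        return any(SIG_BLOCK.match(name) for name in zf.namelist())


class AppletPermissions(HTMLParser):
    """Records the permissions <param> inside <applet>; HTML comments are skipped."""

    def __init__(self):
        super().__init__()
        self.in_applet = False
        self.permissions = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "applet":
            self.in_applet = True
        elif tag == "param" and self.in_applet and attrs.get("name") == "permissions":
            self.permissions = attrs.get("value")

    def handle_endtag(self, tag):
        if tag == "applet":
            self.in_applet = False


def requested_permissions(html, jar):
    """Level the deployment asks for; an explicit param overrides the default."""
    parser = AppletPermissions()
    parser.feed(html)
    if parser.permissions is not None:
        return parser.permissions
    return "all-permissions" if jar_is_signed(jar) else "sandbox"
```

For the tag in this thread, requested_permissions(PAGE_TAG, "magic.jar") returns "all-permissions" when magic.jar carries a signature block file and "sandbox" when it does not.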

