EXTREME weirdness - applet writing without permissions

Stefan Reich stefan.reich.maker.of.eye at googlemail.com
Mon Mar 17 17:06:44 UTC 2014


Oh... OK. So I misunderstood (mis-guessed) the spec. I see!

So I'll have to put an unsigned applet there to have it sandboxed.

Thanks for investigating,
Stefan


On Mon, Mar 17, 2014 at 5:58 PM, Andrew Azores <aazores at redhat.com> wrote:

> >Hi folks,
> >
> >here is something really really weird. I have this applet:
> >http://tinybrain.de:8080/tb-applet/chat-applet.php
> >
> >with this source code (you can verify!):
> >
> ><applet id="theapplet" code="net.luaos.tb.tb16.ComputerChatApplet.class"
> >width="100%" height="300" alt="Java Applet" archive="magic.jar?3195969">
> >  <!--<param name="permissions" value="all-permissions" />-->
> ></applet>
> ></div>
> >
> >Clearly, all-permissions is just a comment. I also get no security dialog
> >or anything, so it's a SANDBOXED applet.
>
> How are you determining that it's sandboxed? What version of ITW are you
> running, and what are your settings in Extended Applet Security (check with
> itweb-settings)? When I run your applet, I get a dialog informing me that
> it's a signed applet but that it couldn't be verified - but signed,
> nonetheless. As far as I can tell based on what I'm seeing in the setup of
> your applet, this is correct.
>
> >
> >However, I can clearly see it accessing my disk. I enter "hello" in the
> >chat field, and instantly, a file in ~/.tinybrain is created on my
> >partition.
> >
> >By an untrusted applet.
> >
> >How's it possible?
> >
> >Process dump:
> >
> >stefan     746 32001  0 17:22 ?        00:00:00
> >/usr/lib/firefox/plugin-container
> >/usr/lib/jvm/java-7-openjdk-i386/jre/lib/i386/IcedTeaPlugin.so -greomni
> >/usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir
> >/usr/lib/firefox/browser 32001 true plugin
> >stefan     754   746  1 17:22 ?        00:00:04
> >/usr/lib/jvm/java-7-openjdk-i386/bin/java
> >-Xbootclasspath/a:/usr/share/icedtea-web/netx.jar:/usr/share/icedtea-web/plugin.jar
> >-classpath /usr/lib/jvm/java-7-openjdk-i386/lib/rt.jar
> >sun.applet.PluginMain
> >/tmp/icedteaplugin-stefan/746-icedteanp-plugin-to-appletviewer
> >/tmp/icedteaplugin-stefan/746-icedteanp-appletviewer-to-plugin
> >
> >Note: I also use signed applets, using the same .jar, on other pages. Maybe
> >that slips through to this applet? But still, it's totally out of spec that
> >this applet can write stuff to disk, or is it?
>
> This sounds to me like the root of the confusion here. If your applet
> resides within a signed JAR, it is treated as if it is signed, unless your
> applet tag in the HTML specifies that it should be sandboxed anyway [0].
> ``If the permissions parameter is not present, signed applets default to
> "all-permissions" and unsigned applets default to "sandbox".'' If you want
> this applet to only be able to run with sandbox permissions, without having
> to specify this in the html, then you need to put it in its own unsigned
> JAR.
>
> >
> >Cheers,
> >Stefan
>
> [0] http://docs.oracle.com/javase/tutorial/deployment/applet/html.html
>
> Thanks,
>
> Andrew A
>
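
The default rule quoted in the reply above, as an added example that is not part of the thread and not IcedTea-Web's code: it audits an applet tag together with its JAR and reports which permission level applies. The function names and the JAR contents are constructed for illustration, and the signature check only looks for signature files, it does not verify them.

```python
import io
import zipfile
from html.parser import HTMLParser

class AppletParams(HTMLParser):
    """Collect <param> pairs inside <applet>; commented-out markup never reaches handle_starttag."""
    def __init__(self):
        super().__init__()
        self.in_applet, self.params = False, {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self.in_applet = True
        elif tag == "param" and self.in_applet and a.get("name"):
            self.params[a["name"].lower()] = a.get("value") or ""
    def handle_endtag(self, tag):
        if tag == "applet":
            self.in_applet = False

def jar_is_signed(jar_bytes):
    """True if META-INF has a .SF file with a matching .RSA/.DSA/.EC block (presence only)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = {n.upper() for n in jar.namelist()
                 if n.upper().startswith("META-INF/") and n.count("/") == 1}
    return any(n.endswith(".SF") and any(n[:-3] + ext in names for ext in (".RSA", ".DSA", ".EC"))
               for n in names)

def permission_level(html, jar_bytes):
    """Explicit 'permissions' param if the tag has one (returned as requested, not evaluated
    further); otherwise the quoted default: signed -> all-permissions, unsigned -> sandbox."""
    parser = AppletParams()
    parser.feed(html)
    requested = parser.params.get("permissions")
    if requested is not None:
        return requested
    return "all-permissions" if jar_is_signed(jar_bytes) else "sandbox"

def make_jar(names):
    """Build a constructed in-memory JAR whose entries hold placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"constructed placeholder")
    return buf.getvalue()

# The tag from the message (param commented out) and a variant that requests the sandbox.
PAGE_TAG = ('<applet code="net.luaos.tb.tb16.ComputerChatApplet.class" archive="magic.jar?3195969">'
            '<!--<param name="permissions" value="all-permissions" />--></applet>')
SANDBOX_TAG = PAGE_TAG.replace("<!--", "").replace("-->", "").replace("all-permissions", "sandbox")
SIGNED_JAR = make_jar(["META-INF/MANIFEST.MF", "META-INF/SIGNER.SF", "META-INF/SIGNER.RSA", "A.class"])
UNSIGNED_JAR = make_jar(["META-INF/MANIFEST.MF", "A.class"])
```
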