[rfc][icedtea-web] u51 classpath manifest entry implementation

[Jiri Vanek]

On 03/31/2014 09:29 PM, Omair Majid wrote:
> * Jiri Vanek <jvanek at redhat.com> [2014-02-05 13:16]:
>> So here is first impelmentation of more complex D-I-D manifest attributes:
>> http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html
>>
>> the codebase
>>
>> http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#codebase
>>
>> The classapth matcher is quite complex, as its going to be reused in
>> Application-Library-Allowable-Codebase and Caller-Allowable-Codebase Attribute
>
>> +        if (s.startsWith("*") && s.endsWith("*")) {
>> +            return "^.*\\Q" + s.substring(1, s.length() - 1) + "\\E.*$";
>> +        } else if (s.endsWith("*")) {
>> +            return "^\\Q" + s.substring(0, s.length() - 1) + "\\E.*$";
>> +
>> +        } else if (s.startsWith("*")) {
>> +            return "^.*\\Q" + s.substring(1) + "\\E$";
>> +
>> +        } else {
>> +            return "^\\Q" + s + "\\E$";
>> +        }
>
> Sorry for spotting this so late, but I think creating regular
> expressions by string concatenation without sanitizing the input string
> is a bad idea. Just like SQL-injection, this allows users to craft
> special strings that contain \Q and \E to bypass/workaround our checks
> and restrictions.

Nice catch!

like this?
(as atatched)

Thanx!
>
> Please use Pattern.quote [1].
>
> Thanks,
> Omair
>
> [1] http://docs.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html#quote(java.lang.String)
>

-------------- next part --------------
diff -r dc0a77856cb4 netx/net/sourceforge/jnlp/util/ClasspathMatcher.java
--- a/netx/net/sourceforge/jnlp/util/ClasspathMatcher.java	Mon Mar 31 13:27:48 2014 -0400
+++ b/netx/net/sourceforge/jnlp/util/ClasspathMatcher.java	Mon Mar 31 21:44:30 2014 +0200
@@ -318,22 +318,20 @@
         }
         /*
          * coment for lazybones:
-         * \Q is start of citation
-         * \E is end of citation
-         *  - all characters in citation are threated as are without any special meaning
+         *  Pattern.quote - all characters in citation are threated as are without any special meaning
          * ^ is start of th e line
          * $ is end of the line
          */
         if (s.startsWith("*") && s.endsWith("*")) {
-            return "^.*\\Q" + s.substring(1, s.length() - 1) + "\\E.*$";
+            return "^.*" + Pattern.quote(s.substring(1, s.length() - 1)) + ".*$";
         } else if (s.endsWith("*")) {
-            return "^\\Q" + s.substring(0, s.length() - 1) + "\\E.*$";
+            return "^" + Pattern.quote(s.substring(0, s.length() - 1)) + ".*$";
 
         } else if (s.startsWith("*")) {
-            return "^.*\\Q" + s.substring(1) + "\\E$";
+            return "^.*" + Pattern.quote(s.substring(1)) + "$";
 
         } else {
-            return "^\\Q" + s + "\\E$";
+            return "^" + Pattern.quote(s) + "$";
         }
     }