/hg/icedtea-web: Fix for TemporaryPermissionsButton NPE on HTTPS...

aazores at icedtea.classpath.org aazores at icedtea.classpath.org
Sat Sep 13 17:23:40 UTC 2014 

changeset 90faf53bb981 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=90faf53bb981
author: Andrew Azores <aazores at redhat.com>
date: Sat Sep 13 13:23:26 2014 -0400

	Fix for TemporaryPermissionsButton NPE on HTTPS Cert warnings

	2014-09-13  Andrew Azores  <aazores at redhat.com>

		* netx/net/sourceforge/jnlp/resources/Messages.properties
		(CertWarnHTTPSAcceptTip, CertWarnHTTPSRejectTip): new messages more
		applicable for HTTPS cert warning dialogs
		* netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java:
		distinguish between HTTPS cert warnings and signed applet cert warnings.
		Display appropriate text labels and buttons corresponding to either case.
		* netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java:
		remove assertions for non-null file, securityDelegate, and linkedButton.
		Instead, if any are null, simply disable this component and do not add
		component listeners dependent upon these fields.


diffstat:

 ChangeLog                                                                  |  13 +++
 netx/net/sourceforge/jnlp/resources/Messages.properties                    |   2 +
 netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java            |  41 +++++++--
 netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java |  32 +++++--
 4 files changed, 67 insertions(+), 21 deletions(-)

diffs (164 lines):

diff -r e30d71ab91c6 -r 90faf53bb981 ChangeLog
--- a/ChangeLog	Wed Sep 10 10:22:46 2014 -0400
+++ b/ChangeLog	Sat Sep 13 13:23:26 2014 -0400
@@ -1,3 +1,16 @@
+2014-09-13  Andrew Azores  <aazores at redhat.com>
+
+	* netx/net/sourceforge/jnlp/resources/Messages.properties
+	(CertWarnHTTPSAcceptTip, CertWarnHTTPSRejectTip): new messages more
+	applicable for HTTPS cert warning dialogs
+	* netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java:
+	distinguish between HTTPS cert warnings and signed applet cert warnings.
+	Display appropriate text labels and buttons corresponding to either case.
+	* netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java:
+	remove assertions for non-null file, securityDelegate, and linkedButton.
+	Instead, if any are null, simply disable this component and do not add
+	component listeners dependent upon these fields.
+
 2014-09-10  Lukasz Dracz  <ldracz at redhat.com>
 
 	Refactor of the cache panel GUI in itweb-settings
diff -r e30d71ab91c6 -r 90faf53bb981 netx/net/sourceforge/jnlp/resources/Messages.properties
--- a/netx/net/sourceforge/jnlp/resources/Messages.properties	Wed Sep 10 10:22:46 2014 -0400
+++ b/netx/net/sourceforge/jnlp/resources/Messages.properties	Sat Sep 13 13:23:26 2014 -0400
@@ -25,6 +25,8 @@
 CertWarnCancelTip=Do not run this applet
 CertWarnPolicyTip=Advanced sandbox settings
 CertWarnPolicyEditorItem=Launch PolicyEditor
+CertWarnHTTPSAcceptTip=Accept this certificate and trust the HTTPS connection
+CertWarnHTTPSRejectTip=Do not accept this certificate and do not establish the HTTPS connection
 
 AFileOnTheMachine=a file on the machine
 AlwaysAllowAction=Always allow this action
diff -r e30d71ab91c6 -r 90faf53bb981 netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java
--- a/netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java	Wed Sep 10 10:22:46 2014 -0400
+++ b/netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java	Sat Sep 13 13:23:26 2014 -0400
@@ -224,7 +224,8 @@
         infoPanel.add(nameLabel);
         infoPanel.add(publisherLabel);
 
-        if (!(certVerifier instanceof HttpsCertVerifier)) {
+        final boolean isHttpsCertTrustDialog = certVerifier instanceof HttpsCertVerifier;
+        if (!isHttpsCertTrustDialog) {
             infoPanel.add(fromLabel);
         }
 
@@ -233,15 +234,34 @@
 
         //run and cancel buttons
         buttonPanel = new JPanel(new FlowLayout(FlowLayout.RIGHT));
-        run = new JButton(R("ButRun"));
+        run = new JButton();
+        if (isHttpsCertTrustDialog) {
+            run.setText(R("ButYes"));
+        } else {
+            run.setText(R("ButRun"));
+        }
         sandbox = new JButton(R("ButSandbox"));
         advancedOptions = new TemporaryPermissionsButton(file, securityDelegate, sandbox);
-        cancel = new JButton(R("ButCancel"));
 
-        run.setToolTipText(R("CertWarnRunTip"));
+        cancel = new JButton();
+        if (isHttpsCertTrustDialog) {
+            cancel.setText(R("ButNo"));
+        } else {
+            cancel.setText(R("ButCancel"));
+        }
+
+        if (isHttpsCertTrustDialog) {
+            run.setToolTipText(R("CertWarnHTTPSAcceptTip"));
+        } else {
+            run.setToolTipText(R("CertWarnRunTip"));
+        }
         sandbox.setToolTipText(R("CertWarnSandboxTip"));
         advancedOptions.setToolTipText(R("CertWarnPolicyTip"));
-        cancel.setToolTipText(R("CertWarnCancelTip"));
+        if (isHttpsCertTrustDialog) {
+            cancel.setToolTipText(R("CertWarnHTTPSRejectTip"));
+        } else {
+            cancel.setToolTipText(R("CertWarnCancelTip"));
+        }
 
         alwaysTrust.addActionListener(new ButtonDisableListener(sandbox));
         int buttonWidth = Math.max(run.getMinimumSize().width,
@@ -266,11 +286,12 @@
 
         initialFocusComponent = cancel;
         buttonPanel.add(run);
-        // file will be null iff this dialog is being called from VariableX509TrustManager.
-        // In this case, the "sandbox" button does not make any sense, as we are asking
-        // the user if they trust some certificate that is not being used to sign an app.
-        // Since there is no app, there is nothing to run sandboxed.
-        if (file != null) {
+        // Only iff this dialog is being invoked by VariableX509TrustManager.
+        // In this case, the "sandbox" button and temporary permissions do not make any sense,
+        // as we are asking the user if they trust some certificate that is not being used to sign an app
+        // (eg "do you trust this certificate presented for the HTTPS connection to the applet's host site")
+        // Since this dialog isn't talking about an applet/application, there is nothing to run sandboxed.
+        if (!isHttpsCertTrustDialog) {
             buttonPanel.add(sandbox);
             buttonPanel.add(advancedOptions);
         }
diff -r e30d71ab91c6 -r 90faf53bb981 netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java
--- a/netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java	Wed Sep 10 10:22:46 2014 -0400
+++ b/netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java	Sat Sep 13 13:23:26 2014 -0400
@@ -49,7 +49,6 @@
 import java.security.Permission;
 import java.util.Collection;
 import java.util.HashSet;
-import java.util.Objects;
 
 import javax.swing.AbstractButton;
 import javax.swing.JButton;
@@ -64,6 +63,7 @@
 import net.sourceforge.jnlp.security.policyeditor.PolicyEditor;
 import net.sourceforge.jnlp.security.policyeditor.PolicyEditor.PolicyEditorWindow;
 import net.sourceforge.jnlp.security.policyeditor.PolicyEditorPermissions;
+import net.sourceforge.jnlp.util.logging.OutputController;
 
 public class TemporaryPermissionsButton extends JButton {
 
@@ -75,22 +75,32 @@
     private final Collection<Permission> temporaryPermissions = new HashSet<>();
 
     public TemporaryPermissionsButton(final JNLPFile file, final SecurityDelegate securityDelegate, final JButton linkedButton) {
+        /* If any of the above parameters are null, then the button cannot function - in particular, a null SecurityDelegate
+         * would prevent temporary permissions from being able to be added; a null JNLPFile would prevent PolicyEditor from
+         * being launched with a sensible codebase for the current applet; and a null JButton would prevent the Sandbox button
+         * from being automatically invoked when a set of temporary permissions are selected by the user.
+         */
         super("\u2630");
-        Objects.requireNonNull(file);
-        Objects.requireNonNull(securityDelegate);
-        Objects.requireNonNull(linkedButton);
         this.menu = createPolicyPermissionsMenu();
         this.linkedButton = linkedButton;
         this.file = file;
         this.securityDelegate = securityDelegate;
 
-        linkedButton.addActionListener(new ActionListener() {
-            @Override
-            public void actionPerformed(ActionEvent e) {
-                securityDelegate.addPermissions(temporaryPermissions);
-            }
-        });
-        addMouseListener(new PolicyEditorPopupListener(this));
+        if (file == null || securityDelegate == null || linkedButton == null) {
+            this.setEnabled(false);
+            OutputController.getLogger().log(OutputController.Level.MESSAGE_DEBUG, "Temporary Permissions Button disabled due to null fields."
+                    + " file: " + file
+                    + ", securityDelegate: " + securityDelegate
+                    + ", linkedButton: " + linkedButton);
+        } else {
+            linkedButton.addActionListener(new ActionListener() {
+                @Override
+                public void actionPerformed(ActionEvent e) {
+                    securityDelegate.addPermissions(temporaryPermissions);
+                }
+            });
+            addMouseListener(new PolicyEditorPopupListener(this));
+        }
     }
 
     private JPopupMenu createPolicyPermissionsMenu() {

More information about the distro-pkg-dev mailing list