[rfc][icedteaweb] Support for Entry-Point manifest attribute
Jacob Wisor
gitne at gmx.de
Wed Mar 4 09:01:10 UTC 2015
Hello there! :-)
On 02/25/2015 06:25 PM, Jiri Vanek wrote:
> On 02/25/2015 06:19 PM, Jiri Vanek wrote:
>> Hello, this is impl of another security manifest att:
>> http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#entry_pt
>>
>> I would like to go with it to 1.5 too.
>>
>> Speaking about the attributes:
>> does http://www.geogebra.org/webstart/geogebra.jnlp library loading promt
>> seems correct to you?
>>
>> J.
> Crap - improved one
>
> The check is valid only if RIA is signed. I had it removed for testing...
> diff -r b053e7638d7f netx/net/sourceforge/jnlp/JNLPFile.java
> --- a/netx/net/sourceforge/jnlp/JNLPFile.java Wed Feb 25 15:40:44 2015 +0100
> +++ b/netx/net/sourceforge/jnlp/JNLPFile.java Wed Feb 25 18:23:18 2015 +0100
> @@ -900,6 +900,8 @@
> public static final String CODEBASE = "Codebase";
> public static final String TRUSTED_ONLY = "Trusted-Only";
> public static final String TRUSTED_LIBRARY = "Trusted-Library";
> + public static final String ENTRY_POINT="Entry-Point";
> +
> private JNLPClassLoader loader;
>
>
> @@ -925,6 +927,18 @@
> return loader.getMainClass();
> }
>
> + /**
> + *
> + * http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#entry_pt
> + */
> + public String[] getEntryPoints() {
> + return splitEntryPoints(getEntryPointString());
> + }
> +
> + public String getEntryPointString() {
> + return getAttribute(ENTRY_POINT);
Warning: This effectively searches *all* JAR resource files for an Entry-Point
attribute if the "main JAR" file's manifest does not have an Entry-Point attribute.
getAttribute(ENTRY_POINT) -> JNLPFile.getAttribute(new Attributes.Name(name)) ->
JNLPFile.loader.checkForAttributeInJars(Arrays.asList(getResources().getJARs()),
name)
So, even though JNLPClassLoader.checkForAttributeInJars() checks the main JAR
file (whatever this might be, I guess this is the /first/ JAR file with a proper
Main-Class attribute in its manifest) for the Entry-Point attribute first, this
JAR file may not actually have one. Then, it goes on checking all other resource
JAR files and one of them may have one. Although an application suite of JAR
files could theoretically cross-reference entry points (main classes) over
different JAR files, I do not think this is legal and is not intended by the
specification. We should make sure that no cross-referencing in JAR files is
allowed, in other words that Entry-Point as well as Main-Class attributes can
only reference classes in the local JAR file. I may be wrong but you should
definitely create a test for this.
> + }
> +
> /**
> * http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#app_name
> */
> @@ -1047,8 +1061,8 @@
> }
> }
> }
> - }
> -
> + }
> +
> public String createJnlpVendorValue() {
> final String location;
> if (getSourceLocation() != null) {
> @@ -1088,7 +1102,17 @@
> return createJnlpTitleValue();
> }
> return getTitle() + " from " + createJnlpTitleValue();
> -
> + }
> +
> + static String[] splitEntryPoints(String eps) {
> + if (eps == null || eps.trim().isEmpty()) {
> + return null;
> + }
> + String[] result = eps.trim().split("\\s+");
This is actually supposed to be splitting *fully* *qualified* *class* *names*,
not just arbitrary strings separated by an arbitrary count of white space
([ \t\n\x0B\f\r])characters. In fact, the specification speaks of exactly *a*
*space*. This reads to me like exactly *one* *space* (U+0020) character.
java.util.jar.Attributes.Name take care of checking proper formatting of the
Entry-Point attribute name. But what about the proper formatting of the value?
So I guess IcedTea-Web fails only when it comes to actually loading the classes
or something that is supposed to be a fully qualified class name. Hence, one
could get away with non-existent class names, class names in other JAR files, or
whatever string garbage as long as it is separated by white spaces. I don't
know, this seems a little bit over tolerant for me, more like lax than tolerant.
Besides, please try giving a thought about context meaningful names, like
entryPointAttributeValue for eps and splitEntryPoints for result.
> + if (result.length == 0) {
> + return null;
> + }
> + return result;
return result.length > 0 ? result : null; ;-)
> }
> }
>
> diff -r b053e7638d7f netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java
> --- a/netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java Wed Feb 25 15:40:44 2015 +0100
> +++ b/netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java Wed Feb 25 18:23:18 2015 +0100
> @@ -81,6 +81,7 @@
> checkCodebaseAttribute();
> checkPermissionsAttribute();
> checkApplicationLibraryAllowableCodebaseAttribute();
> + checkEntryPoint();
> } else {
> OutputController.getLogger().log(OutputController.Level.WARNING_ALL, "Manifest attribute checks are disabled.");
> }
> @@ -90,6 +91,28 @@
> final String deploymentProperty = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK);
> return Boolean.parseBoolean(deploymentProperty);
> }
> +
> + /*
> + * http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#entry_pt
> + */
> + private void checkEntryPoint() throws LaunchException {
> + if (signing == SigningState.NONE) {
> + return; /*when app is not signed at all, then skip this check*/
> + }
> + final String[] eps = file.getManifestsAttributes().getEntryPoints();
> + String mainClass = file.getLaunchInfo().getMainClass();
> + if (eps == null) {
> + OutputController.getLogger().log(OutputController.Level.MESSAGE_DEBUG, "Entry-Point manifest attribute for yours '" + mainClass + "'not found. Continuing.");
> + return;
> + }
> + for (String ep : eps) {
> + if (ep.equals(mainClass)) {
> + OutputController.getLogger().log(OutputController.Level.MESSAGE_DEBUG, "Entry-Point od " + ep + " mathches " + mainClass + " continuing.");
> + return;
> + }
> + }
> + throw new LaunchException("None of '" + file.getManifestsAttributes().getEntryPointString() + "' matched yours " + mainClass + ". Thats fatal.");
> + }
So, no check for fully qualified (and locally existing) class names even here?
Please test this patch more thoroughly.
Jacob
More information about the distro-pkg-dev
mailing list