/hg/icedtea-web: 4 new changesets
jvanek at icedtea.classpath.org
Thu Oct 8 09:52:28 UTC 2015
changeset 504f388af8f8 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=504f388af8f8
author: Jiri Vanek <jvanek at redhat.com>
date: Wed Oct 07 19:27:04 2015 +0200
Testserver enhanced to work also in hostname mode or ip mode
changeset f8ea40cc063d in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=f8ea40cc063d
author: Jiri Vanek <jvanek at redhat.com>
date: Thu Oct 08 10:41:44 2015 +0200
All connection restrictions now consider also port
changeset 0436c24f6f29 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=0436c24f6f29
author: Jiri Vanek <jvanek at redhat.com>
date: Thu Oct 08 11:26:35 2015 +0200
Tuned SOP reproducer to check also resource's connection and to work on localhost
changeset 2682417d5671 in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=2682417d5671
author: Jiri Vanek <jvanek at redhat.com>
date: Thu Oct 08 11:52:14 2015 +0200
NEWS: mentioned restriction about ports
diffstat:
ChangeLog | 67 +
Makefile.am | 9 +-
NEWS | 1 +
netx/net/sourceforge/jnlp/Parser.java | 2 +-
netx/net/sourceforge/jnlp/PluginBridge.java | 2 +-
netx/net/sourceforge/jnlp/SecurityDesc.java | 15 +-
netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java | 32 +-
netx/net/sourceforge/jnlp/util/UrlUtils.java | 12 +
plugin/icedteanp/java/sun/applet/PluginAppletViewer.java | 9 +-
tests/netx/unit/net/sourceforge/jnlp/SecurityDescTest.java | 4 +-
tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java | 32 +
tests/reproducers/signed/SOPBypassSigned/srcs/SOPBypassSigned.java | 40 +-
tests/reproducers/simple/SOPBypass/srcs/SOPBypass.java | 42 +-
tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassBeforeAndAfterChunks.java | 112 +
tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassHtmlAppletTest.java | 292 ++--
tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassJnlpAppletTest.java | 227 +--
tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassJnlpAppletTestWithHtmlSwitch.java | 286 ++--
tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassSignedHtmlAppletTest.java | 274 ++--
tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassSignedJnlpAppletTest.java | 261 ++--
tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassSignedJnlpAppletTestWithHtmlSwitch.java | 267 ++--
tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassUtil.java | 565 ++++++++-
tests/test-extensions/net/sourceforge/jnlp/ServerAccess.java | 3 +
tests/test-extensions/net/sourceforge/jnlp/ServerLauncher.java | 69 +-
tests/test-extensions/net/sourceforge/jnlp/tools/DeploymentPropertiesModifier.java | 2 +-
24 files changed, 1630 insertions(+), 995 deletions(-)
diffs (truncated from 3902 to 500 lines):
diff -r c98095a2fb46 -r 2682417d5671 ChangeLog
--- a/ChangeLog Fri Oct 02 15:56:55 2015 +0200
+++ b/ChangeLog Thu Oct 08 11:52:14 2015 +0200
@@ -1,3 +1,70 @@
+2015-10-08 Jiri Vanek <jvanek at redhat.com>
+
+ * NEWS: mentioned restriction about ports
+
+2015-10-08 Jiri Vanek <jvanek at redhat.com>
+
+ Tuned SOP reproducer to check also resource's connection and to work on localhost
+ * .Makefile: added target (run-test-server-on-itwtestsport) which lunches
+ testserver on $ITWTESTSPORT port
+ * tests/reproducers/signed/SOPBypassSigned/srcs/SOPBypassSigned.java:
+ addapted to support resource's location
+ * tests/reproducers/simple/SOPBypass/srcs/SOPBypass.java: same
+ * tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassBeforeAndAfterChunks.java:
+ extracted @before and @after hunks from other testcases to avoid duplicated code.
+ All test servers for this case are run in HOSTNAME mode to enforce visibility
+ of calls from localhost to localhost. Added utility methods above its instances,
+ deployment modifiers forces verbose (same reason)
+ * tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassHtmlAppletTest.java:
+ adapted to new api and added assertNoResourcesConnection/assertResourcesConnection
+ * tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassJnlpAppletTest.java:
+ same
+ * tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassJnlpAppletTestWithHtmlSwitch.java:
+ same
+ * tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassSignedHtmlAppletTest.java:
+ same
+ * tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassSignedJnlpAppletTest.java:
+ same
+ * tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassSignedJnlpAppletTestWithHtmlSwitch.java:
+ same
+ * tests/reproducers/simple/SOPBypass/testcases/sopbypasstests/SOPBypassUtil.java:
+ added logic to serve assertNoResourcesConnection/assertResourcesConnection.
+ Changed evaluation logic. To workaround ignorance of AccessDenied exception
+ from calls from localhost to localhost the check on pass fail is done in different way.
+ If connection is not expected, then no security exception is allowed to appear
+ nor "Denying permissions ..." string is allowed to appear.
+ If connection is expected, then appearance of security exception or
+ "Denying permissions ..." string is considered as failure.
+
+
+2015-10-07 Jiri Vanek <jvanek at redhat.com>
+
+ All connection restrictions now consider also port
+ * netx/net/sourceforge/jnlp/SecurityDesc.java: downloadHost redeclared to URL
+ and made final. All set/gets adapted
+ * netx/net/sourceforge/jnlp/Parser.java: (base) passes url to SecurityDesc
+ * netx/net/sourceforge/jnlp/PluginBridge.java: (PluginBridge) same
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: same
+ * plugin/icedteanp/java/sun/applet/PluginAppletViewer.java: (getApplet)
+ (getApplets) same
+ * netx/net/sourceforge/jnlp/util/UrlUtils.java: added methods sanitizePort and
+ getPort, which always returns port. If no port goes in, default port is going
+ out. Added getHostAndPort which returns host also with port.
+ * tests/netx/unit/net/sourceforge/jnlp/SecurityDescTest.java: adapted to new api
+ * tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java: tested new methods
+
+2015-10-07 Jiri Vanek <jvanek at redhat.com>
+
+ Testserver enhanced to work also in hostname mode or ip mode
+ * tests/test-extensions/net/sourceforge/jnlp/ServerAccess.java: added enum
+ declared constants for localhost, default protocol (http) and default
+ ip address (127.0.0.1)
+ * tests/test-extensions/net/sourceforge/jnlp/ServerLauncher.java: added enum
+ ServerNaming determining state, whether it respond as localhost, 127.0.0.1 or host-name
+ Added getter for each state, added getter to return all types. Added toString method
+ (stop) now reports what was stopped
+ * tests/test-extensions/net/sourceforge/jnlp/tools/DeploymentPropertiesModifier.java:
+
2015-10-02 Jiri Vanek <jvanek at redhat.com>
Fixed possible segfault during files on and debug on
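Review bot: the last new entry, for tests/test-extensions/net/sourceforge/jnlp/tools/DeploymentPropertiesModifier.java, ends at the colon with no description of what changed there, so please add one. The UrlUtils.java entry also names the new method "sanitizePort", while the code in this patch adds getSanitizedPort; the ChangeLog should use the real method name so it can be grepped. Minor: ".Makefile" should presumably read Makefile.am, and "lunches" and "addapted" are typos.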
diff -r c98095a2fb46 -r 2682417d5671 Makefile.am
--- a/Makefile.am Fri Oct 02 15:56:55 2015 +0200
+++ b/Makefile.am Thu Oct 08 11:52:14 2015 +0200
@@ -1399,7 +1399,14 @@
cd $(TEST_EXTENSIONS_DIR) ; \
CLASSPATH=$(call joinsegments, $(NETX_DIR)/lib/classes.jar $(JUNIT_RUNTIME) $(JUNIT_RUNNER_JAR) . $(TEST_EXTENSIONS_TESTS_DIR)) ; \
$(SYSTEM_JRE_DIR)/bin/java $(REPRODUCERS_DPARAMETERS) \
- -Xbootclasspath/a:$$CLASSPATH net.sourceforge.jnlp.ServerAccess randomport
+ -Xbootclasspath/a:$$CLASSPATH net.sourceforge.jnlp.ServerAccess randomport
+
+run-test-server-on-itwtestsport: stamps/netx.stamp stamps/junit-jnlp-dist-dirs stamps/netx-dist-tests-import-cert-to-public \
+ stamps/test-extensions-compile.stamp stamps/compile-reproducers-testcases.stamp $(JUNIT_RUNNER_JAR) stamps/copy-reproducers-resources.stamp
+ cd $(TEST_EXTENSIONS_DIR) ; \
+ CLASSPATH=$(call joinsegments, $(NETX_DIR)/lib/classes.jar $(JUNIT_RUNTIME) $(JUNIT_RUNNER_JAR) . $(TEST_EXTENSIONS_TESTS_DIR)) ; \
+ $(SYSTEM_JRE_DIR)/bin/java $(REPRODUCERS_DPARAMETERS) \
+ -Xbootclasspath/a:$$CLASSPATH net.sourceforge.jnlp.ServerAccess $$ITWTESTSPORT
clean-netx-tests: clean-netx-unit-tests clean-junit-runner clean-netx-dist-tests clean-test-code-coverage-jacoco
if [ -e $(TESTS_DIR)/netx ]; then \
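Review bot: the new run-test-server-on-itwtestsport recipe passes $$ITWTESTSPORT straight to ServerAccess without checking that the variable is set, so with an empty environment the server is started with no port argument at all. A guard at the top of the recipe that fails with a clear message when ITWTESTSPORT is empty would make the target safe to call by accident, and the variable deserves a line of documentation. The recipe is also a copy of the randomport one above it apart from the last argument; factoring the shared part out would keep the two from drifting. The removed and re-added randomport line appears to differ only in whitespace.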
diff -r c98095a2fb46 -r 2682417d5671 NEWS
--- a/NEWS Fri Oct 02 15:56:55 2015 +0200
+++ b/NEWS Thu Oct 08 11:52:14 2015 +0200
@@ -9,6 +9,7 @@
CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release 1.7 (2015-XX-XX):
+* all connection restrictions now consider also port
* Enabled Entry-Point attribute check
* permissions sandbox and signed app and unsigned app with permissions all-permissions now run in sandbox instead of not at all.
* fixed DownloadService
diff -r c98095a2fb46 -r 2682417d5671 netx/net/sourceforge/jnlp/Parser.java
--- a/netx/net/sourceforge/jnlp/Parser.java Fri Oct 02 15:56:55 2015 +0200
+++ b/netx/net/sourceforge/jnlp/Parser.java Thu Oct 08 11:52:14 2015 +0200
@@ -622,7 +622,7 @@
}
if (base != null) {
- return new SecurityDesc(file, requestedPermissionLevel, type, base.getHost());
+ return new SecurityDesc(file, requestedPermissionLevel, type, base);
} else {
return new SecurityDesc(file, requestedPermissionLevel, type, null);
}
diff -r c98095a2fb46 -r 2682417d5671 netx/net/sourceforge/jnlp/PluginBridge.java
--- a/netx/net/sourceforge/jnlp/PluginBridge.java Fri Oct 02 15:56:55 2015 +0200
+++ b/netx/net/sourceforge/jnlp/PluginBridge.java Thu Oct 08 11:52:14 2015 +0200
@@ -224,7 +224,7 @@
if (main.endsWith(".class")) //single class file only
security = new SecurityDesc(this, SecurityDesc.SANDBOX_PERMISSIONS,
- codebase.getHost());
+ codebase);
else
security = null;
diff -r c98095a2fb46 -r 2682417d5671 netx/net/sourceforge/jnlp/SecurityDesc.java
--- a/netx/net/sourceforge/jnlp/SecurityDesc.java Fri Oct 02 15:56:55 2015 +0200
+++ b/netx/net/sourceforge/jnlp/SecurityDesc.java Thu Oct 08 11:52:14 2015 +0200
@@ -22,6 +22,7 @@
import java.net.SocketPermission;
import java.net.URI;
import java.net.URISyntaxException;
+import java.net.URL;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
@@ -33,6 +34,7 @@
import net.sourceforge.jnlp.config.DeploymentConfiguration;
import net.sourceforge.jnlp.runtime.JNLPRuntime;
+import net.sourceforge.jnlp.util.UrlUtils;
import net.sourceforge.jnlp.util.logging.OutputController;
/**
@@ -132,7 +134,7 @@
private Object type;
/** the download host */
- private String downloadHost;
+ final private URL downloadHost;
/** whether sandbox applications should get the show window without banner permission */
private final boolean grantAwtPermissions;
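Review bot: style point on the changed field: "final private URL downloadHost" uses the reverse of the modifier order on the neighbouring "private final boolean grantAwtPermissions". Please write "private final" for consistency. The field now holds a full URL, so the comment "the download host" above it and the name itself are stale; something like downloadUrl or codebase would describe it better.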
@@ -256,7 +258,7 @@
* @param type the type of security
* @param downloadHost the download host (can always connect to)
*/
- public SecurityDesc(JNLPFile file, RequestedPermissionLevel requestedPermissionLevel, Object type, String downloadHost) {
+ public SecurityDesc(JNLPFile file, RequestedPermissionLevel requestedPermissionLevel, Object type, URL downloadHost) {
if (file == null) {
throw new NullJnlpFileException();
}
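Review bot: the @param text left unchanged above the new signature still reads "the download host (can always connect to)", but the parameter is now a URL and the permission derived from it is limited to that URL's port. Please update the javadoc here, and on the three-argument constructor in the next hunk, to say that only host plus port (explicit or protocol default) is granted and that null means no download-host permission is added.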
@@ -278,7 +280,7 @@
* @param type the type of security
* @param downloadHost the download host (can always connect to)
*/
- public SecurityDesc(JNLPFile file, Object type, String downloadHost) {
+ public SecurityDesc(JNLPFile file, Object type, URL downloadHost) {
this(file, RequestedPermissionLevel.NONE, type, downloadHost);
}
@@ -375,9 +377,10 @@
}
}
- if (downloadHost != null && downloadHost.length() > 0)
- permissions.add(new SocketPermission(downloadHost,
- "connect, accept"));
+ if (downloadHost != null && downloadHost.getHost().length() > 0) {
+ permissions.add(new SocketPermission(UrlUtils.getHostAndPort(downloadHost),
+ "connect, accept"));
+ }
final Collection<Permission> urlPermissions = getUrlPermissions();
for (final Permission permission : urlPermissions) {
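Review bot: the port now applies to the "accept" action as well as to "connect" in the new SocketPermission(UrlUtils.getHostAndPort(downloadHost), "connect, accept"). For accept, the port in a SocketPermission is matched against the remote port of the incoming connection, so this grants accepting connections only when they originate from the codebase's port on that host, which is much narrower than the previous host-wide accept. If the intent of the change is to restrict outgoing connections, please confirm that narrowing accept this way is wanted and cover it with a test; otherwise keep accept in a separate permission. The same applies to the other "connect, accept" sites changed in JNLPClassLoader.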
diff -r c98095a2fb46 -r 2682417d5671 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Fri Oct 02 15:56:55 2015 +0200
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Thu Oct 08 11:52:14 2015 +0200
@@ -318,7 +318,7 @@
private void setSecurity() throws LaunchException {
URL codebase = UrlUtils.guessCodeBase(file);
- this.security = securityDelegate.getClassLoaderSecurity(codebase.getHost());
+ this.security = securityDelegate.getClassLoaderSecurity(codebase);
}
/**
@@ -754,7 +754,7 @@
validJars.add(jarDesc);
final URL codebase = getJnlpFileCodebase();
- final SecurityDesc jarSecurity = securityDelegate.getCodebaseSecurityDesc(jarDesc, codebase.getHost());
+ final SecurityDesc jarSecurity = securityDelegate.getCodebaseSecurityDesc(jarDesc, codebase);
if (jarSecurity.getSecurityType().equals(SecurityDesc.SANDBOX_PERMISSIONS)) {
containsUnsignedJar = true;
} else {
@@ -778,7 +778,7 @@
for (JARDesc jarDesc : validJars) {
final URL codebase = getJnlpFileCodebase();
- final SecurityDesc jarSecurity = securityDelegate.getCodebaseSecurityDesc(jarDesc, codebase.getHost());
+ final SecurityDesc jarSecurity = securityDelegate.getCodebaseSecurityDesc(jarDesc, codebase);
jarLocationSecurityMap.put(jarDesc.getLocation(), jarSecurity);
}
@@ -1183,7 +1183,7 @@
// Class from host X should be allowed to connect to host X
if (cs.getLocation() != null && cs.getLocation().getHost().length() > 0)
- result.add(new SocketPermission(cs.getLocation().getHost(),
+ result.add(new SocketPermission(UrlUtils.getHostAndPort(cs.getLocation()),
"connect, accept"));
return result;
@@ -1297,7 +1297,7 @@
codebase = file.getResources().getMainJAR().getLocation();
}
- final SecurityDesc jarSecurity = securityDelegate.getJarPermissions(codebase.getHost());
+ final SecurityDesc jarSecurity = securityDelegate.getJarPermissions(codebase);
try {
URL fileURL = new URL("file://" + extractedJarLocation);
@@ -1625,7 +1625,7 @@
checkTrustWithUser();
- final SecurityDesc security = securityDelegate.getJarPermissions(file.getCodeBase().getHost());
+ final SecurityDesc security = securityDelegate.getJarPermissions(file.getCodeBase());
jarLocationSecurityMap.put(remoteURL, security);
@@ -2244,7 +2244,7 @@
// Permissions for all remote hosting urls
synchronized (jarLocationSecurityMap) {
for (URL u : jarLocationSecurityMap.keySet()) {
- permissions.add(new SocketPermission(u.getHost(),
+ permissions.add(new SocketPermission(UrlUtils.getHostAndPort(u),
"connect, accept"));
}
}
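Review bot: this loop over jarLocationSecurityMap.keySet() has no empty-host check, unlike the SecurityDesc change and the cs.getLocation() site earlier in this file, which both test getHost().length() > 0 before building the permission. With getHostAndPort a URL without a host now yields a string that starts with ":" followed by the port, rather than an empty host string. Please add the same guard here, and in the codeBaseLoader loop in the following hunk, or move the check into a single helper that returns the permission or nothing.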
@@ -2252,7 +2252,7 @@
// Permissions for codebase urls (if there is a loader)
if (codeBaseLoader != null) {
for (URL u : codeBaseLoader.getURLs()) {
- permissions.add(new SocketPermission(u.getHost(),
+ permissions.add(new SocketPermission(UrlUtils.getHostAndPort(u),
"connect, accept"));
}
}
@@ -2285,11 +2285,11 @@
public boolean userPromptedForSandbox();
- public SecurityDesc getCodebaseSecurityDesc(final JARDesc jarDesc, final String codebaseHost);
-
- public SecurityDesc getClassLoaderSecurity(final String codebaseHost) throws LaunchException;
-
- public SecurityDesc getJarPermissions(final String codebaseHost);
+ public SecurityDesc getCodebaseSecurityDesc(final JARDesc jarDesc, final URL codebaseHost);
+
+ public SecurityDesc getClassLoaderSecurity(final URL codebaseHost) throws LaunchException;
+
+ public SecurityDesc getJarPermissions(final URL codebaseHost);
public void promptUserOnPartialSigning() throws LaunchException;
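Review bot: the three delegate methods now take a URL, but the parameter is still called codebaseHost, which will mislead the next reader into thinking only the host is passed. Renaming it to codebase (here and in the implementing methods in the following hunks) keeps the interface honest. A short javadoc on each method stating that the port of this URL limits the granted SocketPermission would also help, since the interface currently has none.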
@@ -2326,7 +2326,7 @@
}
@Override
- public SecurityDesc getCodebaseSecurityDesc(final JARDesc jarDesc, final String codebaseHost) {
+ public SecurityDesc getCodebaseSecurityDesc(final JARDesc jarDesc, final URL codebaseHost) {
if (runInSandbox) {
return new SecurityDesc(classLoader.file,
SecurityDesc.SANDBOX_PERMISSIONS,
@@ -2356,7 +2356,7 @@
}
@Override
- public SecurityDesc getClassLoaderSecurity(final String codebaseHost) throws LaunchException {
+ public SecurityDesc getClassLoaderSecurity(final URL codebaseHost) throws LaunchException {
if (isPluginApplet()) {
if (!runInSandbox && classLoader.getSigning()) {
return new SecurityDesc(classLoader.file,
@@ -2398,7 +2398,7 @@
}
@Override
- public SecurityDesc getJarPermissions(final String codebaseHost) {
+ public SecurityDesc getJarPermissions(final URL codebaseHost) {
if (!runInSandbox && classLoader.jcv.isFullySigned()) {
// Already trust application, nested jar should be given
return new SecurityDesc(classLoader.file,
diff -r c98095a2fb46 -r 2682417d5671 netx/net/sourceforge/jnlp/util/UrlUtils.java
--- a/netx/net/sourceforge/jnlp/util/UrlUtils.java Fri Oct 02 15:56:55 2015 +0200
+++ b/netx/net/sourceforge/jnlp/util/UrlUtils.java Thu Oct 08 11:52:14 2015 +0200
@@ -332,7 +332,19 @@
}
}
+ public static int getSanitizedPort(final URL u) {
+ if (u.getPort() < 0) {
+ return u.getDefaultPort();
+ }
+ return u.getPort();
+ }
+ public static int getPort(final URL url) {
+ return getSanitizedPort(url);
+ }
+ public static String getHostAndPort(final URL url) {
+ return url.getHost() + ":" + getSanitizedPort(url);
+ }
}
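Review bot: getSanitizedPort can still return -1, because URL.getDefaultPort() returns -1 for protocols that have no default port, and getHostAndPort then produces "host:-1". SocketPermission's port syntax accepts "-portnumber" as a range meaning that port and below, so such a string would be read as a small port range rather than rejected. Please handle the negative result explicitly (throw, or have callers skip the permission) and add a test for it. Smaller points: getPort is a pure alias of getSanitizedPort, so one of the two public names can go; none of the three methods has javadoc or a null check on the URL; and the blank lines between the methods were dropped.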
diff -r c98095a2fb46 -r 2682417d5671 plugin/icedteanp/java/sun/applet/PluginAppletViewer.java
--- a/plugin/icedteanp/java/sun/applet/PluginAppletViewer.java Fri Oct 02 15:56:55 2015 +0200
+++ b/plugin/icedteanp/java/sun/applet/PluginAppletViewer.java Thu Oct 08 11:52:14 2015 +0200
@@ -113,6 +113,7 @@
import net.sourceforge.jnlp.splashscreen.SplashController;
import net.sourceforge.jnlp.splashscreen.SplashPanel;
import net.sourceforge.jnlp.splashscreen.SplashUtils;
+import net.sourceforge.jnlp.util.UrlUtils;
import net.sourceforge.jnlp.util.logging.OutputController;
import sun.awt.AppContext;
import sun.awt.SunToolkit;
@@ -887,7 +888,7 @@
public Applet getApplet(String name) {
name = name.toLowerCase();
SocketPermission panelSp =
- new SocketPermission(panel.getCodeBase().getHost(), "connect");
+ new SocketPermission(UrlUtils.getHostAndPort(panel.getCodeBase()), "connect");
synchronized(appletPanels) {
for (Enumeration<NetxPanel> e = appletPanels.elements(); e.hasMoreElements();) {
AppletPanel p = e.nextElement();
@@ -899,7 +900,7 @@
p.getDocumentBase().equals(panel.getDocumentBase())) {
SocketPermission sp =
- new SocketPermission(p.getCodeBase().getHost(), "connect");
+ new SocketPermission(UrlUtils.getHostAndPort(p.getCodeBase()), "connect");
if (panelSp.implies(sp)) {
return p.applet;
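Review bot: with the port folded into both permissions, panelSp.implies(sp) now fails for two applets on the same page and host whose codebases differ only in port, so getApplet (and getApplets below) will stop returning applets that were visible to each other before this patch. That looks like the intended same-origin tightening, but it is a behaviour change for applet-to-applet lookup rather than for connections, and neither the NEWS line nor the ChangeLog mentions it. Please state it there and add a reproducer or unit test that covers two codebases on different ports.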
@@ -918,7 +919,7 @@
public Enumeration<Applet> getApplets() {
Vector<Applet> v = new Vector<Applet>();
SocketPermission panelSp =
- new SocketPermission(panel.getCodeBase().getHost(), "connect");
+ new SocketPermission(UrlUtils.getHostAndPort(panel.getCodeBase()), "connect");
synchronized(appletPanels) {
for (Enumeration<NetxPanel> e = appletPanels.elements(); e.hasMoreElements();) {
@@ -926,7 +927,7 @@
if (p.getDocumentBase().equals(panel.getDocumentBase())) {
SocketPermission sp =
- new SocketPermission(p.getCodeBase().getHost(), "connect");
+ new SocketPermission(UrlUtils.getHostAndPort(p.getCodeBase()), "connect");
if (panelSp.implies(sp)) {
v.addElement(p.applet);
}
diff -r c98095a2fb46 -r 2682417d5671 tests/netx/unit/net/sourceforge/jnlp/SecurityDescTest.java
--- a/tests/netx/unit/net/sourceforge/jnlp/SecurityDescTest.java Fri Oct 02 15:56:55 2015 +0200
+++ b/tests/netx/unit/net/sourceforge/jnlp/SecurityDescTest.java Thu Oct 08 11:52:14 2015 +0200
@@ -48,7 +48,7 @@
public void testNotNullJnlpFile() throws Exception {
Throwable t = null;
try {
- new SecurityDesc(new DummyJNLPFile(), SecurityDesc.SANDBOX_PERMISSIONS, "hey!");
+ new SecurityDesc(new DummyJNLPFile(), SecurityDesc.SANDBOX_PERMISSIONS, null);
} catch (Exception ex) {
t = ex;
}
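Review bot: replacing "hey!" with null keeps this test compiling but means no test in this file exercises the new URL argument. Please add a case that constructs a SecurityDesc with a real URL, for example one with an explicit port and one relying on the protocol default, and asserts that the resulting sandbox permissions contain a SocketPermission for host:port and do not imply a connection to the same host on another port.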
@@ -57,7 +57,7 @@
@Test(expected = NullPointerException.class)
public void testNullJnlpFile() throws Exception {
- new SecurityDesc(null, SecurityDesc.SANDBOX_PERMISSIONS, "hey!");
+ new SecurityDesc(null, SecurityDesc.SANDBOX_PERMISSIONS, null);
}
@Test
diff -r c98095a2fb46 -r 2682417d5671 tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java
--- a/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java Fri Oct 02 15:56:55 2015 +0200
+++ b/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java Thu Oct 08 11:52:14 2015 +0200
@@ -42,6 +42,7 @@
import static org.junit.Assert.assertTrue;
import java.io.File;
+import java.net.MalformedURLException;
import java.net.URL;
import net.sourceforge.jnlp.annotations.KnownToFail;
import org.junit.Assert;
@@ -325,5 +326,36 @@
Assert.assertFalse(UrlUtils.compareNullableStrings("BBB", "aaa", false));
}
+
+ @Test
+ public void sanitizePortTest() throws MalformedURLException {
+ Assert.assertEquals(0, UrlUtils.getSanitizedPort(new URL("http://aaa.cz:0")));
+ Assert.assertEquals(1, UrlUtils.getSanitizedPort(new URL("https://aaa.cz:1")));
+ Assert.assertEquals(100, UrlUtils.getSanitizedPort(new URL("ftp://aaa.cz:100")));
+ //Assert.assertEquals(1001, UrlUtils.getSanitizedPort(new URL("ssh://aaa.cz:1001"))); unknown protocol :(
+ //Assert.assertEquals(22, UrlUtils.getSanitizedPort(new URL("ssh://aaa.cz")));
+ Assert.assertEquals(80, UrlUtils.getSanitizedPort(new URL("http://aaa.cz")));
+ Assert.assertEquals(443, UrlUtils.getSanitizedPort(new URL("https://aaa.cz")));
+ Assert.assertEquals(21, UrlUtils.getSanitizedPort(new URL("ftp://aaa.cz")));
+
+ }
+
+ public void getPortTest() throws MalformedURLException {
+ Assert.assertEquals(1, UrlUtils.getPort(new URL("http://aa.bb:1")));
+ Assert.assertEquals(10, UrlUtils.getPort(new URL("http://aa.bb:10/aa")));
+ Assert.assertEquals(1000, UrlUtils.getPort(new URL("http://aa.bb:1000/aa.fs")));
+ Assert.assertEquals(443, UrlUtils.getPort(new URL("https://aa.bb/aa.fs")));
+ Assert.assertEquals(80, UrlUtils.getPort(new URL("http://aa.bb")));
+ Assert.assertEquals(80, UrlUtils.getPort(new URL("http://aa.bb:80/a/b/c")));
+ }
+
+ public void getHostAndPortTest() throws MalformedURLException {
+ Assert.assertEquals("aa.bb:2", UrlUtils.getHostAndPort(new URL("http://aa.bb:2")));
+ Assert.assertEquals("aa.bb:12", UrlUtils.getHostAndPort(new URL("http://aa.bb:12/aa")));
+ Assert.assertEquals("aa.bb:1002", UrlUtils.getHostAndPort(new URL("http://aa.bb:1002/aa.fs")));
+ Assert.assertEquals("aa.bb:443", UrlUtils.getHostAndPort(new URL("https://aa.bb/aa.fs")));
+ Assert.assertEquals("aa.bb:80", UrlUtils.getHostAndPort(new URL("http://aa.bb")));
+ Assert.assertEquals("aa.bb:80", UrlUtils.getHostAndPort(new URL("http://aa.bb:80/a/b/c")));
+ }
}
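Review bot: getPortTest and getHostAndPortTest are missing the @Test annotation that sanitizePortTest has, so JUnit 4 will not run them and the assertions for getPort and getHostAndPort are never checked. Please add @Test to both. The two commented-out ssh assertions in sanitizePortTest should either be removed or turned into a real test of the unknown-protocol case, which is also where the missing-default-port behaviour of getSanitizedPort would show up. The stray blank line before the closing brace of sanitizePortTest can go.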
diff -r c98095a2fb46 -r 2682417d5671 tests/reproducers/signed/SOPBypassSigned/srcs/SOPBypassSigned.java
--- a/tests/reproducers/signed/SOPBypassSigned/srcs/SOPBypassSigned.java Fri Oct 02 15:56:55 2015 +0200
+++ b/tests/reproducers/signed/SOPBypassSigned/srcs/SOPBypassSigned.java Thu Oct 08 11:52:14 2015 +0200
@@ -52,12 +52,14 @@
public class SOPBypassSigned extends Applet {
private String unrelatedUrl;
private String reachableResource;
+ private String resourcesUrl;
@Override
public void init(){
setUnrelatedUrl(this.getParameter("unrelatedUrl"));
setReachableResource(this.getParameter("reachableResource"));
+ setResourcesUrl(this.getParameter("resourceUrl"));
}
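Review bot: naming mismatch in init(): the field and setter are resourcesUrl and setResourcesUrl, but the applet parameter read is "resourceUrl" (singular). If a test page passes the parameter under the plural name, getParameter returns null and the applet silently falls back to the codebase, so the resource check would pass without testing anything. Please pick one spelling and use it for the field, the setter and the parameter name.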
@Override
@@ -75,9 +77,11 @@
attemptSocketConnectionToCodebase();
attemptSocketConnectionToDocumentBase();
attemptSocketConnectionToUnrelated();
+ attemptSocketConnectionToResourcesLoc();
attemptUrlConnectionToCodebase();
attemptUrlConnectionToDocumentBase();
attemptUrlConnectionToUnrelated();
+ attemptUrlConnectionToResourcesLoc();
return true;
}
});
@@ -99,7 +103,7 @@
void attemptSocketConnectionToCodebase() {
String host = getCodeBase().getHost();
- int port = getCodeBase().getPort();;
+ int port = getCodeBase().getPort();
attemptSocketConnection(host, port, reachableResource, "codeBase", true);
}
@@ -118,6 +122,17 @@
}
attemptSocketConnection(host, port, reachableResource, "unrelated", true);
}
+
+ void attemptSocketConnectionToResourcesLoc() {
+ String host = getCodeBase().getHost();
+ int port = getCodeBase().getPort();
+ //if resources url was null, then it was probably from codebase
+ if (resourcesUrl != null){
+ host=extractHost(resourcesUrl);
+ port=extractPort(resourcesUrl);
+ }
+ attemptSocketConnection(host, port, reachableResource, "resource's", true);
+ }
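Review bot: in attemptSocketConnectionToResourcesLoc the fallback takes the port from getCodeBase().getPort(), which returns -1 when the codebase URL has no explicit port, and that value is passed on to attemptSocketConnection unchanged. Falling back to getCodeBase().getDefaultPort() when the port is negative would match what the new UrlUtils.getSanitizedPort does on the netx side. The comment "if resources url was null, then it was probably from codebase" also hides a silent fallback; logging which location was actually used would make a misconfigured test page visible in the output. Spacing around "=" in the two assignments is inconsistent with the rest of the method.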