/hg/release/icedtea-web-1.6: 4 new changesets
jvanek at icedtea.classpath.org
Mon Sep 7 18:12:10 UTC 2015
changeset 0fabdba696d8 in /hg/release/icedtea-web-1.6
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.6?cmd=changeset;node=0fabdba696d8
author: Jiri Vanek <jvanek at redhat.com>
date: Mon Sep 07 17:35:05 2015 +0200
application-library-allowable-codebase dialog made available for unsigned apps
changeset 1edbea84a8b6 in /hg/release/icedtea-web-1.6
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.6?cmd=changeset;node=1edbea84a8b6
author: Jiri Vanek <jvanek at redhat.com>
date: Mon Sep 07 18:28:36 2015 +0200
Saving of status of dialogs for "whole codebase" now includes also document base
changeset f07fcd2a6a5e in /hg/release/icedtea-web-1.6
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.6?cmd=changeset;node=f07fcd2a6a5e
author: Jiri Vanek <jvanek at redhat.com>
date: Mon Sep 07 19:55:10 2015 +0200
Newline characters are banned from saving to .appletTrustSettings
Contains also
DummyJNLPFileWithJar enhanced to accept urls only, added test to UnsignedAppletTrustConfirmationTest
and
(DummyJNLPFileWithJar) fixed accidental call to getParentFile
to make solid tests
Now
testReloadAfterStore
and
updateAppletActionTestYQN1234saveAndLoadFine
fail, but should be fixed with
All UrlRegEx-es got unified and correct quoting
changeset f3a35ac8f513 in /hg/release/icedtea-web-1.6
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.6?cmd=changeset;node=f3a35ac8f513
author: Jiri Vanek <jvanek at redhat.com>
date: Mon Sep 07 20:11:55 2015 +0200
All UrlRegEx-es got unified and correct quoting
diffstat:
ChangeLog | 78 ++
netx/net/sourceforge/jnlp/controlpanel/UnsignedAppletActionTableModel.java | 6 +-
netx/net/sourceforge/jnlp/controlpanel/UnsignedAppletsTrustingListPanel.java | 6 +-
netx/net/sourceforge/jnlp/resources/Messages.properties | 8 +-
netx/net/sourceforge/jnlp/resources/Messages_cs.properties | 4 +-
netx/net/sourceforge/jnlp/resources/Messages_de.properties | 6 +-
netx/net/sourceforge/jnlp/resources/Messages_pl.properties | 4 +-
netx/net/sourceforge/jnlp/runtime/HtmlBoot.java | 2 +-
netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java | 56 +-
netx/net/sourceforge/jnlp/runtime/html/AppletExtractor.java | 17 +-
netx/net/sourceforge/jnlp/security/appletextendedsecurity/InvalidLineException.java | 47 +
netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletActionEntry.java | 12 +-
netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmation.java | 51 +-
netx/net/sourceforge/jnlp/security/appletextendedsecurity/UrlRegEx.java | 77 ++-
netx/net/sourceforge/jnlp/security/appletextendedsecurity/impl/UnsignedAppletActionStorageExtendedImpl.java | 4 +-
netx/net/sourceforge/jnlp/security/appletextendedsecurity/impl/UnsignedAppletActionStorageImpl.java | 46 +-
tests/netx/unit/net/sourceforge/jnlp/runtime/ManifestAttributesCheckerTest.java | 65 ++
tests/netx/unit/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmationTest.java | 301 +++++++++-
tests/netx/unit/net/sourceforge/jnlp/security/appletextendedsecurity/UrlRegExTest.java | 184 ++++++
tests/reproducers/simple/FakeCodebase/resources/FakeCodebase.html.in | 44 +
tests/reproducers/simple/FakeCodebase/resources/FakeCodebase.jnlp.in | 14 +
tests/reproducers/simple/FakeCodebase/resources/OriginalCodebase.html | 44 +
tests/reproducers/simple/FakeCodebase/resources/OriginalCodebase.jnlp | 14 +
tests/reproducers/simple/FakeCodebase/srcs/FakeCodebase.java | 55 +
tests/reproducers/simple/FakeCodebase/testcases/FakeCodebaseTests.java | 165 +++++
tests/reproducers/simple/UnicodeLineBreak/resources/UnicodeLineBreak.html | 44 +
tests/reproducers/simple/UnicodeLineBreak/srcs/UnicodeLineBreak.java | 47 +
tests/reproducers/simple/UnicodeLineBreak/testcases/UnicodeLineBreakTests.java | 116 +++
tests/test-extensions/net/sourceforge/jnlp/mock/DummyJNLPFileWithJar.java | 37 +-
29 files changed, 1472 insertions(+), 82 deletions(-)
diffs (truncated from 1944 to 500 lines):
diff -r bf0ba14741fb -r f3a35ac8f513 ChangeLog
--- a/ChangeLog Tue Sep 01 10:15:51 2015 -0400
+++ b/ChangeLog Mon Sep 07 20:11:55 2015 +0200
@@ -1,3 +1,81 @@
+2015-09-02 Jiri Vanek <jvanek at redhat.com>
+
+ All UrlRegEx-es got unified and correct quoting
+ * netx/net/sourceforge/jnlp/controlpanel/UnsignedAppletActionTableModel.java:
+ (addRow) now uses factory methods of quoteAndStar form UrlRegEx
+ * netx/net/sourceforge/jnlp/controlpanel/UnsignedAppletsTrustingListPanel.java:
+ same, but of exact. Removed redundant space in APPEXTSECguiPanelTableInvalid key
+ * netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletActionEntry.java:
+ same of exact.
+ * netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmation.java:
+ same
+ * netx/net/sourceforge/jnlp/security/appletextendedsecurity/impl/UnsignedAppletActionStorageExtendedImpl.java:
+ same
+ * netx/net/sourceforge/jnlp/security/appletextendedsecurity/impl/UnsignedAppletActionStorageImpl.java:
+ same
+ * netx/net/sourceforge/jnlp/security/appletextendedsecurity/UrlRegEx.java:
+ constructor made private, field final. Creation allowed over factory methods of
+ quote. quoteAndStar, exact. Added and iprved mehtods for visualisation
+ * tests/netx/unit/net/sourceforge/jnlp/security/appletextendedsecurity/UrlRegExTest.java:
+ new test file with tests to new methods in UrlRegex
+
+2015-09-02 Jiri Vanek <jvanek at redhat.com>
+
+ Newline characters are banned from saving to .appletTrustSettings
+ * netx/net/sourceforge/jnlp/security/appletextendedsecurity/InvalidLineException.java:
+ New file. Exception to be specially handled if error appear in saved line.
+ * netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletActionEntry.java:
+ (serializeToReadableAndParseableString) if new-line appear in line,
+ InvalidLineException is thrown
+ * netx/net/sourceforge/jnlp/security/appletextendedsecurity/impl/UnsignedAppletActionStorageImpl.java:
+ (writeContent) InvalidLineException is expected and logged.
+ * tests/netx/unit/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmationTest.java:
+ adapted and quite a lot of tests added.
+ * tests/reproducers/simple/UnicodeLineBreak/resources/UnicodeLineBreak.java:
+ * tests/reproducers/simple/UnicodeLineBreak/srcs/UnicodeLineBreak.java:
+ * tests/reproducers/simple/UnicodeLineBreak/testcases/UnicodeLineBreakTests.java:
+ half automated reproducer of this behavior
+ * netx/net/sourceforge/jnlp/runtime/HtmlBoot.java: based on existence of -xml,
+ now can turn off tagsoup
+ * netx/net/sourceforge/jnlp/runtime/html/AppletExtractor.java: is passing
+ parsersettings to HtmlBoot
+
+
+2015-09-01 Jiri Vanek <jvanek at redhat.com>
+
+ Saving of status of dialogs for "whole codebase" now includes also document base
+ * netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmation.java:
+ (updateAppletAction) now saves base of docbase instead of .* "for remember for codebase"
+ stripFile - new method, ensuring docbase do not contains file
+ * tests/netx/unit/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmationTest.java:
+ added testSripFile unit test for new method
+ * tests/reproducers/simple/FakeCodebase/resources/FakeCodebase.html.in:
+ * tests/reproducers/simple/FakeCodebase/resources/FakeCodebase.jnlp.in:
+ * tests/reproducers/simple/FakeCodebase/resources/OriginalCodebase.html:
+ * tests/reproducers/simple/FakeCodebase/resources/OriginalCodebase.jnlp:
+ * tests/reproducers/simple/FakeCodebase/srcs/FakeCodebase.java:
+ * tests/reproducers/simple/FakeCodebase/testcases/FakeCodebaseTests.java:
+ Reproducer of this behavior
+
+2015-09-01 Jiri Vanek <jvanek at redhat.com>
+
+ application-library-allowable-codebase dialog made available for unsigned apps
+ * netx/net/sourceforge/jnlp/resources/Messages.properties: (ALACAMissingMainTitle)
+ added warning about possible consequences of resources out of docbase.
+ (ALACAMatchingMainTitle) the red higlights changed to green and added calming
+ words about it.
+ * netx/net/sourceforge/jnlp/resources/Messages_cs.properties: same
+ * netx/net/sourceforge/jnlp/resources/Messages_de.properties: same
+ * netx/net/sourceforge/jnlp/resources/Messages_pl.properties: adapted to red
+ to green recoloring
+ * netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java:
+ (checkApplicationLibraryAllowableCodebaseAttribute) removed return for in case
+ of unsigned app. Fixed check for all matching resources against codebase and docbase
+ If app is unsigned, then value in manifest is ignored. Missing alaca required
+ also in low security mode
+ * tests/netx/unit/net/sourceforge/jnlp/runtime/ManifestAttributesCheckerTest.java:
+ new file to test stripDocbase.
+
2015-09-01 Andrew Azores <aazores at redhat.com>
Add -defaultfile switch to PolicyEditor
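Review bot: the ChangeLog entry for the newline ban lists tests/reproducers/simple/UnicodeLineBreak/resources/UnicodeLineBreak.java, but the diffstat above has tests/reproducers/simple/UnicodeLineBreak/resources/UnicodeLineBreak.html for that directory, so the path in the entry should be the .html file. Smaller things in the same block: "Creation allowed over factory methods of quote. quoteAndStar, exact" has a full stop where a comma is meant (quote, quoteAndStar, exact), "iprved mehtods" should be "improved methods", and "manifesdt" in the ManifestAttributesChecker comment further down is copied into the code itself.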
diff -r bf0ba14741fb -r f3a35ac8f513 netx/net/sourceforge/jnlp/controlpanel/UnsignedAppletActionTableModel.java
--- a/netx/net/sourceforge/jnlp/controlpanel/UnsignedAppletActionTableModel.java Tue Sep 01 10:15:51 2015 -0400
+++ b/netx/net/sourceforge/jnlp/controlpanel/UnsignedAppletActionTableModel.java Mon Sep 07 20:11:55 2015 +0200
@@ -148,12 +148,12 @@
public void addRow() {
int i = getRowCount()-1;
- String s = "\\Qhttp://localhost:80/\\E.*";
+ String s = "http://localhost:80/";
back.add(new UnsignedAppletActionEntry(
AppletSecurityActions.createDefault(),
new Date(),
- new UrlRegEx(s),
- new UrlRegEx(s),
+ UrlRegEx.quoteAndStar(s),
+ UrlRegEx.quoteAndStar(s),
null));
fireTableRowsInserted(i+1, i+1);
}
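Review bot: the template row seeds both document base and code base with UrlRegEx.quoteAndStar("http://localhost:80/"), which presumably builds the same `\Qhttp://localhost:80/\E.*` prefix pattern it replaces, so a freshly added row already trusts everything under that origin before the user edits it. A one-line comment stating that the default is a deliberate prefix match, or seeding the row with UrlRegEx.exact so the user has to widen it on purpose, would make the intent visible to the next reader of this table model.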
diff -r bf0ba14741fb -r f3a35ac8f513 netx/net/sourceforge/jnlp/controlpanel/UnsignedAppletsTrustingListPanel.java
--- a/netx/net/sourceforge/jnlp/controlpanel/UnsignedAppletsTrustingListPanel.java Tue Sep 01 10:15:51 2015 -0400
+++ b/netx/net/sourceforge/jnlp/controlpanel/UnsignedAppletsTrustingListPanel.java Mon Sep 07 20:11:55 2015 +0200
@@ -628,7 +628,7 @@
JOptionPane.showMessageDialog(this, Translator.R("APPEXTSECguiPanelTableValid"));
} catch (Exception ex) {
OutputController.getLogger().log(OutputController.Level.ERROR_ALL, ex);
- JOptionPane.showMessageDialog(this, Translator.R("APPEXTSECguiPanelTableInvalid ", ex.toString()));
+ JOptionPane.showMessageDialog(this, Translator.R("APPEXTSECguiPanelTableInvalid", ex.toString()));
} finally {
f.delete();
}
@@ -823,7 +823,7 @@
private MyTextField(UrlRegEx urlRegEx) {
if (urlRegEx == null) {
- keeper = new UrlRegEx("");
+ keeper = UrlRegEx.exact("");
} else {
this.keeper = urlRegEx;
}
@@ -842,7 +842,7 @@
private UrlRegexCellRenderer(UrlRegEx urlRegEx) {
if (urlRegEx == null) {
- keeper = new UrlRegEx("");
+ keeper = UrlRegEx.exact("");
} else {
this.keeper = urlRegEx;
}
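Review bot: UrlRegEx.exact("") replaces new UrlRegEx("") as the fallback for a null regex in both MyTextField and UrlRegexCellRenderer, and judging by UrlRegEx.exact(split[2]) on text read back from the settings file in the UnsignedAppletActionEntry hunk below, exact means "take this string as the regex as-is", so the fallback keeper is an empty regex. An empty pattern only matches nothing if the matcher requires a full match; with find() it matches every input. A comment saying what the empty keeper is meant to match, or a dedicated UrlRegEx.empty() factory with documented semantics, would pin that down.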
diff -r bf0ba14741fb -r f3a35ac8f513 netx/net/sourceforge/jnlp/resources/Messages.properties
--- a/netx/net/sourceforge/jnlp/resources/Messages.properties Tue Sep 01 10:15:51 2015 -0400
+++ b/netx/net/sourceforge/jnlp/resources/Messages.properties Mon Sep 07 20:11:55 2015 +0200
@@ -80,7 +80,7 @@
ALACAMissingMainTitle=The application <span color=''red''> {0} </span> \
from <span color=''red''> {1} </span> uses resources from the following remote locations: \
{2} \
-Are you sure you want to run this application?
+Be very careful when application is loading from different space then you expect. Are you sure you want to run this application?
ALACAMissingInfo=For more information see:<br/>\
<a href="http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#app_library"> \
JAR File Manifest Attributes</a> <br/> \
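Review bot: the sentence added to ALACAMissingMainTitle is ungrammatical ("Be very careful when application is loading from different space then you expect"); suggest "Be very careful when the application loads resources from a location you do not expect." This dialog is now the only barrier for an unsigned application that pulls resources from outside its codebase (the isLowSecurity() short-circuit is removed in the ManifestAttributesChecker hunk below), so the wording is worth getting right in all locales.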
@@ -88,9 +88,9 @@
Preventing the Repurposing of an Application</a>
# matching Application-Library-Allowable-Codebase dialogue
-ALACAMatchingMainTitle=The application <span color=''red''> {0} </span> \
-from <span color=''red''> {1} </span> uses resources from the following remote locations:<br/>{2} <br/> \
-Are you sure you want to run this application?
+ALACAMatchingMainTitle=The application <span color=''green''> {0} </span> \
+from <span color=''green''> {1} </span> uses resources from the following remote locations:<br/>{2} <br/> \
+They looks ok. Are you sure you want to run this application?
ALACAMatchingInfo=For more information you can visit:<br/>\
<a href="http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#app_library"> \
JAR File Manifest Attributes</a> <br/> \
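Review bot: "They looks ok" should be "They look OK", but the bigger point is what the sentence claims. The matching dialog is reached only when the Application-Library-Allowable-Codebase attribute was read from a signed manifest and the listed locations match it; the code has not judged the locations themselves, only that the publisher declared them. A green highlight plus "They look ok" invites the user to click through, so prefer a neutral statement of what was actually checked, e.g. "These locations match the Application-Library-Allowable-Codebase attribute of the application."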
diff -r bf0ba14741fb -r f3a35ac8f513 netx/net/sourceforge/jnlp/resources/Messages_cs.properties
--- a/netx/net/sourceforge/jnlp/resources/Messages_cs.properties Tue Sep 01 10:15:51 2015 -0400
+++ b/netx/net/sourceforge/jnlp/resources/Messages_cs.properties Mon Sep 07 20:11:55 2015 +0200
@@ -71,11 +71,11 @@
MissingPermissionsInfo=Chcete-li z\u00edskat v\u00edce informac\u00ed, nav\u0161tivte n\u00e1sleduj\u00edc\u00ed weby:<br/><a href="http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#permissions"> JAR File Manifest Attributes</a> <br/> a <br/> <a href="http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/no_redeploy.html"> Preventing the repurposing of Applications</a>.
# missing Application-Library-Allowable-Codebase dialogue
-ALACAMissingMainTitle=Aplikace <span color="red"> {0} </span> z <span color="red"> {1} </span> pou\u017e\u00edv\u00e1 zdroje z n\u00e1sleduj\u00edc\u00edch vzd\u00e1len\u00fdch um\u00edst\u011bn\u00ed:{2}. Ur\u010dit\u011b chcete spustit tuto aplikaci?
+ALACAMissingMainTitle=Aplikace <span color="red"> {0} </span> z <span color="red"> {1} </span> pou\u017e\u00edv\u00e1 zdroje z n\u00e1sleduj\u00edc\u00edch vzd\u00e1len\u00fdch um\u00edst\u011bn\u00ed:{2}. Bu\u010fte velmi opatrn\u00ed pokud jde o k\u00f3d z neo\u010dek\u00e1van destinace. Ur\u010dit\u011b chcete spustit tuto aplikaci?
ALACAMissingInfo=Chcete-li z\u00edskat v\u00edce informac\u00ed, nav\u0161tivte n\u00e1sleduj\u00edc\u00ed weby:<br/><a href="http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#app_library"> JAR File Manifest Attributes</a> <br/> a <br/> <a href="http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/no_redeploy.html"> Preventing the Repurposing of an Applications</a>.
# matching Application-Library-Allowable-Codebase dialogue
-ALACAMatchingMainTitle=Aplikace <span color="red"> {0} </span> z <span color="red"> {1} </span> pou\u017e\u00edv\u00e1 zdroje z n\u00e1sleduj\u00edc\u00edch vzd\u00e1len\u00fdch um\u00edst\u011bn\u00ed:<br/>{2}.<br/> Ur\u010dit\u011b chcete spustit tuto aplikaci?
+ALACAMatchingMainTitle=Aplikace <span color="green"> {0} </span> z <span color="green"> {1} </span> pou\u017e\u00edv\u00e1 zdroje z n\u00e1sleduj\u00edc\u00edch vzd\u00e1len\u00fdch um\u00edst\u011bn\u00ed:<br/>{2}.<br/> Zdroje se zdaj\u00ed v po\u0159\u00e1dku. Chcete spustit tuto aplikaci?
ALACAMatchingInfo=Chcete-li z\u00edskat v\u00edce informac\u00ed, nav\u0161tivte n\u00e1sleduj\u00edc\u00ed weby:<br/><a href="http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#app_library"> JAR File Manifest Attributes</a> <br/> a <br/> <a href="http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/no_redeploy.html"> Preventing the repurposing of Applications</a>
MACDisabledMessage=Kontroly atribut\u016f v manifestu jsou vypnut\u00e9.
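Review bot: in the Czech ALACAMissingMainTitle the added phrase "k\u00f3d z neo\u010dek\u00e1van destinace" is missing the adjective ending; it should read "z neo\u010dek\u00e1van\u00e9 destinace", or, to reuse the noun already used in the same string, "z neo\u010dek\u00e1van\u00e9ho um\u00edst\u011bn\u00ed". The matching title also drops "Ur\u010dit\u011b" from the closing question ("Chcete spustit tuto aplikaci?"), while the English keeps "Are you sure"; keep the stronger form so the two locales ask the same question.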
diff -r bf0ba14741fb -r f3a35ac8f513 netx/net/sourceforge/jnlp/resources/Messages_de.properties
--- a/netx/net/sourceforge/jnlp/resources/Messages_de.properties Tue Sep 01 10:15:51 2015 -0400
+++ b/netx/net/sourceforge/jnlp/resources/Messages_de.properties Mon Sep 07 20:11:55 2015 +0200
@@ -75,10 +75,10 @@
Preventing the Repurposing of an Application</a>
# matching Application-Library-Allowable-Codebase dialogue
-ALACAMatchingMainTitle=Die Anwendung \u201e<span color=\"red\">{0}</span>\u201c \
-mit der Codebasis \u201e<span color="red">{1}</span>\u201c l\u00e4dt die folgenden Ressourcen von einer fremden Dom\u00e4ne:<br/>\
+ALACAMatchingMainTitle=Die Anwendung \u201e<span color=\"green\">{0}</span>\u201c \
+mit der Codebasis \u201e<span color="green">{1}</span>\u201c l\u00e4dt die folgenden Ressourcen von einer fremden Dom\u00e4ne:<br/>\
{2}<br/>\
-Soll diese Anwendung wirklich ausgef\u00fchrt werden?
+Es ist richtig. Soll diese Anwendung wirklich ausgef\u00fchrt werden?
ALACAMatchingInfo=Um weitere Informationen zu erhalten siehe:<br/>\
<a href="http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#app_library">\
JAR File Manifest Attributes</a><br/>\
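Review bot: "Es ist richtig." is not idiomatic here and does not say what is right; "Diese Quellen sehen in Ordnung aus." (or a neutral "Die Ressourcen entsprechen dem Application-Library-Allowable-Codebase-Attribut der Anwendung.") matches the English intent. The two rewritten lines also keep the inconsistent quoting of the colour attribute, `\"green\"` on the first line and `"green"` on the next; both resolve to the same character in a .properties file, but since the lines are being touched anyway, use one form.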
diff -r bf0ba14741fb -r f3a35ac8f513 netx/net/sourceforge/jnlp/resources/Messages_pl.properties
--- a/netx/net/sourceforge/jnlp/resources/Messages_pl.properties Tue Sep 01 10:15:51 2015 -0400
+++ b/netx/net/sourceforge/jnlp/resources/Messages_pl.properties Mon Sep 07 20:11:55 2015 +0200
@@ -74,8 +74,8 @@
Preventing the Repurposing of an Application</a>
# matching Application-Library-Allowable-Codebase dialogue
-ALACAMatchingMainTitle=Aplikacja \u201e<span color="red">{0}</span>\u201d \
-z \u201e<span color="red">{1}</span>\u201d pobiera zasoby z nast\u0119puj\u0105cych obcych lokalizacji:<br/>\
+ALACAMatchingMainTitle=Aplikacja \u201e<span color="green">{0}</span>\u201d \
+z \u201e<span color="green">{1}</span>\u201d pobiera zasoby z nast\u0119puj\u0105cych obcych lokalizacji:<br/>\
{2}<br/>\
Czy na pewno chcesz uruchomi\u0107 t\u0105 aplikacj\u0119?
ALACAMatchingInfo=Wi\u0119cej informacji uzyskasz na:<br/>\
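Review bot: the Polish matching title only changes the colour from red to green and adds no reassuring sentence, so this locale shows a green dialog with nothing but the warning question; the ChangeLog says this is intentional ("adapted to red to green recoloring"), which is fine, but it means the text and the colour now send different signals. While in this string: the unchanged context line "Czy na pewno chcesz uruchomi\u0107 t\u0105 aplikacj\u0119?" should be "t\u0119 aplikacj\u0119" (accusative).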
diff -r bf0ba14741fb -r f3a35ac8f513 netx/net/sourceforge/jnlp/runtime/HtmlBoot.java
--- a/netx/net/sourceforge/jnlp/runtime/HtmlBoot.java Tue Sep 01 10:15:51 2015 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/HtmlBoot.java Mon Sep 07 20:11:55 2015 +0200
@@ -132,7 +132,7 @@
try {
OutputController.getLogger().log("Proceeding with html");
final URL html = Boot.getFileLocation();
- AppletExtractor axe = new AppletExtractor(html);
+ AppletExtractor axe = new AppletExtractor(html, settings);
AppletsFilter filtered = new AppletsFilter(axe.findAppletsOnPage(), html, vars.subList(1, vars.size()));
List<AppletParser> applets = filtered.getApplets();
// this hack was needed in early phases of the patch. Now it sees to be not neede. Keeping inside to remove after much more testing
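Review bot: `settings` is passed to the new AppletExtractor constructor but is not defined anywhere in the visible context of this hunk; assuming it is the ParserSettings built from the command line, this change makes the -xml option also decide whether the HTML page goes through tagsoup cleaning (see the cleanStreamIfPossible hunk in AppletExtractor below). That is a user-visible change in how an HTML launch is parsed and should be mentioned in the help text of the -xml option, not only in the ChangeLog.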
diff -r bf0ba14741fb -r f3a35ac8f513 netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java
--- a/netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java Tue Sep 01 10:15:51 2015 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java Mon Sep 07 20:11:55 2015 +0200
@@ -36,6 +36,7 @@
*/
package net.sourceforge.jnlp.runtime;
+import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.HashSet;
@@ -332,9 +333,6 @@
}
private void checkApplicationLibraryAllowableCodebaseAttribute() throws LaunchException {
- if (signing == SigningState.NONE) {
- return; /*when app is not signed at all, then skip this check*/
- }
//conditions
URL codebase = file.getCodeBase();
URL documentBase = null;
@@ -386,18 +384,30 @@
return;
}
- if (usedUrls.size() == 1) {
- if (UrlUtils.equalsIgnoreLastSlash(usedUrls.toArray(new URL[0])[0], codebase)
- && UrlUtils.equalsIgnoreLastSlash(usedUrls.toArray(new URL[0])[0], documentBase)) {
- //all resoources are from codebase or document base. it is ok to proceeed.
- OutputController.getLogger().log("All applications resources (" + usedUrls.toArray(new URL[0])[0] + ") are from codebas/documentbase " + codebase + "/" + documentBase + ", skipping Application-Library-Allowable-Codebase Attribute check.");
- return;
+ boolean allOk = true;
+ for (URL u : usedUrls) {
+ if (UrlUtils.equalsIgnoreLastSlash(u, codebase)
+ && UrlUtils.equalsIgnoreLastSlash(u, stripDocbase(documentBase))) {
+ OutputController.getLogger().log("OK - "+u.toExternalForm()+" is from codebase/docbase.");
+ } else {
+ allOk = false;
+ OutputController.getLogger().log("Warning! "+u.toExternalForm()+" is NOT from codebase/docbase.");
}
}
-
- ClasspathMatchers att = file.getManifestsAttributes().getApplicationLibraryAllowableCodebase();
+ if (allOk) {
+ //all resoources are from codebase or document base. it is ok to proceeed.
+ OutputController.getLogger().log("All applications resources (" + usedUrls.toArray(new URL[0])[0] + ") are from codebas/documentbase " + codebase + "/" + documentBase + ", skipping Application-Library-Allowable-Codebase Attribute check.");
+ return;
+ }
+
+ ClasspathMatchers att = null;
+ if (signing == SigningState.NONE) {
+ //for unsigned app we are ignoring value in manifesdt (may be faked)
+ } else {
+ att = file.getManifestsAttributes().getApplicationLibraryAllowableCodebase();
+ }
if (att == null) {
- final boolean userApproved = isLowSecurity() || SecurityDialogs.showMissingALACAttributePanel(file.getTitle(), documentBase, usedUrls);
+ final boolean userApproved = SecurityDialogs.showMissingALACAttributePanel(file.getTitle(), documentBase, usedUrls);
if (!userApproved) {
throw new LaunchException("The application uses non-codebase resources, has no Application-Library-Allowable-Codebase Attribute, and was blocked from running by the user");
} else {
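Review bot: the per-resource test `if (UrlUtils.equalsIgnoreLastSlash(u, codebase) && UrlUtils.equalsIgnoreLastSlash(u, stripDocbase(documentBase)))` requires each resource to equal both the codebase and the document-base directory, so whenever the embedding page is not served from the codebase directory itself, every resource, including those fetched straight from the codebase, is logged "NOT from codebase/docbase" and the user gets the missing-attribute dialog. If "from codebase or document base", as the OK log line and the allOk comment say, is the intent, this should be `||`; if the strict form is intended, the log text should say so. Two smaller points: documentBase is initialised to null at the top of the method and stripDocbase dereferences it without a check, so confirm it cannot still be null when this loop runs; and the allOk log line still prints only usedUrls.toArray(new URL[0])[0] (and carries over "resoources", "proceeed", "codebas") although the loop now covers the whole set. Removing the `isLowSecurity() ||` short-circuit and ignoring the manifest value for SigningState.NONE (an unsigned manifest can be edited by whoever serves the jar) are the right calls, together with the deleted early return in the previous hunk, but they change behaviour for existing deployments and belong in NEWS as well as the ChangeLog.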
@@ -420,4 +430,26 @@
OutputController.getLogger().log("The application uses non-codebase resources, which do match its Application-Library-Allowable-Codebase Attribute, and was allowed to run by the user or user's security settings.");
}
}
+
+ //package private for testing
+ //not perfect but ok for usecase
+ static URL stripDocbase(URL documentBase) {
+ String s = documentBase.toExternalForm();
+ if (s.endsWith("/") || s.endsWith("\\")) {
+ return documentBase;
+ }
+ int i1 = s.lastIndexOf("/");
+ int i2 = s.lastIndexOf("\\");
+ int i = Math.max(i1, i2);
+ if (i <= 8 || i >= s.length()) {
+ return documentBase;
+ }
+ s = s.substring(0, i+1);
+ try {
+ documentBase = new URL(s);
+ } catch (MalformedURLException ex) {
+ OutputController.getLogger().log(ex);
+ }
+ return documentBase;
+ }
}
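Review bot: stripDocbase works on the external form as a string and guards the scheme with `if (i <= 8 || i >= s.length())`; the second condition can never be true (lastIndexOf returns at most length-1) and the 8 is an undocumented stand-in for the length of "https://". Cutting on documentBase.getPath() and rebuilding with new URL(protocol, host, port, parent) avoids both, and it would let this helper and stripFileImp in UnsignedAppletTrustConfirmation (same job, different algorithm, same patch series) share one implementation and one set of tests. The swallowed MalformedURLException returns the unstripped URL, which then fails the equality check and raises the dialog, i.e. it fails closed; a comment saying that is deliberate would stop the next reader from "fixing" it.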
diff -r bf0ba14741fb -r f3a35ac8f513 netx/net/sourceforge/jnlp/runtime/html/AppletExtractor.java
--- a/netx/net/sourceforge/jnlp/runtime/html/AppletExtractor.java Tue Sep 01 10:15:51 2015 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/html/AppletExtractor.java Mon Sep 07 20:11:55 2015 +0200
@@ -45,7 +45,9 @@
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import net.sourceforge.jnlp.JNLPFile;
+import net.sourceforge.jnlp.OptionsDefinitions;
import net.sourceforge.jnlp.Parser;
+import net.sourceforge.jnlp.ParserSettings;
import net.sourceforge.jnlp.cache.UpdatePolicy;
import net.sourceforge.jnlp.runtime.JNLPRuntime;
import net.sourceforge.jnlp.util.logging.OutputController;
@@ -68,10 +70,15 @@
"applet", "APPLET", "Applet",
"object", "OBJECT", "Object",
"embed", "EMBED", "Embed"};
+ private final ParserSettings ps;
public AppletExtractor(URL html) {
+ this(html, null);
+ }
+ public AppletExtractor(URL html, ParserSettings ps) {
JNLPRuntime.saveHistory(html.toExternalForm());
this.html = html;
+ this.ps = ps;
}
public URL getHtml() {
@@ -80,9 +87,13 @@
private InputStream cleanStreamIfPossible(InputStream is) {
try {
- Class<?> klass = Class.forName(Parser.MALFORMED_PARSER_CLASS);
- Method m = klass.getMethod("xmlizeInputStream", InputStream.class);
- return (InputStream) m.invoke(null, is);
+ if (ps != null && ps.isMalformedXmlAllowed()){
+ Class<?> klass = Class.forName(Parser.MALFORMED_PARSER_CLASS);
+ Method m = klass.getMethod("xmlizeInputStream", InputStream.class);
+ return (InputStream) m.invoke(null, is);
+ } else {
+ OutputController.getLogger().log(OutputController.Level.WARNING_DEBUG, "Tagsoup's html2xml cleaning is Disabled. Remove "+OptionsDefinitions.OPTIONS.XML.option+". Parsing will probably fail.");
+ }
} catch (Exception ex) {
OutputController.getLogger().log(OutputController.Level.WARNING_DEBUG, "Tagsoup's html2xml cleaning not loaded. Install tagsoup. Parsing will probably fail.");
OutputController.getLogger().log(ex);
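Review bot: the one-argument constructor kept for existing callers passes null for ParserSettings, and cleanStreamIfPossible treats null exactly like a strict setting: tagsoup cleaning is skipped and the log tells the user to "Remove -xml" even though no option was passed. Unless every caller is being moved to the two-argument form, a null settings object should keep the previous behaviour (cleaning on), or at least the message should distinguish "disabled by -xml" from "no settings supplied"; the ChangeLog describes this as being able to turn tagsoup off, not as a new default. The message is also logged at WARNING_DEBUG, so the user whose page now fails to parse may never see why.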
diff -r bf0ba14741fb -r f3a35ac8f513 netx/net/sourceforge/jnlp/security/appletextendedsecurity/InvalidLineException.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/netx/net/sourceforge/jnlp/security/appletextendedsecurity/InvalidLineException.java Mon Sep 07 20:11:55 2015 +0200
@@ -0,0 +1,47 @@
+/*
+ Copyright (C) 2015 Red Hat, Inc.
+
+ This file is part of IcedTea.
+
+ IcedTea is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, version 2.
+
+ IcedTea is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with IcedTea; see the file COPYING. If not, write to
+ the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ 02110-1301 USA.
+
+ Linking this library statically or dynamically with other modules is
+ making a combined work based on this library. Thus, the terms and
+ conditions of the GNU General Public License cover the whole
+ combination.
+
+ As a special exception, the copyright holders of this library give you
+ permission to link this library with independent modules to produce an
+ executable, regardless of the license terms of these independent
+ modules, and to copy and distribute the resulting executable under
+ terms of your choice, provided that you also meet, for each linked
+ independent module, the terms and conditions of the license of that
+ module. An independent module is a module which is not derived from
+ or based on this library. If you modify this library, you may extend
+ this exception to your version of the library, but you are not
+ obligated to do so. If you do not wish to do so, delete this
+ exception statement from your version.
+ */
+
+package net.sourceforge.jnlp.security.appletextendedsecurity;
+
+
+public class InvalidLineException extends RuntimeException {
+
+ public InvalidLineException(String s) {
+ super(s);
+ }
+
+}
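Review bot: InvalidLineException extends RuntimeException, so the `throws InvalidLineException` on serializeToReadableAndParseableString is documentation only and nothing forces a caller to handle it; the ChangeLog says writeContent catches and logs it, which means an entry that fails the check is silently dropped from .appletTrustSettings and the user's "remember this decision" choice is lost without any feedback. Consider surfacing the failure to the caller (a checked exception, or a return value from the write) so the dialog can tell the user the decision was not persisted.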
diff -r bf0ba14741fb -r f3a35ac8f513 netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletActionEntry.java
--- a/netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletActionEntry.java Tue Sep 01 10:15:51 2015 -0400
+++ b/netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletActionEntry.java Mon Sep 07 20:11:55 2015 +0200
@@ -61,11 +61,11 @@
UnsignedAppletActionEntry nw = new UnsignedAppletActionEntry(
AppletSecurityActions.fromString(split[0]),
new Date(new Long(split[1])),
- new UrlRegEx(split[2]),
+ UrlRegEx.exact(split[2]),
null,
null);
if (split.length > 3) {
- nw.setCodeBase(new UrlRegEx(split[3]));
+ nw.setCodeBase(UrlRegEx.exact(split[3]));
}
if (split.length > 4) {
nw.setArchives(createArchivesList(s.substring(s.lastIndexOf(split[3]) + split[3].length()).trim()));
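Review bot: at this call site UrlRegEx.exact(split[2]) wraps text that was stored by getRegEx(), i.e. an already-built regex that must not be quoted again (a stored `\Q...\E.*` re-quoted would match nothing), so "exact" here means "use this string as the regex verbatim". Read next to quote and quoteAndStar the name suggests the opposite, an exact literal match; a name such as fromRegex, or a Javadoc line on the factory, would remove the ambiguity for whoever next touches the parser.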
@@ -92,12 +92,16 @@
bw.write(this.serializeToReadableAndParseableString());
}
- private String serializeToReadableAndParseableString() {
- return appletSecurityActions.toString()
+ private String serializeToReadableAndParseableString() throws InvalidLineException {
+ String s = appletSecurityActions.toString()
+ " " + ((timeStamp == null) ? "1" : timeStamp.getTime())
+ " " + ((documentBase == null) ? "" : documentBase.getRegEx())
+ " " + ((codeBase == null) ? "" : codeBase.getRegEx())
+ " " + createArchivesString(archives);
+ if (s.contains("\n") || s.contains("\r") || s.contains("\f")){
+ throw new InvalidLineException("Cant write line with \\n, \\r or \\f");
+ }
+ return s;
}
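Review bot: the new check rejects \n, \r and \f in the assembled line, but the line is read back by splitting on whitespace (split[0] .. split[3] at the top of this file, with the archives taken from the substring after split[3]), so a space or tab inside the document-base or code-base regex would shift the columns on reload just as a newline would break the line structure; reject all of \s in those two fields, or quote them. Second, the reproducer is called UnicodeLineBreak while the check covers only ASCII terminators; that is sufficient if the reader is BufferedReader.readLine (which splits on \n, \r and \r\n only) but not if it is java.util.Scanner.nextLine, whose line pattern also includes U+0085, U+2028 and U+2029, so pin which reader UnsignedAppletActionStorageImpl uses, or reject those code points as well. Minor: "Cant" in the exception message.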
public Date getTimeStamp() {
diff -r bf0ba14741fb -r f3a35ac8f513 netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmation.java
--- a/netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmation.java Tue Sep 01 10:15:51 2015 -0400
+++ b/netx/net/sourceforge/jnlp/security/appletextendedsecurity/UnsignedAppletTrustConfirmation.java Mon Sep 07 20:11:55 2015 +0200
@@ -36,6 +36,7 @@
package net.sourceforge.jnlp.security.appletextendedsecurity;
+import java.net.MalformedURLException;
import static net.sourceforge.jnlp.runtime.Translator.R;
import java.net.URL;
@@ -138,12 +139,12 @@
URL documentbase = UrlUtils.normalizeUrlAndStripParams(file.getSourceLocation(), true /* encode local files */);
/* Else, create a new entry */
- UrlRegEx codebaseRegex = new UrlRegEx("\\Q" + codebase + "\\E");
- UrlRegEx documentbaseRegex = new UrlRegEx(".*"); // Match any from codebase
+ UrlRegEx codebaseRegex = UrlRegEx.quote(codebase.toExternalForm());
+ UrlRegEx documentbaseRegex = UrlRegEx.quoteAndStar(stripFile(documentbase)); // Match any from codebase and sourceFile "base"
List<String> archiveMatches = null; // Match any from codebase
if (!rememberForCodeBase) {
- documentbaseRegex = new UrlRegEx("\\Q" + documentbase + "\\E"); // Match only this applet
+ documentbaseRegex = UrlRegEx.quote(documentbase.toExternalForm()); // Match only this applet
archiveMatches = toRelativePaths(getJars(file), file.getCodeBase().toString()); // Match only this applet
}
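Review bot: for rememberForCodeBase the document-base pattern changes from `.*` to quoteAndStar(stripFile(documentbase)), i.e. from "any page anywhere" to "any page under the directory of this one", which closes the case where a trust decision for a codebase could be reused by a page on an unrelated host; good. One caveat worth stating in the comment on that line: the pattern is a prefix regex over the string form, so it only gives the intended guarantee if the document base it is later matched against goes through the same UrlUtils.normalizeUrlAndStripParams as on the line above, because a string such as http://host/dir/../other/page.html still begins with the quoted prefix for http://host/dir/.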
@@ -277,4 +278,48 @@
}
+ static String stripFile(URL documentbase) {
+ //whenused in generation of regec, the trailing slash is very important
+ //see the result between http:/some.url/path.* and http:/some.url/path/.*
+ return ensureSlashTail(stripFileImp(documentbase));
+ }
+
+ private static String stripFileImp(URL documentbase) {
+ try {
+ String normlaized = UrlUtils.normalizeUrlAndStripParams(documentbase).toExternalForm().trim();
+ if (normlaized.endsWith("/") || normlaized.endsWith("\\")) {
+ return normlaized;
+ }
+ URL middleway = new URL(normlaized);
+ String file = middleway.getFile();
+ int i = Math.max(file.lastIndexOf('/'), file.lastIndexOf('\\'));
+ if (i<0){
+ return normlaized;
+ }
+ String parent = file.substring(0, i+1);
+ String stripped = normlaized.replace(file, parent);
+ return stripped;
+ } catch (Exception ex) {
+ OutputController.getLogger().log(ex);
+ return documentbase.toExternalForm();
+ }
+
+ }
+
+ private static String ensureSlashTail(String s) {
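Review bot: `String stripped = normlaized.replace(file, parent);` replaces every occurrence of the file string in the whole URL, not only the path: for a host named a with file /a (http://a/a), replace("/a", "/") rewrites both the authority and the path and yields http:///. Since middleway is already a URL, build the stripped form from its parts (protocol, host, port, parent), or use normlaized.substring(0, normlaized.lastIndexOf(file)) + parent, which touches only the tail. Also: the variable is spelled "normlaized" throughout; the Exception fallback returns documentbase.toExternalForm() without the normalisation the success path applies, so the two paths can produce different prefixes for the same page; and the hunk is cut off at ensureSlashTail by the 500-line truncation, so that helper could not be reviewed here.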