[rfc][icedtea-web] Fixing PR722: unsigned entries should be ignored in META-INF/
Deepak Bhole
dbhole at redhat.com
Tue Jun 12 09:52:45 PDT 2012
* Adam Domurad <adomurad at redhat.com> [2012-06-12 12:43]:
> So afaik the consensus is that this doesn't cause security problems, and
> is the behaviour of Oracle's plugin, thus here is a simple patch. I have
> done some testing with dropping unsigned files into the META-INF/, and
> everything seems to be in working order.
>
Does this also prompt the user to make sure they agree to allowing it?
Deepak
> ChangeLog:
> 2012-06-12 Adam Domurad <adomurad at redhat.com>
>
> Fixes PR722, javaws failing to run with unsigned content in META-INF/
> * netx/net/sourceforge/jnlp/tools/JarCertVerifier.java: Changed
> isSignatureRelated => isMetaInfFile. Now all files under META-INF/ are
> disregarded in checking the jar signage.
> diff --git a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
> --- a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
> +++ b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
> @@ -277,7 +277,7 @@ public class JarCertVerifier implements
> anySigned |= isSigned;
>
> boolean shouldHaveSignature = !je.isDirectory()
> - && !signatureRelated(name);
> + && !isMetaInfFile(name);
>
> hasUnsignedEntry |= shouldHaveSignature && !isSigned;
>
> @@ -438,32 +438,18 @@ public class JarCertVerifier implements
> }
>
> /**
> - * signature-related files include:
> + * Returns whether a file is in META-INF, and thus does not require signing.
> + *
> + * Signature-related files under META-INF include:
> * . META-INF/MANIFEST.MF
> * . META-INF/SIG-*
> * . META-INF/*.SF
> * . META-INF/*.DSA
> * . META-INF/*.RSA
> - *
> - * Required for verifyJar()
> */
> - private boolean signatureRelated(String name) {
> + static private boolean isMetaInfFile(String name) {
> String ucName = name.toUpperCase();
> - if (ucName.equals(JarFile.MANIFEST_NAME) ||
> - ucName.equals(META_INF) ||
> - (ucName.startsWith(SIG_PREFIX) &&
> - ucName.indexOf("/") == ucName.lastIndexOf("/"))) {
> - return true;
> - }
> -
> - if (ucName.startsWith(META_INF) &&
> - SignatureFileVerifier.isBlockOrSF(ucName)) {
> - // .SF/.DSA/.RSA files in META-INF subdirs
> - // are not considered signature-related
> - return (ucName.indexOf("/") == ucName.lastIndexOf("/"));
> - }
> -
> - return false;
> + return ucName.startsWith(META_INF);
> }
>
> /**
More information about the distro-pkg-dev
mailing list