# HG changeset patch # User Jiri Vanek # Date 1365675744 -7200 # Node ID 34b6f60ae586cd8349a650385134fe6425a1466b # Parent 45a5c6e2e36843736eda71c4e524dec9a0db24e1 Fixed CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. diff -r 45a5c6e2e368 -r 34b6f60ae586 ChangeLog --- a/ChangeLog Wed Apr 10 18:31:18 2013 +0200 +++ b/ChangeLog Thu Apr 11 12:22:24 2013 +0200 @@ -1,3 +1,10 @@ +2013-04-11 Adam Domurad + + CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with + same relative-path. + * netx/net/sourceforge/jnlp/NetxPanel.java: (NetxPanel) Construct + unique-key with absolute path + 2013-04-10 Jiri Vanek Fixed gifar vulnereability with automated testcase diff -r 45a5c6e2e368 -r 34b6f60ae586 NEWS --- a/NEWS Wed Apr 10 18:31:18 2013 +0200 +++ b/NEWS Thu Apr 11 12:22:24 2013 +0200 @@ -11,6 +11,7 @@ New in release 1.2.3 (2013-04-17): * Security Updates - CVE-2013-1927, RH884705 - fixed gifar vulnerability + - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. * Common - PR1161: X509VariableTrustManager does not work correctly with OpenJDK7 * Plugin diff -r 45a5c6e2e368 -r 34b6f60ae586 netx/net/sourceforge/jnlp/NetxPanel.java --- a/netx/net/sourceforge/jnlp/NetxPanel.java Wed Apr 10 18:31:18 2013 +0200 +++ b/netx/net/sourceforge/jnlp/NetxPanel.java Thu Apr 11 12:22:24 2013 +0200 @@ -77,11 +77,6 @@ * bad tag cannot trick the loader into getting shared with another. */ - // Firefox sometimes skips the codebase if it is default -- ".", - // so set it that way if absent - String codebaseAttr = atts.get("codebase") != null ? - atts.get("codebase") : "."; - String cache_archiveAttr = atts.get("cache_archive") != null ? atts.get("cache_archive") : ""; 
@@ -91,7 +86,7 @@ String archiveAttr = atts.get("archive") != null ? atts.get("archive") : ""; - this.uKey = "codebase=" + codebaseAttr + + this.uKey = "codebase=" + getCodeBase().toExternalForm() + "cache_archive=" + cache_archiveAttr + "java_archive=" + java_archiveAttr + "archive=" + archiveAttr;
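Review bot: The ChangeLog hunk lists only netx/net/sourceforge/jnlp/NetxPanel.java, and the changeset touches just ChangeLog, NEWS and that file, so the fix lands without a regression test. The 2013-04-10 entry directly below it records that the gifar fix came "with automated testcase". A reproducer that loads two applets with the same relative codebase and archive from different absolute locations, and checks that they do not end up with the same class loader, would keep this from regressing.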
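Review bot: In the NEWS hunk the added line separates the identifiers from the description with a colon and ends with a full stop, while the CVE-2013-1927 line above it uses " - " and no full stop. Suggest matching the existing entry style: "- CVE-2013-1926, RH916774 - Class-loader incorrectly shared for applets with same relative-path".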
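Review bot: In the NetxPanel.java hunk at @@ -77,11 +77,6 the removed comment was the only record that Firefox can omit a default codebase, and the surviving block comment (ending "bad tag cannot trick the loader into getting shared with another") now says nothing about how the codebase enters the key. Suggest adding a sentence there stating that the key uses the absolute codebase from getCodeBase(), and confirming that getCodeBase() returns a usable, non-null value when the attribute is absent, since the "." fallback is gone.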
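Review bot: In the NetxPanel.java hunk at @@ -91,7 +86,7 the uKey fields are still concatenated with no separator, so the codebase URL runs straight into the literal "cache_archive=" and each attribute value runs straight into the next label. Field boundaries are therefore ambiguous: text can sit in one field or the neighbouring one and produce the same key string, which works against the stated goal that a bad tag cannot get a loader shared with another. Suggest joining the fields with a delimiter that cannot occur in a URL or attribute value, or length-prefixing each value, so that distinct (codebase, cache_archive, java_archive, archive) tuples always give distinct keys.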