# HG changeset patch # User Jiri Vanek # Date 1365676187 -7200 # Node ID 25dd7c7ac39cdb39d96d920d6cb92ba6f7c8786a # Parent c8544250d5b28534f60f577b84f5ed036174cecb Fixed CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. diff -r c8544250d5b2 -r 25dd7c7ac39c ChangeLog --- a/ChangeLog Wed Apr 10 18:31:56 2013 +0200 +++ b/ChangeLog Thu Apr 11 12:29:47 2013 +0200 @@ -1,3 +1,10 @@ +2013-04-11 Adam Domurad + + CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with + same relative-path. + * netx/net/sourceforge/jnlp/NetxPanel.java: (NetxPanel) Construct + unique-key with absolute path + 2013-04-10 Jiri Vanek Fixed gifar vulnereability with automated testcase diff -r c8544250d5b2 -r 25dd7c7ac39c NEWS --- a/NEWS Wed Apr 10 18:31:56 2013 +0200 +++ b/NEWS Thu Apr 11 12:29:47 2013 +0200 @@ -10,7 +10,8 @@ New in release 1.3.2 (2013-04-17): * Security Updates - - CVE-2013-1927, RH884705 - fixed gifar vulnerability + - CVE-2013-1927, RH884705: fixed gifar vulnerability + - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. * Common - Added new option in itw-settings which allows users to set JVM arguments when plugin is initialized. * Plugin diff -r c8544250d5b2 -r 25dd7c7ac39c netx/net/sourceforge/jnlp/NetxPanel.java --- a/netx/net/sourceforge/jnlp/NetxPanel.java Wed Apr 10 18:31:56 2013 +0200 +++ b/netx/net/sourceforge/jnlp/NetxPanel.java Thu Apr 11 12:29:47 2013 +0200 @@ -77,11 +77,6 @@ * bad tag cannot trick the loader into getting shared with another. */ - // Firefox sometimes skips the codebase if it is default -- ".", - // so set it that way if absent - String codebaseAttr = atts.get("codebase") != null ? - atts.get("codebase") : "."; - String cache_archiveAttr = atts.get("cache_archive") != null ? atts.get("cache_archive") : ""; 
@@ -91,7 +86,7 @@ String archiveAttr = atts.get("archive") != null ? atts.get("archive") : ""; - this.uKey = "codebase=" + codebaseAttr + + this.uKey = "codebase=" + getCodeBase().toExternalForm() + "cache_archive=" + cache_archiveAttr + "java_archive=" + java_archiveAttr + "archive=" + archiveAttr;
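Review bot: In the NEWS hunk, the new CVE-2013-1926 entry starts with a capital letter and ends with a full stop, while the CVE-2013-1927 entry directly above it does neither, and the new line runs well past the width of its neighbours. Suggest matching the existing entry style and wrapping the line.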
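Review bot: In the NetxPanel.java hunk at @@ -77,11 +77,6, the fallback for an absent codebase attribute (default ".") is removed with no visible replacement, so the key now depends on getCodeBase() returning a usable, non-null URL when the tag omits codebase. Please add a short comment saying how getCodeBase() handles a missing or relative codebase, and a null guard before it is used in the key if that is not guaranteed at this point in the constructor. The changeset also touches only ChangeLog, NEWS and NetxPanel.java; a regression test that loads two applets with the same relative codebase and archive from different document locations would pin the fix.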
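Review bot: In the NetxPanel.java hunk at @@ -91,7 +86,7, uKey is still built by concatenating the fields with no separator: the codebase URL is followed directly by "cache_archive=", then "java_archive=", then "archive=". The three archive values are taken straight from the tag attributes, so a value that itself contains one of those labels can make two different attribute sets produce the same key, which is the case the comment above ("bad tag cannot trick the loader into getting shared with another") is meant to rule out. Suggest joining the fields with a delimiter that cannot appear in the values, or length-prefixing each field.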