# HG changeset patch # User Adam Domurad # Date 1370635513 14400 # Node ID adaba1e22d66a705d3bf3c733ecbf7a3d856f9c3 # Parent f9a77057c5244f634f4cf58ea1f989a1b7399b92 Fix PR1465 - java.io.FileNotFoundException while trying to download a JAR file diff -r f9a77057c524 -r adaba1e22d66 ChangeLog --- a/ChangeLog Thu Jun 06 17:08:19 2013 +0200 +++ b/ChangeLog Fri Jun 07 16:05:13 2013 -0400 @@ -1,3 +1,16 @@ +2013-06-07 Adam Domurad + + Fix PR1465 + * NEWS: Bug fix note + * netx/net/sourceforge/jnlp/util/UrlUtils.java + (isValidRFC2396Url): New, tests if valid URL by RFC2396 rules + (normalizeUrl): Don't normalize if valid by RFC2396 + * tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java: + Adapt which URLs we expect to change when normalizing URLs + * tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java: + (testIsValidRFC2396Url): New, tests isValidRFC2396Url + (testNormalizeUrl): Add new test with valid RFC2396 URL + 2013-06-06 Jiri Vanek Made all tests running wit junit4.10 and higher diff -r f9a77057c524 -r adaba1e22d66 NEWS --- a/NEWS Thu Jun 06 17:08:19 2013 +0200 +++ b/NEWS Fri Jun 07 16:05:13 2013 -0400 @@ -9,6 +9,8 @@ CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY New in release 1.4.1 (2013-XX-YY): +* NetX + - PR1465 - java.io.FileNotFoundException while trying to download a JAR file * Plugin - PR854: Resizing an applet several times causes 100% CPU load diff -r f9a77057c524 -r adaba1e22d66 netx/net/sourceforge/jnlp/util/UrlUtils.java --- a/netx/net/sourceforge/jnlp/util/UrlUtils.java Thu Jun 06 17:08:19 2013 +0200 +++ b/netx/net/sourceforge/jnlp/util/UrlUtils.java Fri Jun 07 16:05:13 2013 -0400 
@@ -86,16 +86,29 @@ } } + /* Use the URI syntax check of 'toURI' to see if it matches RFC2396. + * See http://www.ietf.org/rfc/rfc2396.txt */ + public static boolean isValidRFC2396Url(URL url) { + try { + url.toURI(); + return true; + } catch (URISyntaxException e) { + return false; + } + } + /* Ensure a URL is properly percent-encoded. * Certain usages require local-file URLs to be encoded, eg for code-base & document-base. */ public static URL normalizeUrl(URL url, boolean encodeFileUrls) throws MalformedURLException, UnsupportedEncodingException, URISyntaxException { if (url == null) { return null; } + String protocol = url.getProtocol(); boolean shouldEncode = (encodeFileUrls || !"file".equals(protocol)); - if (protocol == null || !shouldEncode || url.getPath() == null) { + // PR1465: We should not call 'URLDecoder.decode' on RFC2396-compliant URLs + if (protocol == null || !shouldEncode || url.getPath() == null || isValidRFC2396Url(url)) { return url; } diff -r f9a77057c524 -r adaba1e22d66 tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java --- a/tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java Thu Jun 06 17:08:19 2013 +0200 +++ b/tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java Fri Jun 07 16:05:13 2013 -0400 @@ -80,7 +80,7 @@ Assert.assertFalse("url " + i + " must be normalized (and so not equals) too normalized url " + i, u[i].equals(n[i])); } } - public static final int CHANGE_BORDER = 6; + public static final int CHANGE_BORDER = 8; public static URL[] getUrls() throws MalformedURLException { URL[] u = { 
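Review bot: `isValidRFC2396Url` is looser than its name says, because `URL.toURI()` goes through `java.net.URI`, whose parser documents a deviation from RFC 2396 and accepts raw non-ASCII characters. With the new `|| isValidRFC2396Url(url)` short-circuit in `normalizeUrl`, such a URL is returned without percent-encoding, and a URL that is already escaped (for example one containing `%2F` or `%41`) is returned as given rather than brought to one canonical spelling. If callers compare normalized URLs for code-base or cache decisions (they are not visible in this hunk), two spellings of the same resource may now compare unequal, which is worth confirming. A stricter check inside the existing try block is `return url.toURI().toASCIIString().equals(url.toString());`. The body of `normalizeUrl` continues outside the hunk.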
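Review bot: `CHANGE_BORDER` is a hand-maintained index that has to match the position of the `/*changing*/` marker in `getUrls()`, and nothing in the code ties the two together. This commit edits both by hand, with the marker moving in the following hunk (`@@ -91,9 +91,9 @@`). A comment on the constant would make the coupling explicit, e.g. `// index of the first URL in getUrls() that normalizeUrl must change; keep in sync with the /*changing*/ marker`. The `Spaces%20Can%20Be%20Everyw%2Fhere1.jnlp` entry moves into the unchanged group, so an encoded slash now survives normalization; a one-line comment that this is intended for PR1465 would help later readers. The `getUrls()` array starts and ends outside these hunks, so the index itself cannot be checked from here.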
@@ -91,9 +91,9 @@ new URL("http:///SpacesCanBeEverywhere1.jnlp"), new URL("file://localhost/home/jvanek/Desktop/icedtea-web/tests.build/jnlp_test_server/Spaces can be everywhere2.jnlp"), new URL("http://localhost:44321/testpage.jnlp?applicationID=25"), - /*changing*/ new URL("http://localhost:44321/Spaces%20Can%20Be%20Everyw%2Fhere1.jnlp"), new URL("http://localhost/Spaces+Can+Be+Everywhere1.jnlp"), + /*changing*/ new URL("http://localhost/SpacesC anBeEverywhere1.jnlp?a=5&b=10#df"), new URL("http:///oook.jnlp?a=5&b=ahoj šš dd#df"), new URL("http://localhost/Spacesěčšžšřýžčřú can !@^*(){}[].jnlp?a=5&ahoj šš dd#df"), diff -r f9a77057c524 -r adaba1e22d66 tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java --- a/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java Thu Jun 06 17:08:19 2013 +0200 +++ b/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java Fri Jun 07 16:05:13 2013 -0400 @@ -39,8 +39,11 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; import java.io.File; +import java.net.MalformedURLException; +import java.net.URISyntaxException; import java.net.URL; import org.junit.Test; 
@@ -95,6 +98,27 @@ // Test file URL with file URL encoding turned on assertEquals("file://example/%20test", UrlUtils.normalizeUrl(new URL("file://example/ test"), true).toString()); + + // PR1465: Test that RFC2396-compliant URLs are not touched + // Example taken from bug report: http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1465 + String rfc2396Valid = "https://example.com/,DSID=64c19c5b657df383835706571a7c7216,DanaInfo=example.com,CT=java+JICAComponents/JICA-sicaN.jar"; + assertEquals(rfc2396Valid, + UrlUtils.normalizeUrl(new URL(rfc2396Valid)).toString()); + } + + @Test + public void testIsValidRFC2396Url() throws Exception { + String rfc2396Valid = "https://example.com/,foo=bar+baz/JICA-sicaN.jar"; + assertTrue(UrlUtils.isValidRFC2396Url(new URL(rfc2396Valid))); + + // These should invalidate the URL + // See http://www.ietf.org/rfc/rfc2396.txt (2.4.3. Excluded US-ASCII Characters) + char[] invalidCharacters = {'<', '>', '%', '"', }; + for (char chr : invalidCharacters) { + assertFalse("validation failed with '" + chr + "'",UrlUtils.isValidRFC2396Url(new URL(rfc2396Valid + chr))); + } + //special test for space inisde. Space at the end can be trimmed + assertFalse("validation failed with '" + ' ' + "'",UrlUtils.isValidRFC2396Url(new URL("https://example.com/,foo=bar+ba z/JICA-sicaN.jar"))); } @Test @@ -116,4 +140,4 @@ assertEquals(testFile, UrlUtils.decodeUrlAsFile(encodedUrl)); } } -} \ No newline at end of file +}
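Review bot: The failure messages in `testIsValidRFC2396Url` read backwards, since `assertFalse("validation failed with '" + chr + "'", ...)` fires when the URL was accepted. A message such as `"URL containing '" + chr + "' must be rejected"` says what actually went wrong. The loop only appends each character to the end of the URL, so `%` is covered only as a dangling escape. An `assertTrue` case with a well-formed escape such as `%20`, and a case with a raw non-ASCII character in the path, would pin down what `toURI()` really accepts and therefore what `normalizeUrl` now leaves untouched. `testNormalizeUrl` begins outside this hunk.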