changeset 1025:ecdb5af1e069
Backported fix for NPE in CertWarningDialog for HTTPS certs
2014-11-05 Andrew Azores <aazores@redhat.com>
* netx/net/sourceforge/jnlp/resources/Messages.properties
(CertWarnHTTPSAcceptTip, CertWarnHTTPSRejectTip): new messages more
applicable for HTTPS cert warning dialogs
* netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java:
distinguish between HTTPS cert warnings and signed applet cert warnings.
Display appropriate text labels and buttons corresponding to either case.
* netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java:
If any of file, securityDelegate, or linkedButton are null, simply
disable this component and do not add component listeners dependent upon
these fields. Also, do not add multiple groups of permissions, and do not
add the permissions to the securityDelegate until the linkedButton is
actually clicked (rather than when the menu item is clicked)
author | Andrew Azores <aazores@redhat.com> |
---|---|
date | Thu, 06 Nov 2014 14:16:48 -0500 |
parents | 0dcef5344b23 |
children | 54dc720a11fc |
files | ChangeLog netx/net/sourceforge/jnlp/resources/Messages.properties netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java |
diffstat | 4 files changed, 73 insertions(+), 12 deletions(-) [+] |
--- a/ChangeLog Tue Nov 04 17:13:34 2014 +0100
+++ b/ChangeLog Thu Nov 06 14:16:48 2014 -0500
@@ -1,3 +1,18 @@
+2014-11-05 Andrew Azores <aazores@redhat.com>
+
+ * netx/net/sourceforge/jnlp/resources/Messages.properties
+ (CertWarnHTTPSAcceptTip, CertWarnHTTPSRejectTip): new messages more
+ applicable for HTTPS cert warning dialogs
+ * netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java:
+ distinguish between HTTPS cert warnings and signed applet cert warnings.
+ Display appropriate text labels and buttons corresponding to either case.
+ * netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java:
+ If any of file, securityDelegate, or linkedButton are null, simply
+ disable this component and do not add component listeners dependent upon
+ these fields. Also, do not add multiple groups of permissions, and do not
+ add the permissions to the securityDelegate until the linkedButton is
+ actually clicked (rather than when the menu item is clicked)
+
 2014-10-21 Jiri Vanek <jvanek@redhat.com>
 
 Fixed case when already decoded file is wonted from cache (RH1154177)
--- a/netx/net/sourceforge/jnlp/resources/Messages.properties Tue Nov 04 17:13:34 2014 +0100 +++ b/netx/net/sourceforge/jnlp/resources/Messages.properties Thu Nov 06 14:16:48 2014 -0500 @@ -25,6 +25,8 @@ CertWarnCancelTip=Do not run this applet CertWarnPolicyTip=Advanced sandbox settings CertWarnPolicyEditorItem=Launch PolicyEditor +CertWarnHTTPSAcceptTip=Accept this certificate and trust the HTTPS connection +CertWarnHTTPSRejectTip=Do not accept this certificate and do not establish the HTTPS connection AFileOnTheMachine=a file on the machine AlwaysAllowAction=Always allow this action
--- a/netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java Tue Nov 04 17:13:34 2014 +0100 +++ b/netx/net/sourceforge/jnlp/security/dialogs/CertWarningPane.java Thu Nov 06 14:16:48 2014 -0500 @@ -224,7 +224,8 @@ infoPanel.add(nameLabel); infoPanel.add(publisherLabel); - if (!(certVerifier instanceof HttpsCertVerifier)) { + final boolean isHttpsCertTrustDialog = certVerifier instanceof HttpsCertVerifier; + if (!isHttpsCertTrustDialog) { infoPanel.add(fromLabel); } @@ -233,15 +234,34 @@ //run and cancel buttons buttonPanel = new JPanel(new FlowLayout(FlowLayout.RIGHT)); - run = new JButton(R("ButRun")); + run = new JButton(); + if (isHttpsCertTrustDialog) { + run.setText(R("ButYes")); + } else { + run.setText(R("ButRun")); + } sandbox = new JButton(R("ButSandbox")); advancedOptions = new TemporaryPermissionsButton(file, securityDelegate, sandbox); - cancel = new JButton(R("ButCancel")); - run.setToolTipText(R("CertWarnRunTip")); + cancel = new JButton(); + if (isHttpsCertTrustDialog) { + cancel.setText(R("ButNo")); + } else { + cancel.setText(R("ButCancel")); + } + + if (isHttpsCertTrustDialog) { + run.setToolTipText(R("CertWarnHTTPSAcceptTip")); + } else { + run.setToolTipText(R("CertWarnRunTip")); + } sandbox.setToolTipText(R("CertWarnSandboxTip")); advancedOptions.setToolTipText(R("CertWarnPolicyTip")); - cancel.setToolTipText(R("CertWarnCancelTip")); + if (isHttpsCertTrustDialog) { + cancel.setToolTipText(R("CertWarnHTTPSRejectTip")); + } else { + cancel.setToolTipText(R("CertWarnCancelTip")); + } alwaysTrust.addActionListener(new ButtonDisableListener(sandbox)); int buttonWidth = Math.max(run.getMinimumSize().width, 
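Review bot: The `@@ -233,15 +234,34 @@` hunk tests `isHttpsCertTrustDialog` four separate times to set the text and tooltip of `run` and `cancel`; a single `if`/`else` that configures both buttons would keep the HTTPS wording and the signed-applet wording from drifting apart in later edits. In the HTTPS case the buttons carry only `ButYes`/`ButNo`, and the statement of what is being accepted sits in the tooltip, so the meaning of the affirmative button depends on question text elsewhere in the dialog; for a certificate-trust prompt a label that names the action is harder to misread. `advancedOptions` is also still constructed for HTTPS dialogs even though the `@@ -266,11 +286,12 @@` hunk never adds it to the panel. The enclosing method starts and ends outside the hunk.

```java
run = new JButton();
cancel = new JButton();
if (isHttpsCertTrustDialog) {
    run.setText(R("ButYes"));
    run.setToolTipText(R("CertWarnHTTPSAcceptTip"));
    cancel.setText(R("ButNo"));
    cancel.setToolTipText(R("CertWarnHTTPSRejectTip"));
} else {
    run.setText(R("ButRun"));
    run.setToolTipText(R("CertWarnRunTip"));
    cancel.setText(R("ButCancel"));
    cancel.setToolTipText(R("CertWarnCancelTip"));
}
// … unchanged: sandbox / advancedOptions construction and their tooltips …
```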
@@ -266,11 +286,12 @@ initialFocusComponent = cancel; buttonPanel.add(run); - // file will be null iff this dialog is being called from VariableX509TrustManager. - // In this case, the "sandbox" button does not make any sense, as we are asking - // the user if they trust some certificate that is not being used to sign an app. - // Since there is no app, there is nothing to run sandboxed. - if (file != null) { + // Only iff this dialog is being invoked by VariableX509TrustManager. + // In this case, the "sandbox" button and temporary permissions do not make any sense, + // as we are asking the user if they trust some certificate that is not being used to sign an app + // (eg "do you trust this certificate presented for the HTTPS connection to the applet's host site") + // Since this dialog isn't talking about an applet/application, there is nothing to run sandboxed. + if (!isHttpsCertTrustDialog) { buttonPanel.add(sandbox); buttonPanel.add(advancedOptions); }
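Review bot: The guard around `buttonPanel.add(sandbox)` no longer checks `file`, so a non-HTTPS dialog reached with `file == null` would now show the Sandbox button beside a disabled `advancedOptions`; whether the sandbox action copes with a null file is not visible in this hunk. If the removed comment's invariant (file is null iff the caller is VariableX509TrustManager) still holds, state it in the new comment; otherwise keep both conditions, `if (!isHttpsCertTrustDialog && file != null) {`. The new comment's opening, "Only iff this dialog is being invoked by VariableX509TrustManager.", is a fragment with no subject; if the intent is what it appears to be, `// isHttpsCertTrustDialog is true only when this dialog is invoked by VariableX509TrustManager.` reads unambiguously. The enclosing method continues outside the hunk.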
--- a/netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java Tue Nov 04 17:13:34 2014 +0100 +++ b/netx/net/sourceforge/jnlp/security/dialogs/TemporaryPermissionsButton.java Thu Nov 06 14:16:48 2014 -0500 @@ -48,6 +48,7 @@ import java.net.URL; import java.security.Permission; import java.util.Collection; +import java.util.HashSet; import javax.swing.JButton; import javax.swing.JMenuItem; @@ -59,6 +60,7 @@ import net.sourceforge.jnlp.runtime.JNLPRuntime; import net.sourceforge.jnlp.security.policyeditor.PolicyEditor; import net.sourceforge.jnlp.security.policyeditor.PolicyEditor.PolicyEditorWindow; +import net.sourceforge.jnlp.util.logging.OutputController; public class TemporaryPermissionsButton extends JButton { 
@@ -67,15 +69,35 @@ private PolicyEditorWindow policyEditorWindow = null; private final JNLPFile file; private final SecurityDelegate securityDelegate; + private final Collection<Permission> temporaryPermissions = new HashSet<Permission>(); public TemporaryPermissionsButton(final JNLPFile file, final SecurityDelegate securityDelegate, final JButton linkedButton) { + /* If any of the above parameters are null, then the button cannot function - in particular, a null SecurityDelegate + * would prevent temporary permissions from being able to be added; a null JNLPFile would prevent PolicyEditor from + * being launched with a sensible codebase for the current applet; and a null JButton would prevent the Sandbox button + * from being automatically invoked when a set of temporary permissions are selected by the user. + */ super("\u2630"); this.menu = createPolicyPermissionsMenu(); this.linkedButton = linkedButton; this.file = file; this.securityDelegate = securityDelegate; - addMouseListener(new PolicyEditorPopupListener(this)); + if (file == null || securityDelegate == null || linkedButton == null) { + this.setEnabled(false); + OutputController.getLogger().log(OutputController.Level.MESSAGE_DEBUG, "Temporary Permissions Button disabled due to null fields." + + " file: " + file + + ", securityDelegate: " + securityDelegate + + ", linkedButton: " + linkedButton); + } else { + linkedButton.addActionListener(new ActionListener() { + @Override + public void actionPerformed(final ActionEvent e) { + securityDelegate.addPermissions(temporaryPermissions); + } + }); + addMouseListener(new PolicyEditorPopupListener(this)); + } } private JPopupMenu createPolicyPermissionsMenu() { @@ -144,7 +166,8 @@ @Override public void actionPerformed(final ActionEvent e) { - securityDelegate.addPermissions(permissions); + temporaryPermissions.clear(); + temporaryPermissions.addAll(permissions); menu.setVisible(false); if (linkedButton != null) { linkedButton.doClick();
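Review bot: The listener added to `linkedButton` in the constructor hunk hands the live `temporaryPermissions` set to `securityDelegate.addPermissions` and never empties it, while the `@@ -144,7 +166,8 @@` hunk relies on `linkedButton.doClick()` to deliver the selection immediately. `doClick()` fires no action on a disabled button, and CertWarningPane attaches a `ButtonDisableListener` to the same sandbox button, so it looks possible for a chosen permission group to stay pending and be granted by a later plain click on Sandbox. Passing a copy and clearing afterwards, `securityDelegate.addPermissions(new HashSet<Permission>(temporaryPermissions)); temporaryPermissions.clear();`, ties the grant to the click that follows the selection and avoids sharing a set that is mutated later. Swing does not guarantee the order in which a button's action listeners run, so it is worth confirming that this listener runs before any handler (not visible here) that acts on the user's choice. The block comment placed above `super(...)` describes the parameters and would serve better as Javadoc on the constructor.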