changeset 255:6ffc4d00a43f

Allows trusted application to access PersistenceService data from other hosts.
author Saad Mohammad <smohammad@redhat.com>
date Thu, 09 Jun 2011 17:11:34 -0400
parents 179a8db14d70
children 6b46e55a8854
files AUTHORS ChangeLog netx/net/sourceforge/jnlp/services/ServiceUtil.java netx/net/sourceforge/jnlp/services/XPersistenceService.java
diffstat 4 files changed, 68 insertions(+), 34 deletions(-) [+]
--- a/AUTHORS	Thu Jun 09 13:26:39 2011 -0400
+++ b/AUTHORS	Thu Jun 09 17:11:34 2011 -0400
@@ -11,6 +11,7 @@
 DJ Lucas <dj@lucasit.com>
 Omair Majid <omajid@redhat.com>
 Jon A. Maxwell <jmaxwell@users.sourceforge.net>
+Saad Mohammad <smohammad@redhat.com>
 Andrew Su <asu@redhat.com>
 Joshua Sumali <jsumali@redhat.com>
 Mark Wielaard <mark@klomp.org>
--- a/ChangeLog	Thu Jun 09 13:26:39 2011 -0400
+++ b/ChangeLog	Thu Jun 09 17:11:34 2011 -0400
@@ -1,3 +1,14 @@
+2011-06-08  Saad Mohammad  <smohammad@redhat.com>
+
+	* AUTHORS: Updated
+	* netx/net/sourceforge/jnlp/services/ServiceUtil.java
+	(checkAccess): Moved the process of checking if the application is a trusted
+	application to a new method called isSigned().
+	* netx/net/sourceforge/jnlp/services/XPersistenceService.java
+	(checkLocation): Allows trusted application to have access to
+	PersistenceService data from different hosts. It uses ServiceUtil.isSigned() 
+	to determine if the current application is a trusted application.
+
 2011-06-08  Andrew Su  <asu@redhat.com>
 
 	* NEWS: Updated.
--- a/netx/net/sourceforge/jnlp/services/ServiceUtil.java	Thu Jun 09 13:26:39 2011 -0400
+++ b/netx/net/sourceforge/jnlp/services/ServiceUtil.java	Thu Jun 09 17:11:34 2011 -0400
@@ -235,41 +235,15 @@
     public static boolean checkAccess(ApplicationInstance app, AccessType type,
                 Object... extras) {
 
-        if (app == null)
-            app = JNLPRuntime.getApplication();
-
-        boolean codeTrusted = true;
-
-        StackTraceElement[] stack = Thread.currentThread().getStackTrace();
-
-        for (int i = 0; i < stack.length; i++) {
-
-            Class c = null;
+        boolean trusted = isSigned(app);
 
-            try {
-                c = Class.forName(stack[i].getClassName());
-            } catch (Exception e1) {
-                try {
-                    c = Class.forName(stack[i].getClassName(), false, app.getClassLoader());
-                } catch (Exception e2) {
-                    System.err.println(e2.getMessage());
-                }
-            }
-
-            // Everything up to the desired class/method must be trusted
-            if (c == null || // class not found
-                    (c.getProtectionDomain().getCodeSource() != null && // class is not in bootclasspath
-                    c.getProtectionDomain().getCodeSource().getCodeSigners() == null) // class is trusted
-            ) {
-                codeTrusted = false;
-            }
-        }
-
-        if (!codeTrusted) {
+        if (!trusted) {
 
             if (!shouldPromptUser()) {
                 return false;
             }
+            if (app == null)
+                app = JNLPRuntime.getApplication();
 
             final AccessType tmpType = type;
             final Object[] tmpExtras = extras;
@@ -307,5 +281,48 @@
             }
         });
     }
+    
+    /**
+     * Returns whether the app requesting a JNLP service is a trusted
+     * application
+     * 
+     * @param app
+     *            the application which is requesting the check. If null, the
+     *            current application is used.
+     * @return true, if the app is a trusted application; false otherwise
+     */
+
+    public static boolean isSigned(ApplicationInstance app) {
+
+        if (app == null)
+            app = JNLPRuntime.getApplication();
+
+        StackTraceElement[] stack = Thread.currentThread().getStackTrace();
+
+        for (int i = 0; i < stack.length; i++) {
+
+            Class c = null;
+
+            try {
+                c = Class.forName(stack[i].getClassName());
+            } catch (Exception e1) {
+                try {
+                    c = Class.forName(stack[i].getClassName(), false,
+                            app.getClassLoader());
+                } catch (Exception e2) {
+                    System.err.println(e2.getMessage());
+                }
+            }
+
+            // Everything up to the desired class/method must be trusted
+            if (c == null || // class not found
+                    (c.getProtectionDomain().getCodeSource() != null && // class is not in bootclasspath
+                    c.getProtectionDomain().getCodeSource().getCodeSigners() == null) // class is trusted
+            ) {
+                return false;
+            }
+        }
+        return true;
+    }
 
 }
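Review bot: isSigned() is documented as reporting a "trusted application", but the loop only asks whether each class's CodeSource has code signers attached (`getCodeSigners() == null`), and the trailing comment `// class is trusted` sits on the condition that marks a class as untrusted. Now that the method is public and gates the host and path checks in XPersistenceService.checkLocation, the Javadoc should say exactly what is verified, for example `Returns true only if every class on the calling thread's stack is from the bootclasspath or carries code signers; signer certificates are not validated here`, and the inline comment should read `// class has no code signers`. Whether the class loader attaches signers only after the certificate has been accepted is not visible in this hunk, so that assumption deserves a sentence in the Javadoc as well. Separately, if no application can be resolved, `app.getClassLoader()` throws a NullPointerException that the broad `catch (Exception e2)` reduces to a bare `null` on stderr; an explicit null check on `app` before the second `Class.forName` would make that fail-closed outcome deliberate.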
--- a/netx/net/sourceforge/jnlp/services/XPersistenceService.java	Thu Jun 09 13:26:39 2011 -0400
+++ b/netx/net/sourceforge/jnlp/services/XPersistenceService.java	Thu Jun 09 17:11:34 2011 -0400
@@ -52,9 +52,12 @@
             throw new MalformedURLException("Cannot determine the current application.");
 
         URL source = app.getJNLPFile().getCodeBase();
+        
+        if (!source.getHost().equalsIgnoreCase(location.getHost())
+                && !ServiceUtil.isSigned(app)) // Allow trusted application to have access to data from a different host
+            throw new MalformedURLException(
+                    "Untrusted application cannot access data from a different host.");
 
-        if (!source.getHost().equalsIgnoreCase(location.getHost()))
-            throw new MalformedURLException("Cannot access data from a different host.");
 
         // test for above codebase, not perfect but works for now
 
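Review bot: The host check calls `ServiceUtil.isSigned(app)` inline and the path check in the later hunk of this file calls it again, so a single checkLocation call can walk the stack and resolve every frame's class twice. Evaluating it once, `final boolean trusted = ServiceUtil.isSigned(app);`, and testing `!trusted` in both conditions keeps the two decisions consistent and gives one place for a comment stating that signed applications bypass both the host and the path restriction. The comparison itself still looks only at `getHost()`, so for unsigned applications the scheme and port of `location` are not part of the decision; if the stored data is keyed by more than the host name, that is worth a comment here. checkLocation begins and ends outside this hunk.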
@@ -69,8 +72,10 @@
             System.out.println("request path: " + requestPath);
         }
 
-        if (!source.getFile().startsWith(requestPath))
-            throw new MalformedURLException("Cannot access data below source URL path.");
+        if (!source.getFile().startsWith(requestPath) 
+                && !ServiceUtil.isSigned(app)) // Allow trusted application to have access to data below source URL path
+            throw new MalformedURLException(
+                    "Cannot access data below source URL path.");
     }
 
     /**
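Review bot: The message thrown at the path check was left as "Cannot access data below source URL path." although the host check in the previous hunk was reworded to begin with "Untrusted application". Both refusals now apply only to callers for which isSigned() returns false, so the two messages should match, e.g. `"Untrusted application cannot access data below source URL path."`, letting anyone reading the error tell a trust-based denial from a malformed request. The start of checkLocation, including how `requestPath` is derived, lies outside this hunk.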