changeset 1293:1a1cbf3b1123

Fixed ArrayIndexOutOfBound in version cornercase issue * netx/net/sourceforge/jnlp/security/appletextendedsecurity/impl/UnsignedAppletActionStorageImpl.java: length of array is checked, * tests/netx/unit/net/sourceforge/jnlp/security/appletextendedsecurity/impl/VersionRestrictionTest.java: added tests for this case
author Jiri Vanek <jvanek@redhat.com>
date Thu, 03 Sep 2015 15:10:54 +0200
parents 5ddfe3e389ab
children ea6efa916c4b
files ChangeLog netx/net/sourceforge/jnlp/security/appletextendedsecurity/impl/UnsignedAppletActionStorageImpl.java tests/netx/unit/net/sourceforge/jnlp/security/appletextendedsecurity/impl/VersionRestrictionTest.java
diffstat 3 files changed, 50 insertions(+), 6 deletions(-) [+]
--- a/ChangeLog	Thu Sep 03 14:55:14 2015 +0200
+++ b/ChangeLog	Thu Sep 03 15:10:54 2015 +0200
@@ -1,3 +1,11 @@
+2015-09-03  Jiri Vanek  <jvanek@redhat.com>
+
+	Fixed ArrayIndexOutOfBound in version cornercase issue
+	* netx/net/sourceforge/jnlp/security/appletextendedsecurity/impl/UnsignedAppletActionStorageImpl.java:
+	length of array is checked,
+	* tests/netx/unit/net/sourceforge/jnlp/security/appletextendedsecurity/impl/VersionRestrictionTest.java:
+	added tests for this case
+
 2015-09-03  Jiri Vanek  <jvanek@redhat.com>
 
 	Added identificator to .appletTrustSettings to specify version of file
--- a/netx/net/sourceforge/jnlp/security/appletextendedsecurity/impl/UnsignedAppletActionStorageImpl.java	Thu Sep 03 14:55:14 2015 +0200
+++ b/netx/net/sourceforge/jnlp/security/appletextendedsecurity/impl/UnsignedAppletActionStorageImpl.java	Thu Sep 03 15:10:54 2015 +0200
@@ -90,8 +90,7 @@
     protected void readLine(String line) {
         if (line.trim().length() != 0) {
             lineCounter++;
-            //note, there is an sapce at the beggining of  versionPreffix
-            if (line.startsWith(versionPreffix)) {
+            if (line.startsWith(versionPreffix) && line.trim().split("\\s+").length > 1) {
                 if (readVersion == null) {
                     readVersion = line.trim();
                     actOnVersionLoad();
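Review bot: The bounds check added to the condition in `readLine` is the only thing protecting the `readVersion.split("\\s+")[1]` index in `actOnVersionLoad`, and the second hunk of this file removes the comment there without replacing it, so the invariant is now undocumented at the point of use. I would add `// readLine() stores readVersion only when the trimmed line has a second whitespace-separated token` above the `split` in `actOnVersionLoad`, or split once in `readLine` and keep the token. The condition also tests `startsWith` on the untrimmed line but splits the trimmed one, so a header with leading whitespace is presumably not recognised as a version line. A header that fails the new check is handled by code after this `if`, which is outside the hunk; since this file appears to hold remembered applet trust decisions, that path is worth a logged warning rather than a silent skip.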
@@ -281,8 +280,6 @@
     }
 
     private void actOnVersionLoad() {
-        //note, there is an sapce at the beggining of  versionPreffix
-        //so inut have always length at least 2
         String versionS = readVersion.split("\\s+")[1];
         int version = 0;
         try{
--- a/tests/netx/unit/net/sourceforge/jnlp/security/appletextendedsecurity/impl/VersionRestrictionTest.java	Thu Sep 03 14:55:14 2015 +0200
+++ b/tests/netx/unit/net/sourceforge/jnlp/security/appletextendedsecurity/impl/VersionRestrictionTest.java	Thu Sep 03 15:10:54 2015 +0200
@@ -55,7 +55,7 @@
 import org.junit.Before;
 import org.junit.Test;
 
-public class VersionRestrictionTest extends  NoStdOutErrTest{
+public class VersionRestrictionTest extends NoStdOutErrTest {
 
     private static File testFile;
     private static final SavedRememberAction sra = new SavedRememberAction(ExecuteAppletAction.ALWAYS, "NO");
@@ -90,7 +90,7 @@
 
             @Override
             public boolean accept(File dir, String name) {
-                return name.matches(testFile.getName() + "\\.[0123456789]+"+UnsignedAppletActionStorageImpl.BACKUP_SUFFIX);
+                return name.matches(testFile.getName() + "\\.[0123456789]+" + UnsignedAppletActionStorageImpl.BACKUP_SUFFIX);
             }
         });
         return f;
@@ -139,6 +139,45 @@
     }
 
     @Test
+    public void numberFormatExceptionInOnInLoad2() throws IOException {
+        ServerAccess.saveFile("#VERSION\n"
+                + "cN:N{YES}; 1 \\Qhttp://some.url/\\E \\Qhttp://some.url/\\E jar.jar", testFile);
+        UnsignedAppletActionStorageImpl i1 = new UnsignedAppletActionStorageImpl(testFile);
+        i1.readContents();
+        Assert.assertEquals(0, i1.items.size());
+        i1.add(aq);
+        i1.readContents();
+        Assert.assertEquals(1, i1.items.size());
+        checkBackupFile(true, 0);
+    }
+
+    @Test
+    public void numberFormatExceptionInOnInLoad3() throws IOException {
+        ServerAccess.saveFile("#VERSION \n"
+                + "cN:N{YES}; 1 \\Qhttp://some.url/\\E \\Qhttp://some.url/\\E jar.jar", testFile);
+        UnsignedAppletActionStorageImpl i1 = new UnsignedAppletActionStorageImpl(testFile);
+        i1.readContents();
+        Assert.assertEquals(0, i1.items.size());
+        i1.add(aq);
+        i1.readContents();
+        Assert.assertEquals(1, i1.items.size());
+        checkBackupFile(true, 0);
+    }
+
+    @Test
+    public void numberFormatExceptionInOnInLoad4() throws IOException {
+        ServerAccess.saveFile("#VERSION                \n"
+                + "cN:N{YES}; 1 \\Qhttp://some.url/\\E \\Qhttp://some.url/\\E jar.jar", testFile);
+        UnsignedAppletActionStorageImpl i1 = new UnsignedAppletActionStorageImpl(testFile);
+        i1.readContents();
+        Assert.assertEquals(0, i1.items.size());
+        i1.add(aq);
+        i1.readContents();
+        Assert.assertEquals(1, i1.items.size());
+        checkBackupFile(true, 0);
+    }
+
+    @Test
     public void correctLoad() throws IOException {
         ServerAccess.saveFile("#VERSION 2\n"
                 + "cN:N{YES}; 1 \\Qhttp://some.url/\\E \\Qhttp://some.url/\\E jar.jar", testFile);
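Review bot: The three added tests are named `numberFormatExceptionInOnInLoad2`/`3`/`4`, but their inputs (`#VERSION` with no token, one trailing space, many trailing spaces) exercise the missing-token case this commit fixes, not a number-format failure, so the names mislead. The bodies are identical except for the header string and would read better as one private helper called from three descriptively named tests, as sketched below. `aq`, `testFile` and `checkBackupFile` are defined outside the hunk and are used unchanged.

```java
// shared body for headers that carry no version token
private void checkHeaderWithoutVersionToken(String header) throws IOException {
    ServerAccess.saveFile(header + "\n"
            + "cN:N{YES}; 1 \\Qhttp://some.url/\\E \\Qhttp://some.url/\\E jar.jar", testFile);
    UnsignedAppletActionStorageImpl i1 = new UnsignedAppletActionStorageImpl(testFile);
    i1.readContents();
    Assert.assertEquals(0, i1.items.size());
    i1.add(aq);
    i1.readContents();
    Assert.assertEquals(1, i1.items.size());
    checkBackupFile(true, 0);
}

@Test
public void versionHeaderWithoutToken() throws IOException {
    checkHeaderWithoutVersionToken("#VERSION");
}

@Test
public void versionHeaderWithTrailingSpace() throws IOException {
    checkHeaderWithoutVersionToken("#VERSION ");
}

@Test
public void versionHeaderWithManyTrailingSpaces() throws IOException {
    checkHeaderWithoutVersionToken("#VERSION                ");
}

// … unchanged: correctLoad and the remaining tests …
```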