changeset 2006:e0e679b39351

RH645843, CVE-2010-3860: Don't expose system properties via public variables. 2010-11-11 Omair Majid <omajid@redhat.com> RH645843, CVE-2010-3860 * netx/net/sourceforge/jnlp/runtime/Boot.java, * netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java, * netx/net/sourceforge/jnlp/security/SecurityUtil.java, * netx/net/sourceforge/jnlp/services/SingleInstanceLock.java, * netx/net/sourceforge/jnlp/util/XDesktopEntry.java, * plugin/icedteanp/java/sun/applet/PluginMain.java: Fix exposure of system properties.
author Andrew John Hughes <ahughes@redhat.com>
date Thu, 18 Nov 2010 13:23:54 +0000
parents 2eff7c2e01d1
children 89ccf12401c2
files ChangeLog plugin/icedteanp/java/sun/applet/PluginMain.java rt/net/sourceforge/jnlp/runtime/Boot.java rt/net/sourceforge/jnlp/runtime/JNLPRuntime.java rt/net/sourceforge/jnlp/security/SecurityUtil.java rt/net/sourceforge/jnlp/services/SingleInstanceLock.java rt/net/sourceforge/jnlp/util/XDesktopEntry.java
diffstat 7 files changed, 74 insertions(+), 32 deletions(-) [+]
--- a/ChangeLog	Thu Nov 18 13:01:47 2010 +0000
+++ b/ChangeLog	Thu Nov 18 13:23:54 2010 +0000
@@ -1,3 +1,14 @@
+2010-11-11  Omair Majid  <omajid@redhat.com>
+
+	RH645843, CVE-2010-3860
+	* netx/net/sourceforge/jnlp/runtime/Boot.java,
+	* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java,
+	* netx/net/sourceforge/jnlp/security/SecurityUtil.java,
+	* netx/net/sourceforge/jnlp/services/SingleInstanceLock.java,
+	* netx/net/sourceforge/jnlp/util/XDesktopEntry.java,
+	* plugin/icedteanp/java/sun/applet/PluginMain.java:
+	Fix exposure of system properties.
+
 2010-11-18  Andrew John Hughes  <ahughes@redhat.com>
 
 	* NEWS: Add 1.7.6.
--- a/plugin/icedteanp/java/sun/applet/PluginMain.java	Thu Nov 18 13:01:47 2010 +0000
+++ b/plugin/icedteanp/java/sun/applet/PluginMain.java	Thu Nov 18 13:23:54 2010 +0000
@@ -89,8 +89,8 @@
 {
 
     // the files where stdout/stderr are sent to
-    public static final String PLUGIN_STDERR_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stderr";
-    public static final String PLUGIN_STDOUT_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stdout";
+    static final String PLUGIN_STDERR_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stderr";
+    static final String PLUGIN_STDOUT_FILE = System.getProperty("user.home") + "/.icedteaplugin/java.stdout";
 
 	final boolean redirectStreams = System.getenv().containsKey("ICEDTEAPLUGIN_DEBUG");
 	static PluginStreamHandler streamHandler;
--- a/rt/net/sourceforge/jnlp/runtime/Boot.java	Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/runtime/Boot.java	Thu Nov 18 13:23:54 2010 +0000
@@ -230,8 +230,8 @@
      */
     private static String getAboutFile() {
 
-        if (new File(JNLPRuntime.NETX_ABOUT_FILE).exists())
-            return JNLPRuntime.NETX_ABOUT_FILE;
+        if (new File(JNLPRuntime.getAboutFile()).exists())
+            return JNLPRuntime.getAboutFile();
         else
             return null;
     }
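Review bot: `JNLPRuntime.getAboutFile()` is now called twice in `Boot.getAboutFile()`, once for the existence test and once for the return value, so the property access inside the new accessor runs twice. Reading it once into a local is clearer and ties the check and the returned path to the same value: `String aboutFile = JNLPRuntime.getAboutFile();` followed by `return new File(aboutFile).exists() ? aboutFile : null;`. The method's Javadoc starts outside the hunk.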
--- a/rt/net/sourceforge/jnlp/runtime/JNLPRuntime.java	Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/runtime/JNLPRuntime.java	Thu Nov 18 13:23:54 2010 +0000
@@ -105,42 +105,42 @@
     private static List<String> initialArguments;
 
     /** Username */
-    public static final String USER = System.getProperty("user.name");
+    private static final String USER = System.getProperty("user.name");
 
     /** User's home directory */
-    public static final String HOME_DIR = System.getProperty("user.home");
+    private static final String HOME_DIR = System.getProperty("user.home");
 
     /** the ~/.netxrc file containing netx settings */
-    public static final String NETXRC_FILE = HOME_DIR + File.separator + ".netxrc";
+    private static final String NETXRC_FILE = HOME_DIR + File.separator + ".netxrc";
 
     /** the ~/.netx directory containing user-specific data */
-    public static final String NETX_DIR = HOME_DIR + File.separator + ".netx";
+    private static final String NETX_DIR = HOME_DIR + File.separator + ".netx";
 
     /** the ~/.netx/security directory containing security related information */
-    public static final String SECURITY_DIR = NETX_DIR + File.separator + "security";
+    private static final String SECURITY_DIR = NETX_DIR + File.separator + "security";
 
     /** the ~/.netx/security/trusted.certs file containing trusted certificates */
-    public static final String CERTIFICATES_FILE = SECURITY_DIR + File.separator + "trusted.certs";
+    private static final String CERTIFICATES_FILE = SECURITY_DIR + File.separator + "trusted.certs";
 
     /** the /tmp/ directory used for temporary files */
-    public static final String TMP_DIR = System.getProperty("java.io.tmpdir");
+    private static final String TMP_DIR = System.getProperty("java.io.tmpdir");
 
     /**
      * the /tmp/$USER/netx/locks/ directory containing locks for single instance
      * applications
      */
-    public static final String LOCKS_DIR = TMP_DIR + File.separator + USER + File.separator
+    private static final String LOCKS_DIR = TMP_DIR + File.separator + USER + File.separator
             + "netx" + File.separator + "locks";
 
     /** the java.home directory */
-    public static final String JAVA_HOME_DIR = System.getProperty("java.home");
-    
+    private static final String JAVA_HOME_DIR = System.getProperty("java.home");
+
     /** the JNLP file to open to display the network-based about window */
-    public static final String NETX_ABOUT_FILE = JAVA_HOME_DIR + File.separator + "lib"
+    private static final String NETX_ABOUT_FILE = JAVA_HOME_DIR + File.separator + "lib"
             + File.separator + "about.jnlp";
 
-    
-    
+
+
     /**
      * Returns whether the JNLP runtime environment has been
      * initialized.  Once initialized, some properties such as the
@@ -558,7 +558,38 @@
     public static List<String> getInitialArguments() {
         return initialArguments;
     }
-    
+
+    /** Get the location of the certificate files user-level used by netx */
+    public static String getCertificatesFile() {
+        System.getProperty("user.home");
+        return CERTIFICATES_FILE;
+    }
+
+    /** Get the home directory */
+    public static String getHomeDir() {
+        System.getProperty("user.home");
+        return HOME_DIR;
+    }
+
+    /** Get the location of the about file */
+    public static String getAboutFile() {
+        System.getProperty("java.home");
+        return NETX_ABOUT_FILE;
+    }
+
+    /** Get the location of the locks directory */
+    public static String getLocksDir() {
+        System.getProperty("user.home");
+        System.getProperty("java.io.tmpdir");
+        return LOCKS_DIR;
+    }
+
+    /** Get the location of a temporary location */
+    public static String getTempDir() {
+        System.getProperty("java.io.tmpdir");
+        return TMP_DIR;
+    }
+
 }
 
 
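Review bot: `getLocksDir()` touches `user.home` and `java.io.tmpdir`, but `LOCKS_DIR` is built from `TMP_DIR` and `USER` (`user.name`) and never from the home directory. The returned path therefore discloses the user name without any access check on that property; the first call should be `System.getProperty("user.name");`. In all five accessors the discarded `System.getProperty(...)` result reads like dead code. It is presumably there so that a SecurityManager property-permission check runs against the caller before the cached value is returned, which should be confirmed and then stated in a comment such as `// forces the property-access check for the caller; result intentionally unused`, so a later cleanup does not remove the calls. The class body starts outside the hunk.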
--- a/rt/net/sourceforge/jnlp/security/SecurityUtil.java	Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/security/SecurityUtil.java	Thu Nov 18 13:23:54 2010 +0000
@@ -46,18 +46,18 @@
 
 public class SecurityUtil {
 
-	private static final char[] password = "changeit".toCharArray();
-	
-	public static String getTrustedCertsFilename() throws Exception{
-		
-		String homeDir = JNLPRuntime.HOME_DIR;
-		
-		if (homeDir == null) {
-			throw new Exception("Could not access home directory");
-		} else {
-			return JNLPRuntime.CERTIFICATES_FILE;
-		}
-	}
+    private static final char[] password = "changeit".toCharArray();
+
+    public static String getTrustedCertsFilename() throws Exception {
+
+        String homeDir = JNLPRuntime.getHomeDir();
+
+        if (homeDir == null) {
+            throw new Exception("Could not access home directory");
+        } else {
+            return JNLPRuntime.getCertificatesFile();
+        }
+    }
 	
 	public static char[] getTrustedCertsPassword() {
 		return password;
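Review bot: `getTrustedCertsPassword()` still hands out the private static `password` array itself, so any caller can overwrite its contents for every later user of the class. Returning a copy, `return password.clone();`, would keep the field private in effect as well as in name, which matches the intent of this commit. `getTrustedCertsFilename()` also declares and throws a bare `Exception`; a narrower type would be clearer, though changing the signature affects callers not visible here. The re-indented lines use spaces while the rest of the hunk still uses tabs, and the body of `getTrustedCertsPassword()` continues outside the hunk.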
--- a/rt/net/sourceforge/jnlp/services/SingleInstanceLock.java	Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/services/SingleInstanceLock.java	Thu Nov 18 13:23:54 2010 +0000
@@ -126,7 +126,7 @@
      * may or may not exist.
      */
     private File getLockFile() {
-        File baseDir = new File(JNLPRuntime.LOCKS_DIR);
+        File baseDir = new File(JNLPRuntime.getLocksDir());
 
         if (!baseDir.isDirectory() && !baseDir.mkdirs()) {
             throw new RuntimeException(R("RNoLockDir", baseDir));
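Review bot: `getLockFile()` accepts `baseDir` as soon as `isDirectory()` is true, and the Javadoc on `LOCKS_DIR` in JNLPRuntime describes that path as `/tmp/$USER/netx/locks/`, a predictable location under a shared temporary directory. Nothing visible in this hunk verifies that an already existing directory belongs to the current user or is not writable by others, so a directory created beforehand by another local account would be used as is. Consider checking ownership and permissions before using it, and creating it with owner-only access when it is missing. At minimum a comment should record the assumption, e.g. `// assumes the locks directory is only writable by the current user`. The method body continues outside the hunk.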
--- a/rt/net/sourceforge/jnlp/util/XDesktopEntry.java	Thu Nov 18 13:01:47 2010 +0000
+++ b/rt/net/sourceforge/jnlp/util/XDesktopEntry.java	Thu Nov 18 13:23:54 2010 +0000
@@ -131,7 +131,7 @@
      * Install this XDesktopEntry into the user's desktop as a launcher
      */
     private void installDesktopLauncher() {
-        File shortcutFile = new File(JNLPRuntime.TMP_DIR + File.separator
+        File shortcutFile = new File(JNLPRuntime.getTempDir() + File.separator
                 + FileUtils.sanitizeFileName(file.getTitle()) + ".desktop");
         try {