# HG changeset patch # User Denis Lila # Date 1298488299 18000 # Node ID 934d7afe1f5278f4142400fa6b2d9e0b23aba664 # Parent 326f7589d7e8d02f5d6cc1e361a0f0912e9e805e Fix for security exceptions when JPopupMenu sets always on top. diff -r 326f7589d7e8 -r 934d7afe1f52 ChangeLog --- a/ChangeLog Tue Feb 15 23:02:33 2011 +0000 +++ b/ChangeLog Wed Feb 23 14:11:39 2011 -0500 @@ -1,3 +1,12 @@ +2011-02-23 Denis Lila + + * Makefile.am: Added patches. + * NEWS: Updated. + * patches/openjdk/6675802-securityExceptions-applets.patch: + Get permissions before setting always on top. + * patches/openjdk/6691503-malicious-applet-always-on-top.patch: + Remove the fix above. Do nothing if SecurityException is thrown. + 2011-02-15 Andrew John Hughes * NEWS: Add 1.8.8 section. diff -r 326f7589d7e8 -r 934d7afe1f52 Makefile.am --- a/Makefile.am Tue Feb 15 23:02:33 2011 +0000 +++ b/Makefile.am Wed Feb 23 14:11:39 2011 -0500 @@ -373,7 +373,9 @@ patches/openjdk/6541476-png-iTXt-chunk.patch \ patches/openjdk/6782079-png_metadata_oom.patch \ patches/rh676659-gcc-export-dynamic.patch \ - patches/latent_jaxp_bug.patch + patches/latent_jaxp_bug.patch \ + patches/openjdk/6675802-securityExceptions-applets.patch \ + patches/openjdk/6691503-malicious-applet-always-on-top.patch if WITH_ALT_HSBUILD ICEDTEA_PATCHES += patches/hotspot/$(HSBUILD)/openjdk-6886353-ignore_deoptimizealot.patch \ diff -r 326f7589d7e8 -r 934d7afe1f52 NEWS --- a/NEWS Tue Feb 15 23:02:33 2011 +0000 +++ b/NEWS Wed Feb 23 14:11:39 2011 -0500 @@ -10,6 +10,10 @@ New in release 1.8.8 (20XX-XX-XX): +* Backports + - S6675802: Regression: heavyweight popups cause SecurityExceptions in applets + - S6691503: Malicious applet can show always-on-top popup menu which has whole screen size + New in release 1.8.7 (2011-02-15): * Security updates @@ -21,6 +25,8 @@ - S6985453, CVE-2010-4471: Java2D font-related system property leak - S6927050, CVE-2010-4470: JAXP untrusted component state manipulation - RH677332, CVE-2011-0706: Multiple signers privilege escalation + - S6675802: Regression: heavyweight popups cause SecurityExceptions in applets + - S6691503: Malicious applet can show always-on-top popup menu which has whole screen size * Bug fixes - RH676659: Pass -export-dynamic flag to linker using -Wl, as option in gcc 4.6+ is broken - Fix latent JAXP bug caused by missing import diff -r 326f7589d7e8 -r 934d7afe1f52 patches/openjdk/6675802-securityExceptions-applets.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/openjdk/6675802-securityExceptions-applets.patch Wed Feb 23 14:11:39 2011 -0500 @@ -0,0 +1,75 @@ +# HG changeset patch +# User mlapshin +# Date 1208528462 -14400 +# Node ID dd66920b2d51e33ca2157ab045117cc7c7f5f0c0 +# Parent 147803acf437b81e72e50236030f2bc9ac37caee +6675802: Regression: heavyweight popups cause SecurityExceptions in applets +Summary: The problem code in Popup class is surrounded by AccessController.doPrivileged() +Reviewed-by: alexp + +diff -r 147803acf437 -r dd66920b2d51 src/share/classes/javax/swing/Popup.java +--- openjdk.orig/jdk/src/share/classes/javax/swing/Popup.java Mon Apr 14 16:41:00 2008 +0400 ++++ openjdk/jdk/src/share/classes/javax/swing/Popup.java Fri Apr 18 18:21:02 2008 +0400 +@@ -229,7 +229,14 @@ + // Popups are typically transient and most likely won't benefit + // from true double buffering. Turn it off here. + getRootPane().setUseTrueDoubleBuffering(false); +- setAlwaysOnTop(true); ++ java.security.AccessController.doPrivileged( ++ new java.security.PrivilegedAction() { ++ public Object run() { ++ setAlwaysOnTop(true); ++ return null; ++ } ++ } ++ ); + } + + public void update(Graphics g) { +diff -r 147803acf437 -r dd66920b2d51 test/javax/swing/JPopupMenu/6675802/bug6675802.java +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ openjdk/jdk/test/javax/swing/JPopupMenu/6675802/bug6675802.java Fri Apr 18 18:21:02 2008 +0400 +@@ -0,0 +1,43 @@ ++/* ++ * Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++/* ++ * @test ++ * @bug 6675802 ++ * @summary Checks that there is no AccessControlException when ++ * a heaviweight popup menu is shown from an applet. ++ * @author Mikhail Lapshin ++ * @run main bug6675802 ++ */ ++ ++import javax.swing.*; ++ ++public class bug6675802 { ++ public static void main(String[] args) { ++ System.setSecurityManager(new SecurityManager()); ++ final JPopupMenu popupMenu = new JPopupMenu(); ++ popupMenu.add(new JMenuItem("Click")); ++ popupMenu.show(null, 0, 0); ++ System.out.println("Test passed"); ++ } ++} diff -r 326f7589d7e8 -r 934d7afe1f52 patches/openjdk/6691503-malicious-applet-always-on-top.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/openjdk/6691503-malicious-applet-always-on-top.patch Wed Feb 23 14:11:39 2011 -0500 @@ -0,0 +1,173 @@ +diff -r dd66920b2d51 src/share/classes/javax/swing/Popup.java +--- openjdk.orig/jdk/src/share/classes/javax/swing/Popup.java Fri Apr 18 18:21:02 2008 +0400 ++++ openjdk/jdk/src/share/classes/javax/swing/Popup.java Wed Feb 23 13:50:58 2011 -0500 +@@ -1,12 +1,12 @@ + /* +- * Copyright 1999-2007 Sun Microsystems, Inc. All Rights Reserved. ++ * Copyright (c) 1999, 2008, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as +- * published by the Free Software Foundation. Sun designates this ++ * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided +- * by Sun in the LICENSE file that accompanied this code. ++ * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +@@ -18,9 +18,9 @@ + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * +- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, +- * CA 95054 USA or visit www.sun.com if you need additional information or +- * have any questions. ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. + */ + + package javax.swing; +@@ -229,14 +229,15 @@ + // Popups are typically transient and most likely won't benefit + // from true double buffering. Turn it off here. + getRootPane().setUseTrueDoubleBuffering(false); +- java.security.AccessController.doPrivileged( +- new java.security.PrivilegedAction() { +- public Object run() { +- setAlwaysOnTop(true); +- return null; +- } +- } +- ); ++ // Try to set "always-on-top" for the popup window. ++ // Applets usually don't have sufficient permissions to do it. ++ // In this case simply ignore the exception. ++ try { ++ setAlwaysOnTop(true); ++ } catch (SecurityException se) { ++ // setAlwaysOnTop is restricted, ++ // the exception is ignored ++ } + } + + public void update(Graphics g) { +diff -r dd66920b2d51 test/javax/swing/JPopupMenu/6691503/bug6691503.java +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ openjdk/jdk/test/javax/swing/JPopupMenu/6691503/bug6691503.java Wed Feb 23 13:50:58 2011 -0500 +@@ -0,0 +1,113 @@ ++/* ++ * Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++/* ++ * @test ++ * @bug 6691503 ++ * @summary Checks that there is no opportunity for a malicious applet ++ * to show a popup menu which has whole screen size. ++ * a heaviweight popup menu is shown from an applet. ++ * @author Mikhail Lapshin ++ * @run main bug6691503 ++ */ ++ ++import sun.awt.SunToolkit; ++ ++import javax.swing.*; ++import java.awt.*; ++ ++public class bug6691503 { ++ private JPopupMenu popupMenu; ++ private JFrame frame; ++ private boolean isAlwaysOnTop1 = false; ++ private boolean isAlwaysOnTop2 = true; ++ ++ public static void main(String[] args) { ++ bug6691503 test = new bug6691503(); ++ test.setupUI(); ++ test.testApplication(); ++ test.testApplet(); ++ test.checkResult(); ++ test.stopEDT(); ++ } ++ ++ private void setupUI() { ++ SwingUtilities.invokeLater(new Runnable() { ++ public void run() { ++ frame = new JFrame(); ++ frame.setVisible(true); ++ popupMenu = new JPopupMenu(); ++ JMenuItem click = new JMenuItem("Click"); ++ popupMenu.add(click); ++ } ++ }); ++ } ++ ++ private void testApplication() { ++ SwingUtilities.invokeLater(new Runnable() { ++ public void run() { ++ popupMenu.show(frame, 0, 0); ++ Window popupWindow = (Window) ++ (popupMenu.getParent().getParent().getParent().getParent()); ++ isAlwaysOnTop1 = popupWindow.isAlwaysOnTop(); ++ System.out.println( ++ "Application: popupWindow.isAlwaysOnTop() = " + isAlwaysOnTop1); ++ popupMenu.setVisible(false); ++ } ++ }); ++ } ++ ++ private void testApplet() { ++ SwingUtilities.invokeLater(new Runnable() { ++ public void run() { ++ System.setSecurityManager(new SecurityManager()); ++ popupMenu.show(frame, 0, 0); ++ Window popupWindow = (Window) ++ (popupMenu.getParent().getParent().getParent().getParent()); ++ isAlwaysOnTop2 = popupWindow.isAlwaysOnTop(); ++ System.out.println( ++ "Applet: popupWindow.isAlwaysOnTop() = " + isAlwaysOnTop2); ++ popupMenu.setVisible(false); ++ } ++ }); ++ } ++ ++ private void checkResult() { ++ ((SunToolkit)(Toolkit.getDefaultToolkit())).realSync(); ++ if (!isAlwaysOnTop1 || isAlwaysOnTop2) { ++ throw new RuntimeException("Malicious applet can show always-on-top " + ++ "popup menu which has whole screen size"); ++ } ++ System.out.println("Test passed"); ++ } ++ ++ private void stopEDT() { ++ SwingUtilities.invokeLater(new Runnable() { ++ public void run() { ++ frame.dispose(); ++ } ++ }); ++ } ++} ++ ++