changeset 1168:a5e8efb4fcff

- Fix potential DoS issue when dealing with very long URL/targets. - Decode param values correctly. - Bypass authentication check when origin matches. - Show proper Name/Publisher/Origin values when no certificate is associated.
author Deepak Bhole <dbhole@redhat.com>
date Fri, 31 Oct 2008 15:19:14 -0400
parents 119acc15bc38
children 002c8f181f67
files ChangeLog IcedTeaPlugin.cc plugin/icedtea/sun/applet/PluginAppletViewer.java rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java rt/net/sourceforge/jnlp/security/AccessWarningPane.java
diffstat 5 files changed, 86 insertions(+), 20 deletions(-) [+]
--- a/ChangeLog	Fri Oct 31 13:14:28 2008 -0400
+++ b/ChangeLog	Fri Oct 31 15:19:14 2008 -0400
@@ -1,3 +1,15 @@
+2008-10-31  Deepak Bhole  <dbhole@redhat.com>
+
+	* IcedTeaPlugin.cc: Fix potential DoS issue when dealing with very long
+	URL/target addresses.
+	* plugin/icedtea/sun/applet/PluginAppletViewer.java: Decode param values
+	correctly.
+	* rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java: Bypass
+	authentication check when origin matches.
+	* rt/net/sourceforge/jnlp/security/AccessWarningPane.java: Show proper
+	Name/Publisher/Origin values when no certificate is associated.
+
+
 2008-10-31  Lillian Angel  <langel@redhat.com>
 
 	* Makefile.am: Updated for new visualvm 1.0.1.
--- a/IcedTeaPlugin.cc	Fri Oct 31 13:14:28 2008 -0400
+++ b/IcedTeaPlugin.cc	Fri Oct 31 15:19:14 2008 -0400
@@ -1409,19 +1409,19 @@
   NS_DECL_ISUPPORTS
   NS_DECL_NSIRUNNABLE
 
-  GetURLRunnable (nsIPluginInstancePeer* peer, const char* url, const char* target);
+  GetURLRunnable (nsIPluginInstancePeer* peer, nsCString url, nsCString target);
 
   ~GetURLRunnable ();
 
 private:
   nsIPluginInstancePeer* peer;
-  const char* url;
-  const char* target;
+  nsCString url;
+  nsCString target;
 };
 
 NS_IMPL_ISUPPORTS1 (GetURLRunnable, nsIRunnable)
 
-GetURLRunnable::GetURLRunnable (nsIPluginInstancePeer* peer, const char* url, const char* target)
+GetURLRunnable::GetURLRunnable (nsIPluginInstancePeer* peer, nsCString url, nsCString target)
 : peer(peer),
   url(url),
   target(target)
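Review bot: Owning nsCString copies instead of the const char* handed out by a temporary's get() removes the dangling pointer, but the constructor declared on the new line 37 and defined on line 52 takes both strings by value and then copies them a second time into the members. `GetURLRunnable (nsIPluginInstancePeer* peer, const nsCString& url, const nsCString& target);` (with the matching definition) binds to the temporaries at the call site and avoids the extra copy. The constructor body continues past the end of the hunk.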
@@ -1442,7 +1442,7 @@
    nsIPluginInstanceOwner* owner = nsnull;
    ownerGetter->GetOwner (&owner);
 
-   return owner->GetURL ((const char*) url, (const char*) target,
+   return owner->GetURL ((const char*) url.get(), (const char*) target.get(),
                          nsnull, 0, nsnull, 0);
 }
 
@@ -2869,8 +2869,8 @@
               ownerGetter->GetOwner (&owner);
 			  PLUGIN_DEBUG_2ARG ("Calling GetURL with %s and %s\n", nsCString (url).get (), nsCString (target).get ());
               nsCOMPtr<nsIRunnable> event = new GetURLRunnable (instance->peer,
-													 nsCString (url).get (),
-													 nsCString (target).get ());
+													 nsCString (url),
+													 nsCString (target));
               current->Dispatch(event, nsIEventTarget::DISPATCH_NORMAL);
             }
         }
@@ -4062,7 +4062,11 @@
     {
       if (!factory->js_cleared_handles.Get(javascript_identifier, NULL))
 	  {
-        PLUGIN_DEBUG_2ARG ("Calling Eval: %d, %d\n", javascript_identifier, strSize);
+	    nsCString evStr("");
+		for (int i=0; i < strSize; i++)
+			evStr += nameString[i];
+
+        PLUGIN_DEBUG_2ARG ("Calling Eval: %d, %s\n", javascript_identifier, evStr.get());
         result = liveconnect->Eval(proxyEnv,
                                    javascript_identifier,
                                    nameString, strSize,
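Review bot: The debug string on the added lines is built by appending nameString[i] to an nsCString one element at a time, which does O(strSize) work on every Eval call whether or not debug output is enabled, and, if nameString is a 16-bit jchar*/PRUnichar* as nsILiveconnect::Eval's script argument is, narrows each code unit to a single byte. If nameString is UTF-16, `NS_ConvertUTF16toUTF8 evStr(nameString, strSize);` replaces the loop and keeps non-ASCII script text intact; if it is a plain char*, `nsCString evStr(nameString, strSize);` does the same. Since the script text comes from page content and can be arbitrarily long, consider building it only when debug output is actually active. The mixed tab/space indentation on lines 81-83 also differs from the surrounding lines. The enclosing function starts and ends outside the hunk.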
--- a/plugin/icedtea/sun/applet/PluginAppletViewer.java	Fri Oct 31 13:14:28 2008 -0400
+++ b/plugin/icedtea/sun/applet/PluginAppletViewer.java	Fri Oct 31 15:19:14 2008 -0400
@@ -1265,6 +1265,10 @@
  		skipSpace(in);
  		val = buf.toString();
  	    }
+
+        val = val.replace("&gt;", ">");
+        val = val.replace("&lt;", "<");
+        val = val.replace("&amp;", "&");
  	    PluginDebug.debug("PUT " + att + " = '" + val + "'");
  	    atts.put(att.toLowerCase(java.util.Locale.ENGLISH), val);
              while (true) {
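Review bot: The three replace calls on lines 96-98 decode only &gt;, &lt; and &amp;, so attribute values containing &quot;, &apos; or numeric references such as &#39; or &#x27; still reach atts.put undecoded; the ordering itself is right (&amp; last, so `&amp;lt;` becomes the literal text `&lt;` rather than `<`). Consider a small private decodeEntities(String) helper that handles those named entities and numeric references in one left-to-right pass, and call it here as `val = decodeEntities(val);`. If val can still be null when the earlier branch (outside the hunk) does not assign it, the replace chain throws NullPointerException, so a null guard may be needed. The enclosing method starts and ends outside the hunk.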
--- a/rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java	Fri Oct 31 13:14:28 2008 -0400
+++ b/rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java	Fri Oct 31 15:19:14 2008 -0400
@@ -17,20 +17,24 @@
 
 package net.sourceforge.jnlp.runtime;
 
-import java.awt.*;
-import java.awt.event.*;
-import java.lang.ref.*;
-import javax.swing.*;
-import java.security.*;
+import java.awt.Frame;
+import java.awt.Window;
+import java.awt.event.WindowAdapter;
+import java.awt.event.WindowEvent;
+import java.lang.ref.WeakReference;
+import java.net.SocketPermission;
+import java.security.AccessController;
+import java.security.Permission;
+import java.security.PrivilegedAction;
 
+import javax.swing.JWindow;
+
+import net.sourceforge.jnlp.JNLPFile;
 import net.sourceforge.jnlp.security.SecurityWarningDialog;
 import net.sourceforge.jnlp.services.ServiceUtil;
-import net.sourceforge.jnlp.util.*;
-
+import net.sourceforge.jnlp.util.WeakList;
 import sun.security.util.SecurityConstants;
 
-import java.net.SocketPermission;
-
 /**
  * Security manager for JNLP environment.  This security manager
  * cannot be replaced as it always denies attempts to replace the
@@ -124,6 +128,7 @@
         }
         
         public void windowClosing(WindowEvent e) {
+        	System.err.println("Disposing window");
         	e.getWindow().dispose();
         }
     };
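Review bot: The added `System.err.println("Disposing window");` on line 142 looks like leftover debugging output written unconditionally to stderr from a window listener that runs in production. Either drop the line or route it through whatever debug logging this package already uses, so it is silent by default.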
@@ -282,6 +287,46 @@
 				if (perm instanceof SocketPermission) {
 					tmpPerm = new SocketPermission(perm.getName(), 
 							SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION);
+					
+					// before proceeding, check if we are trying to connect to same origin
+					ApplicationInstance app = getApplication();
+					JNLPFile file = app.getJNLPFile();
+
+					String srcHost =  file.getSourceLocation().getAuthority();
+					String destHost = name;
+					
+					// host = abc.xyz.com or abc.xyz.com:<port> 
+					if (destHost.indexOf(':') >= 0)
+						destHost = destHost.substring(0, destHost.indexOf(':'));
+					
+					// host = abc.xyz.com
+					String[] hostComponents = destHost.split("\\.");
+					
+					int length = hostComponents.length;
+					if (length >= 2) {
+						
+						// address is in xxx.xxx.xxx format
+						destHost = hostComponents[length -2] + "." + hostComponents[length -1];
+					
+						// host = xyz.com i.e. origin
+						boolean isDestHostName = false;
+
+						// make sure that it is not an ip address
+						try {
+							Integer.parseInt(hostComponents[length -1]);
+						} catch (NumberFormatException e) {
+							isDestHostName = true;
+						}
+
+						if (isDestHostName) {
+							// okay, destination is hostname. Now figure out if it is a subset of origin
+							if (srcHost.endsWith(destHost)) {
+								addPermission(tmpPerm);
+								return;
+							}
+						}
+					}
+
 				} else
 					tmpPerm = perm;
 				
--- a/rt/net/sourceforge/jnlp/security/AccessWarningPane.java	Fri Oct 31 13:14:28 2008 -0400
+++ b/rt/net/sourceforge/jnlp/security/AccessWarningPane.java	Fri Oct 31 15:19:14 2008 -0400
@@ -84,18 +84,19 @@
 		//We don't worry about exceptions when trying to fill in
 		//these strings -- we just want to fill in as many as possible.
 		try {
-			name = file.getInformation().getTitle();
+			name = file.getInformation().getTitle() != null ? file.getInformation().getTitle() : "<no associated certificate>";
 		} catch (Exception e) {
 		}
 
 		try {
-			publisher = file.getInformation().getVendor();
+			publisher = file.getInformation().getVendor() != null ? file.getInformation().getVendor() : "<no associated certificate>";
 		} catch (Exception e) {
 		}
 
 		try {
-			from = file.getInformation().getHomepage().toString();
+			from = !file.getInformation().getHomepage().toString().equals("") ? file.getInformation().getHomepage().toString() : file.getSourceLocation().getAuthority();
 		} catch (Exception e) {
+			from = file.getSourceLocation().getAuthority();
 		}
 
 		//Top label
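Review bot: The new ternaries on lines 200 and 206 call getTitle() and getVendor() twice each, and line 212 relies on the NullPointerException thrown when getHomepage() returns null to fall into the catch block, which is exception-as-control-flow. Prefer a local plus an explicit check, e.g. `String title = file.getInformation().getTitle(); name = title != null ? title : "<no associated certificate>";`, and test `getHomepage() != null` before calling toString() on it. The placeholder `<no associated certificate>` also reads oddly for a missing title or vendor, which come from the JNLP information element rather than from a certificate; if these labels are rendered as HTML further down (outside the hunk) the angle brackets may be swallowed, so confirm how name and publisher are displayed.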