changeset 1168:a5e8efb4fcff
- Fix potential DoS issue when dealing with very long URL/targets.
- Decode param values correctly.
- Bypass authentication check when origin matches.
- Show proper Name/Publisher/Origin values when no certificate is associated.
author | Deepak Bhole <dbhole@redhat.com> |
---|---|
date | Fri, 31 Oct 2008 15:19:14 -0400 |
parents | 119acc15bc38 |
children | 002c8f181f67 |
files | ChangeLog IcedTeaPlugin.cc plugin/icedtea/sun/applet/PluginAppletViewer.java rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java rt/net/sourceforge/jnlp/security/AccessWarningPane.java |
diffstat | 5 files changed, 86 insertions(+), 20 deletions(-) [+] |
--- a/ChangeLog Fri Oct 31 13:14:28 2008 -0400
+++ b/ChangeLog Fri Oct 31 15:19:14 2008 -0400
@@ -1,3 +1,15 @@
+2008-10-31 Deepak Bhole <dbhole@redhat.com>
+
+ * IcedTeaPlugin.cc: Fix potential DoS issue when dealing with very long
+ URL/target addresses.
+ * plugin/icedtea/sun/applet/PluginAppletViewer.java: Decode param values
+ correctly.
+ * rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java: Bypass
+ authentication check when origin matches.
+ * rt/net/sourceforge/jnlp/security/AccessWarningPane.java: Show proper
+ Name/Publisher/Origin values when no certificate is associated.
+
+
 2008-10-31 Lillian Angel <langel@redhat.com>
 * Makefile.am: Updated for new visualvm 1.0.1.
--- a/IcedTeaPlugin.cc Fri Oct 31 13:14:28 2008 -0400
+++ b/IcedTeaPlugin.cc Fri Oct 31 15:19:14 2008 -0400
@@ -1409,19 +1409,19 @@
 NS_DECL_ISUPPORTS
 NS_DECL_NSIRUNNABLE
- GetURLRunnable (nsIPluginInstancePeer* peer, const char* url, const char* target);
+ GetURLRunnable (nsIPluginInstancePeer* peer, nsCString url, nsCString target);
 ~GetURLRunnable ();
 private:
 nsIPluginInstancePeer* peer;
- const char* url;
- const char* target;
+ nsCString url;
+ nsCString target;
 };
 NS_IMPL_ISUPPORTS1 (GetURLRunnable, nsIRunnable)
-GetURLRunnable::GetURLRunnable (nsIPluginInstancePeer* peer, const char* url, const char* target)
+GetURLRunnable::GetURLRunnable (nsIPluginInstancePeer* peer, nsCString url, nsCString target)
 : peer(peer), url(url), target(target)
@@ -1442,7 +1442,7 @@
 nsIPluginInstanceOwner* owner = nsnull;
 ownerGetter->GetOwner (&owner);
- return owner->GetURL ((const char*) url, (const char*) target,
+ return owner->GetURL ((const char*) url.get(), (const char*) target.get(),
 nsnull, 0, nsnull, 0);
 }
@@ -2869,8 +2869,8 @@
 ownerGetter->GetOwner (&owner);
 PLUGIN_DEBUG_2ARG ("Calling GetURL with %s and %s\n", nsCString (url).get (), nsCString (target).get ());
 nsCOMPtr<nsIRunnable> event = new GetURLRunnable (instance->peer,
- nsCString (url).get (),
- nsCString (target).get ());
+ nsCString (url),
+ nsCString (target));
 current->Dispatch(event, nsIEventTarget::DISPATCH_NORMAL);
 }
 }
@@ -4062,7 +4062,11 @@
 {
 if (!factory->js_cleared_handles.Get(javascript_identifier, NULL))
 {
- PLUGIN_DEBUG_2ARG ("Calling Eval: %d, %d\n", javascript_identifier, strSize);
+ nsCString evStr("");
+ for (int i=0; i < strSize; i++)
+ evStr += nameString[i];
+
+ PLUGIN_DEBUG_2ARG ("Calling Eval: %d, %s\n", javascript_identifier, evStr.get());
 result = liveconnect->Eval(proxyEnv, javascript_identifier, nameString, strSize,
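Review bot: In the `@@ -1442,7` hunk, `owner` is initialised to `nsnull` and then dereferenced on the changed `return owner->GetURL (...)` line without checking what `GetOwner` produced, so a failed lookup becomes a null dereference in the plugin. A guard such as `if (!owner) return NS_ERROR_FAILURE;` before the call would close that. The `(const char*)` casts are redundant now that `.get()` supplies the pointer. The method begins outside the hunk, so an earlier check may already exist.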
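Review bot: The loop added in the `@@ -4062,7` hunk builds `evStr` on every Eval call, whether or not debug output is enabled, so a long script string is copied one character at a time just to feed a log line, and the full script text ends up in the debug log. Build the string only under the same condition that `PLUGIN_DEBUG_2ARG` tests, or log a bounded prefix. If `nameString` holds 16-bit characters (its declaration is outside the hunk), `evStr += nameString[i]` narrows each one and the logged text will be wrong for non-ASCII input.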
--- a/plugin/icedtea/sun/applet/PluginAppletViewer.java Fri Oct 31 13:14:28 2008 -0400
+++ b/plugin/icedtea/sun/applet/PluginAppletViewer.java Fri Oct 31 15:19:14 2008 -0400
@@ -1265,6 +1265,10 @@
 skipSpace(in);
 val = buf.toString();
 }
+
+ val = val.replace(">", ">");
+ val = val.replace("<", "<");
+ val = val.replace("&", "&");
 PluginDebug.debug("PUT " + att + " = '" + val + "'");
 atts.put(att.toLowerCase(java.util.Locale.ENGLISH), val);
 while (true) {
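Review bot: As displayed here each `val.replace` call has identical search and replacement strings, which suggests the page rendering decoded the entity names; assuming the committed code replaces `&gt;`, `&lt;` and `&amp;`, only those three named entities are decoded, and `&quot;`, `&apos;` and numeric character references are left encoded in parameter values. The order is right (the `&amp;` replacement runs last, which avoids double decoding) but nothing records why, so a comment such as `// decode &amp; last so "&amp;lt;" yields "&lt;" rather than "<"` above the three lines would protect it from reordering. Values stored in `atts` can now contain raw `<`, `>` and `&`, so any consumer that writes them back into markup needs to re-encode them. The enclosing method starts and ends outside the hunk.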
--- a/rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Fri Oct 31 13:14:28 2008 -0400
+++ b/rt/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java Fri Oct 31 15:19:14 2008 -0400
@@ -17,20 +17,24 @@
 package net.sourceforge.jnlp.runtime;
-import java.awt.*;
-import java.awt.event.*;
-import java.lang.ref.*;
-import javax.swing.*;
-import java.security.*;
+import java.awt.Frame;
+import java.awt.Window;
+import java.awt.event.WindowAdapter;
+import java.awt.event.WindowEvent;
+import java.lang.ref.WeakReference;
+import java.net.SocketPermission;
+import java.security.AccessController;
+import java.security.Permission;
+import java.security.PrivilegedAction;
+import javax.swing.JWindow;
+
+import net.sourceforge.jnlp.JNLPFile;
 import net.sourceforge.jnlp.security.SecurityWarningDialog;
 import net.sourceforge.jnlp.services.ServiceUtil;
-import net.sourceforge.jnlp.util.*;
-
+import net.sourceforge.jnlp.util.WeakList;
 import sun.security.util.SecurityConstants;
-import java.net.SocketPermission;
-
 /**
 * Security manager for JNLP environment. This security manager
 * cannot be replaced as it always denies attempts to replace the
@@ -124,6 +128,7 @@
 }
 public void windowClosing(WindowEvent e) {
+ System.err.println("Disposing window");
 e.getWindow().dispose();
 }
 };
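Review bot: `System.err.println("Disposing window");` in `windowClosing` reads like leftover debugging output and is unrelated to the commit's stated changes; it writes to stderr on every window close regardless of any debug setting. Drop the line, or route it through the runtime's debug-gated logging so a security manager does not emit unconditional console noise.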
@@ -282,6 +287,46 @@
 if (perm instanceof SocketPermission) {
 tmpPerm = new SocketPermission(perm.getName(), SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION);
+
+ // before proceeding, check if we are trying to connect to same origin
+ ApplicationInstance app = getApplication();
+ JNLPFile file = app.getJNLPFile();
+
+ String srcHost = file.getSourceLocation().getAuthority();
+ String destHost = name;
+
+ // host = abc.xyz.com or abc.xyz.com:<port>
+ if (destHost.indexOf(':') >= 0)
+ destHost = destHost.substring(0, destHost.indexOf(':'));
+
+ // host = abc.xyz.com
+ String[] hostComponents = destHost.split("\\.");
+
+ int length = hostComponents.length;
+ if (length >= 2) {
+
+ // address is in xxx.xxx.xxx format
+ destHost = hostComponents[length -2] + "." + hostComponents[length -1];
+
+ // host = xyz.com i.e. origin
+ boolean isDestHostName = false;
+
+ // make sure that it is not an ip address
+ try {
+ Integer.parseInt(hostComponents[length -1]);
+ } catch (NumberFormatException e) {
+ isDestHostName = true;
+ }
+
+ if (isDestHostName) {
+ // okay, destination is hostname. Now figure out if it is a subset of origin
+ if (srcHost.endsWith(destHost)) {
+ addPermission(tmpPerm);
+ return;
+ }
+ }
+ }
+
+
 } else tmpPerm = perm;
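Review bot: The same-origin shortcut grants the `SocketPermission` without a prompt whenever `srcHost.endsWith(destHost)` holds for the last two labels of the destination, which is much broader than an origin match. It accepts any host that shares those two labels, including unrelated registrants under two-label public suffixes such as `co.uk`, and `endsWith` has no label boundary, so a destination of `example.com` matches a source of `notexample.com`. `getApplication()`, `getJNLPFile()` and `getSourceLocation()` are also dereferenced unchecked inside a permission check. Comparing complete host names and falling through to the normal check otherwise keeps the shortcut to the applet's own host; that is stricter than the committed behaviour for sibling subdomains, so confirm it is acceptable. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: tmpPerm = new SocketPermission(...) …

// before proceeding, check if we are trying to connect to same origin
ApplicationInstance app = getApplication();
JNLPFile file = (app != null) ? app.getJNLPFile() : null;

if (file != null && file.getSourceLocation() != null) {
    // getHost() leaves out the port and user-info that getAuthority() may carry
    String srcHost = file.getSourceLocation().getHost();
    String destHost = name;

    // host = abc.xyz.com or abc.xyz.com:<port>
    if (destHost.indexOf(':') >= 0)
        destHost = destHost.substring(0, destHost.indexOf(':'));

    // whole-name comparison: a suffix match would also accept unrelated hosts
    if (srcHost != null && srcHost.equalsIgnoreCase(destHost)) {
        addPermission(tmpPerm);
        return;
    }
}
// … unchanged: } else tmpPerm = perm; …
```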
--- a/rt/net/sourceforge/jnlp/security/AccessWarningPane.java Fri Oct 31 13:14:28 2008 -0400
+++ b/rt/net/sourceforge/jnlp/security/AccessWarningPane.java Fri Oct 31 15:19:14 2008 -0400
@@ -84,18 +84,19 @@
 //We don't worry about exceptions when trying to fill in
 //these strings -- we just want to fill in as many as possible.
 try {
- name = file.getInformation().getTitle();
+ name = file.getInformation().getTitle() != null ? file.getInformation().getTitle() : "<no associated certificate>";
 } catch (Exception e) {
 }
 try {
- publisher = file.getInformation().getVendor();
+ publisher = file.getInformation().getVendor() != null ? file.getInformation().getVendor() : "<no associated certificate>";
 } catch (Exception e) {
 }
 try {
- from = file.getInformation().getHomepage().toString();
+ from = !file.getInformation().getHomepage().toString().equals("") ? file.getInformation().getHomepage().toString() : file.getSourceLocation().getAuthority();
 } catch (Exception e) {
+ from = file.getSourceLocation().getAuthority();
 }
 //Top label
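Review bot: `from` still prefers the homepage declared in the JNLP file and only falls back to `getSourceLocation().getAuthority()` when that is empty or throws, so the value shown in the warning is chosen by the application being warned about; if this is what the dialog presents as the origin, use the source location unconditionally. The new assignment inside `catch (Exception e)` is also outside any `try`, so a null `file` or source location now escapes this block, despite the comment above saying exceptions are ignored here. Something like `try { from = file.getSourceLocation().getAuthority(); } catch (Exception e) { }` covers both. `name` and `publisher` come from the same self-declared data, so the `<no associated certificate>` placeholder only appears when the file omits them.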