!4 Update to 1.8.3

Merge pull request !4 from yaokai13/master

CVE-2019-10181-bin.patch

@@ -0,0 +1,29 @@
+commit 78cf73473dda5ceee3eecda5169621f36b93c3db
+Author: Jiri Vanek <jvanek@redhat.com>
+Date:   Tue Jun 18 15:37:47 2019 +0200
+
+    Fixed bug when relative path (..) could leak up (even out of cache)
+
+diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/j1.jar b/tests/netx/unit/net/sourceforge/jnlp/runtime/j1.jar
+new file mode 100644
+index 0000000000000000000000000000000000000000..080383629e9349101b25ad3b33b9950f456c4e8e
+GIT binary patch
+literal 940
+zcmWIWW@Zs#VBp|jI8$@gj{yjnKm-tQGO#fCx`sIFdiuHP|2xINz|0VUqL}B}?nD=$
+zLRTOL8i7#k>*(j{<{BKL=j-;__snS@Z(Y5MyxzK6=gyqp9At3C_`%a6JuhD!Pv48B
+zt5`TAUPvC1mXy-W_#v*U_I!z!#dC4dC*rEp7_Mf2D*9N&h-B+wpcBjVOyp!385rgO
+zF%QsIkJOx;d_%qDoW$bd+yGzi!wv$qm(}j7^={j?tnS+b#|}B3rtMwgjy58qN^v%-
+zr7NR9DH;m?;ru6Kt5NZR{m0@XH$ya>z8h@*d~f#5?Z5wi{>l1)gISt)i*Ct=OD@;l
+z_*XNnbC`d@B5b9WA4h5a`?iERY2}kH$gK>Co8qbR`L#ipq~WB1r7io)t!K6QFO+Y8
+zd4#_!X6fXGd0U#-oH_o<C$sQ%%(23<iUm{oSY|P0^Ih9`@b^1yuY}77#kNV#$mE>+
+z^UmoEt>Z`SH7e?KQVyAIp2S(6=9KzR)LP?4JI`drh1(g_I@n{6=G^}(w(~fj&p(CQ
+zEQPnz7azUaU|eYS-QHn+&BOAdoDhYFthyHUm+r0--Ec49^|kwnXP%k`HyjN1b(^+I
+z_w;^f+%a%4>;;D6o#rRf3Bb_H24Zdo8CWQ0C6*<IhHx@4Z@tSCJEv4AwzPtqfsy3}
+zGXn!lJ5Z^%hVQA9K4Bi`JazQKK6soxdD1*&#j{620U8Y+BGXl-F|6G5=Zr|}og-&#
+zdLK+$bY@S9t*veAkwssU&SotLQs7vpqvv_{>S=x5i`opQrayU-sgc^?8+>UCo7T#w
+ztDZ6eqneRP1eBO?q(`6=kN`^RMAwR*IuZJGflRnoq_m1`0=ATfFkvx}iJb00I^~!_
+tc>r7JN`N&2lPklL#+N_}suL2{tdOuq3+DiDRyL3>79ivRYUu-KN&w$EG4%id
+
+literal 0
+HcmV?d00001
+

CVE-2019-10181.patch

@@ -0,0 +1,323 @@
+commit 78cf73473dda5ceee3eecda5169621f36b93c3db
+Author: Jiri Vanek <jvanek@redhat.com>
+Date:   Tue Jun 18 15:37:47 2019 +0200
+
+    Fixed bug when relative path (..) could leak up (even out of cache)
+
+--- a/netx/net/sourceforge/jnlp/cache/CacheUtil.java
++++ a/netx/net/sourceforge/jnlp/cache/CacheUtil.java
+@@ -696,46 +696,68 @@
+             path.append(location.getPort());
+             path.append(File.separatorChar);
+         }
+-        path.append(location.getPath().replace('/', File.separatorChar));
+-        if (location.getQuery() != null && !location.getQuery().trim().isEmpty()) {
+-            path.append(".").append(location.getQuery());
+-        }
+-
+-        File candidate = new File(FileUtils.sanitizePath(path.toString()));
+-        if (candidate.getName().length() > 255) {
+-            /**
+-             * When filename is longer then 255 chars, then then various
+-             * filesytems have issues to save it. By saving the file by its
+-             * summ, we are trying to prevent collision of two files differs in
+-             * suffixes (general suffix of name, not only 'filetype suffix')
+-             * only. It is also preventing bug when truncate (files with 1000
+-             * chars hash in query) cuts to much.
+-             */
++        String locationPath = location.getPath().replace('/', File.separatorChar);
++        if (locationPath.contains("..")){
+             try {
+-                MessageDigest md = MessageDigest.getInstance("SHA-256");
+-                byte[] sum = md.digest(candidate.getName().getBytes(StandardCharsets.UTF_8));
+-                //convert the byte to hex format method 2
+-                StringBuilder hexString = new StringBuilder();
+-                for (int i = 0; i < sum.length; i++) {
+-                    hexString.append(Integer.toHexString(0xFF & sum[i]));
+-                }
+-                String extension = "";
+-                int i = candidate.getName().lastIndexOf('.');
+-                if (i > 0) {
+-                    extension = candidate.getName().substring(i);//contains dot
+-                }
+-                if (extension.length() < 10 && extension.length() > 1) {
+-                    hexString.append(extension);
+-                }
+-                candidate = new File(candidate.getParentFile(), hexString.toString());
++                /**
++                 * if path contains .. then it can harm lcoal system
++                 * So without mercy, hash it
++                 */
++                String hexed = hex(new File(locationPath).getName(), locationPath);
++                return new File(path.toString(), hexed.toString());
+             } catch (NoSuchAlgorithmException ex) {
+-                // should not occure, cite from javadoc:
+-                // every java iomplementation should support
++                // should not occur, cite from javadoc:
++                // every java implementation should support
+                 // MD5 SHA-1 SHA-256
+                 throw new RuntimeException(ex);
+             }
+-        }
+-        return candidate;
++        } else {
++            path.append(locationPath);
++            if (location.getQuery() != null && !location.getQuery().trim().isEmpty()) {
++                path.append(".").append(location.getQuery());
++            }
++
++            File candidate = new File(FileUtils.sanitizePath(path.toString()));
++            try {
++                if (candidate.getName().length() > 255) {
++                    /**
++                     * When filename is longer then 255 chars, then then various
++                     * filesystems have issues to save it. By saving the file by its
++                     * sum, we are trying to prevent collision of two files differs in
++                     * suffixes (general suffix of name, not only 'filetype suffix')
++                     * only. It is also preventing bug when truncate (files with 1000
++                     * chars hash in query) cuts to much.
++                     */
++                    String hexed = hex(candidate.getName(), candidate.getName());
++                    candidate = new File(candidate.getParentFile(), hexed.toString());
++                }
++            } catch (NoSuchAlgorithmException ex) {
++                // should not occur, cite from javadoc:
++                // every java implementation should support
++                // MD5 SHA-1 SHA-256
++                throw new RuntimeException(ex);
++            }
++            return candidate;
++        }
++    }
++
++    private static String hex(String origName, String candidate) throws NoSuchAlgorithmException {
++        MessageDigest md = MessageDigest.getInstance("SHA-256");
++        byte[] sum = md.digest(candidate.getBytes(StandardCharsets.UTF_8));
++        //convert the byte to hex format method 2
++        StringBuilder hexString = new StringBuilder();
++        for (int i = 0; i < sum.length; i++) {
++            hexString.append(Integer.toHexString(0xFF & sum[i]));
++        }
++        String extension = "";
++        int i = origName.lastIndexOf('.');
++        if (i > 0) {
++            extension = origName.substring(i);//contains dot
++        }
++        if (extension.length() < 10 && extension.length() > 1) {
++            hexString.append(extension);
++        }
++        return hexString.toString();
+     }
+ 
+     /**
+diff --git a/netx/net/sourceforge/jnlp/util/FileUtils.java b/netx/net/sourceforge/jnlp/util/FileUtils.java
+index 89216375..a5356e08 100644
+--- a/netx/net/sourceforge/jnlp/util/FileUtils.java
++++ b/netx/net/sourceforge/jnlp/util/FileUtils.java
+@@ -183,6 +183,13 @@
+      */
+     public static void createParentDir(File f, String eMsg) throws IOException {
+         File parent = f.getParentFile();
++        // warning, linux and windows behave differently. Below snippet will pass on win(security hole), fail on linux
++        // warning  mkdir is canonicaling, but exists/isDirectory is not. So  where mkdirs return true, and really creates dir, isDirectory can still return false
++        // can be seen on this example
++        // mkdirs /a/b/../c
++        // where b do not exists will lead creation of /a/c
++        // but exists on /a/b/../c is false on linux  even afterwards
++        // without hexing of .. paths,
+         if (!parent.isDirectory() && !parent.mkdirs()) {
+             throw new IOException(R("RCantCreateDir",
+                     eMsg == null ? parent : eMsg));
+diff --git a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
+index 6422246b..0d2d9811 100644
+--- a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
++++ b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
+@@ -88,6 +88,53 @@ public class CacheUtilTest {
+         final File expected = new File("/tmp/https/example.com/5050/applet/e4f3cf11f86f5aa33f424bc3efe3df7a9d20837a6f1a5bbbc60c1f57f3780a4");
+         Assert.assertEquals(expected, CacheUtil.urlToPath(u, "/tmp"));
+     }
++
++    @Test
++    public void tesPathUpNoGoBasic() throws Exception {
++        final URL u = new URL("https://example.com/applet/../my.jar");
++        final File expected = new File("/tmp/https/example.com/abca4723622ed60db3dea12cbe2402622a74f7a49b73e23b55988e4eee5ded.jar");
++        File r = CacheUtil.urlToPath(u, "/tmp/");
++        Assert.assertEquals(expected, r);
++    }
++
++    @Test
++    public void tesPathUpNoGoBasicLong() throws Exception {
++        final URL u = new URL("https://example.com/applet/../my.jar.q_SlNFU1NJT05JRD02OUY1ODVCNkJBOTM1NThCQjdBMTA5RkQyNDZEQjEwRi5wcm9kX3RwdG9tY2F0MjE1X2p2bTsgRW50cnVzdFRydWVQYXNzUmVkaXJlY3RVcmw9Imh0dHBzOi8vZWZzLnVzcHRvLmdvdi9FRlNXZWJVSVJlZ2lzdGVyZWQvRUZTV2ViUmVnaXN0ZXJlZCI7IFRDUFJPRFBQQUlSc2Vzc2lvbj02MjIxMjk0MTguMjA0ODAuMDAwMA\"");
++        final File expected = new File("/tmp/https/example.com/ec97413e3f6eee8215ecc8375478cc1ae5f44f18241b9375361d5dfcd7b0ec");
++        File r = CacheUtil.urlToPath(u, "/tmp/");
++        Assert.assertEquals(expected, r);
++    }
++
++    @Test
++    public void tesPathUpNoGoBasic2() throws Exception {
++        final URL u = new URL("https://example.com/../my.jar");
++        final File expected = new File("/tmp/https/example.com/eb1a56bed34523dbe7ad84d893ebc31a8bbbba9ce3f370e42741b6a5f067c140.jar");
++        File r = CacheUtil.urlToPath(u, "/tmp/");
++        Assert.assertEquals(expected, r);
++    }
++
++    @Test
++    public void tesPathUpNoGoBasicEvil() throws Exception {
++        final URL u = new URL("https://example.com/../../my.jar");
++        final File expected = new File("/tmp/https/example.com/db464f11d68af73e37eefaef674517b6be23f0e4a5738aaee774ecf5b58f1bfc.jar");
++        File r = CacheUtil.urlToPath(u, "/tmp/");
++        Assert.assertEquals(expected, r);
++    }
++
++    @Test
++    public void tesPathUpNoGoBasicEvil2() throws Exception {
++        final URL u = new URL("https://example.com:99/../../../my.jar");
++        final File expected = new File("/tmp/https/example.com/99/95401524c345e0d554d4d77330e86c98a77b9bb58a0f93094204df446b356.jar");
++        File r = CacheUtil.urlToPath(u, "/tmp/");
++        Assert.assertEquals(expected, r);
++    }
++    @Test
++    public void tesPathUpNoGoBasicEvilest() throws Exception {
++        final URL u = new URL("https://example2.com/something/../../../../../../../../../../../my.jar");
++        final File expected = new File("/tmp/https/example2.com/a8df64388f5b84d5f635e4d6dea5f4d2f692ae5381f8ec6736825ff8d6ff2c0.jar");
++        File r = CacheUtil.urlToPath(u, "/tmp/");
++        Assert.assertEquals(expected, r);
++    }
+     
+     
+     @Test
+diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
+index 100d9150..7580d23b 100644
+--- a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
++++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
+@@ -43,6 +43,8 @@
+ import java.io.File;
+ import java.io.FileOutputStream;
+ import java.io.InputStream;
++import java.net.URL;
++import java.nio.charset.Charset;
+ import java.nio.file.Files;
+ import java.util.Arrays;
+ import java.util.List;
+@@ -55,6 +57,12 @@
+ import net.sourceforge.jnlp.browsertesting.browsers.firefox.FirefoxProfilesOperator;
+ import net.sourceforge.jnlp.cache.UpdatePolicy;
+ import net.sourceforge.jnlp.config.DeploymentConfiguration;
++import net.sourceforge.jnlp.config.PathsAndFiles;
++import net.sourceforge.jnlp.JNLPFile;
++import net.sourceforge.jnlp.ServerAccess;
++import net.sourceforge.jnlp.ServerLauncher;
++import net.sourceforge.jnlp.util.StreamUtils;
++import net.sourceforge.jnlp.cache.CacheUtil;
+ import net.sourceforge.jnlp.mock.DummyJNLPFileWithJar;
+ import net.sourceforge.jnlp.security.appletextendedsecurity.AppletSecurityLevel;
+ import net.sourceforge.jnlp.security.appletextendedsecurity.AppletStartupSecuritySettings;
+@@ -65,6 +73,7 @@
+ import org.junit.BeforeClass;
+ 
+ import org.junit.Test;
++import org.junit.Ignore;
+ 
+ public class JNLPClassLoaderTest extends NoStdOutErrTest {
+ 
+@@ -138,7 +147,8 @@
+         File tempDirectory = FileTestUtils.createTempDirectory();
+         File jarLocation = new File(tempDirectory, "test.jar");
+ 
+-        /* Test with main-class in manifest */ {
++        /* Test with main-class in manifest */
++        {
+             Manifest manifest = new Manifest();
+             manifest.getMainAttributes().put(Attributes.Name.MAIN_CLASS, "DummyClass");
+             FileTestUtils.createJarWithContents(jarLocation, manifest);
+@@ -156,8 +166,10 @@
+     }
+ 
+     @Test
++    @Ignore
+     public void getMainClassNameTestEmpty() throws Exception {
+-        /* Test with-out any main-class specified */ {
++        /* Test with-out any main-class specified */
++        {
+             File tempDirectory = FileTestUtils.createTempDirectory();
+             File jarLocation = new File(tempDirectory, "test.jar");
+             FileTestUtils.createJarWithContents(jarLocation /* No contents */);
+@@ -363,4 +375,57 @@
+         }
+ 
+     }
++
++    @Test
++    public void testRelativePathInUrl() throws Exception {
++        CacheUtil.clearCache();
++        int port = ServerAccess.findFreePort();
++        File dir = FileTestUtils.createTempDirectory();
++        dir.deleteOnExit();
++        dir = new File(dir,"base");
++        dir.mkdir();
++        File jar = new File(dir,"j1.jar");
++        File jnlp = new File(dir+"/a/b/up.jnlp");
++        jnlp.getParentFile().mkdirs();
++        InputStream is = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/up.jnlp");
++        String jnlpString = StreamUtils.readStreamAsString(is, true, "utf-8");
++        is.close();
++        jnlpString = jnlpString.replaceAll("8080", ""+port);
++        is = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/j1.jar");
++        StreamUtils.copyStream(is, new FileOutputStream(jar));
++        Files.write(jnlp.toPath(),jnlpString.getBytes("utf-8"));
++        ServerLauncher as = ServerAccess.getIndependentInstance(jnlp.getParent(), port);
++        boolean verifyBackup = JNLPRuntime.isVerifying();
++        boolean trustBackup= JNLPRuntime.isTrustAll();
++        boolean securityBAckup= JNLPRuntime.isSecurityEnabled();
++        boolean verbose= JNLPRuntime.isDebug();
++        JNLPRuntime.setVerify(false);
++        JNLPRuntime.setTrustAll(true);
++        JNLPRuntime.setSecurityEnabled(false);
++        JNLPRuntime.setDebug(true);
++        try {
++            final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/up.jnlp"));
++            final JNLPClassLoader classLoader1 = new JNLPClassLoader(jnlpFile1, UpdatePolicy.ALWAYS) {
++                @Override
++                protected void activateJars(List<JARDesc> jars) {
++                    super.activateJars(jars);
++                }
++
++            };
++            InputStream is1 = classLoader1.getResourceAsStream("Hello1.class");
++            is1.close();
++            is1 = classLoader1.getResourceAsStream("META-INF/MANIFEST.MF");
++            is1.close();
++            Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/0/http/localhost/"+port+"/up.jnlp").exists());
++            Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/f812acb32c857fd916c842e2bf4fb32b9c3837ef63922b167a7e163305058b7.jar").exists());
++        } finally {
++            JNLPRuntime.setVerify(verifyBackup);
++            JNLPRuntime.setTrustAll(trustBackup);
++            JNLPRuntime.setSecurityEnabled(securityBAckup);
++            JNLPRuntime.setDebug(verbose);
++            as.stop();
++        }
++
++    }
++
+ }
+diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp b/tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp
+new file mode 100644
+index 00000000..b22fdfb7
+--- /dev/null
++++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp
+@@ -0,0 +1,15 @@
++<?xml version="1.0" encoding="UTF-8" standalone="no"?>
++<jnlp spec="6.0+" codebase=".">
++
++<information><title>1965</title><vendor>Nemzeti Ado- es Vamhivatal</vendor><offline-allowed/></information>
++
++
++<resources>
++  <j2se href="http://java.sun.com/products/autodl/j2se" version="1.8+" />
++<!-- absolute url is a must -->
++  <jar href="http://localhost:8080/../../../base/j1.jar" version="2.0"/>
++</resources>
++
++<application-desc main-class="Hello1" />
++
++</jnlp>

CVE-2019-10182.patch

@@ -0,0 +1,78 @@
+commit 09bcd3ebb639af6cfd83ff2203ffeb80a59cc0eb
+Author: Jiri Vanek <jvanek@redhat.com>
+Date:   Fri Jun 28 16:05:35 2019 +0200
+
+    All files, except signaturre files, are now  checked for signatures
+
+diff --git a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
+index 759bedfb..cabfb3c5 100644
+--- a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
++++ b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
+@@ -41,6 +41,7 @@
+ import java.util.Map;
+ import java.util.Vector;
+ import java.util.jar.JarEntry;
++import java.util.regex.Pattern;
+ 
+ import net.sourceforge.jnlp.JARDesc;
+ import net.sourceforge.jnlp.JNLPFile;
+@@ -67,6 +68,7 @@
+ public class JarCertVerifier implements CertVerifier {
+ 
+     private static final String META_INF = "META-INF/";
++    private static final Pattern SIG = Pattern.compile(".*" + META_INF + "SIG-.*");
+ 
+     // prefix for new signature-related files in META-INF directory
+     private static final String SIG_PREFIX = META_INF + "SIG-";
+@@ -500,12 +502,20 @@
+ 
+     /**
+      * Returns whether a file is in META-INF, and thus does not require signing.
+-     * 
++     * <p>
+      * Signature-related files under META-INF include: . META-INF/MANIFEST.MF . META-INF/SIG-* . META-INF/*.SF . META-INF/*.DSA . META-INF/*.RSA
+      */
+     static boolean isMetaInfFile(String name) {
+-        String ucName = name.toUpperCase();
+-        return ucName.startsWith(META_INF);
++        if (name.endsWith("class")) {
++            return false;
++        }
++        return name.startsWith(META_INF) && (
++                name.endsWith(".MF") ||
++                name.endsWith(".SF") ||
++                name.endsWith(".DSA") ||
++                name.endsWith(".RSA") ||
++                SIG.matcher(name).matches()
++        );
+     }
+ 
+     /**
+diff --git a/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java b/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
+index 4661fb87..44253e08 100644
+--- a/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
++++ b/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
+@@ -58,9 +58,22 @@ public class JarCertVerifierTest {
+     @Test
+     public void testIsMetaInfFile() {
+         final String METAINF = "META-INF";
++        assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.MF"));
++        assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.SF"));
++        assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.DSA"));
++        assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.RSA"));
++        assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/SIG-blah.blah"));
++
++        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.MF.class"));
++        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.SF.class"));
++        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.DSA.class"));
++        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.RSA.class"));
++        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/SIG-blah.blah.class"));
++
+         assertFalse(JarCertVerifier.isMetaInfFile("some_dir/" + METAINF + "/filename"));
+         assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "filename"));
+-        assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
++        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
++        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
+     }
+ 
+     class JarCertVerifierEntry extends JarEntry {

CVE-2019-10185.patch

@@ -0,0 +1,160 @@
+commit b4232ae35d2b86592a945a56c948f107fe7efabe
+Author: Jiri Vanek <jvanek@redhat.com>
+Date:   Wed Jun 26 13:46:45 2019 +0200
+
+    Nested jar, if by relative path point up, is stored as hashed
+
+diff --git a/netx/net/sourceforge/jnlp/cache/CacheUtil.java b/netx/net/sourceforge/jnlp/cache/CacheUtil.java
+index a972eb8e..5c8652b6 100644
+--- a/netx/net/sourceforge/jnlp/cache/CacheUtil.java
++++ b/netx/net/sourceforge/jnlp/cache/CacheUtil.java
+@@ -741,7 +741,7 @@
+         }
+     }
+ 
+-    private static String hex(String origName, String candidate) throws NoSuchAlgorithmException {
++    public static String hex(String origName, String candidate) throws NoSuchAlgorithmException {
+         MessageDigest md = MessageDigest.getInstance("SHA-256");
+         byte[] sum = md.digest(candidate.getBytes(StandardCharsets.UTF_8));
+         //convert the byte to hex format method 2
+diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+index e015f348..117163f3 100644
+--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
++++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+@@ -1340,7 +1340,11 @@
+                                         // (inline loading with "jar:..!/..." path will not work
+                                         // with standard classloader methods)
+ 
+-                                        String extractedJarLocation = localFile + ".nested/" + je.getName();
++                                        String name = je.getName();
++                                        if (name.contains("..")){
++                                            name=CacheUtil.hex(name, name);
++                                        }
++                                        String extractedJarLocation = localFile + ".nested/" + name;
+                                         File parentDir = new File(extractedJarLocation).getParentFile();
+                                         if (!parentDir.isDirectory() && !parentDir.mkdirs()) {
+                                             throw new RuntimeException(R("RNestedJarExtration"));
+diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
+index 7580d23b..a20a1d8f 100644
+--- a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
++++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
+@@ -43,6 +43,8 @@
+ import java.io.File;
+ import java.io.FileOutputStream;
+ import java.io.InputStream;
++import java.io.OutputStream;
++import net.sourceforge.jnlp.ResourcesDesc;
+ import java.net.URL;
+ import java.nio.charset.Charset;
+ import java.nio.file.Files;
+@@ -407,13 +409,7 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
+         JNLPRuntime.setDebug(true);
+         try {
+             final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/up.jnlp"));
+-            final JNLPClassLoader classLoader1 = new JNLPClassLoader(jnlpFile1, UpdatePolicy.ALWAYS) {
+-                @Override
+-                protected void activateJars(List<JARDesc> jars) {
+-                    super.activateJars(jars);
+-                }
+-
+-            };
++            final JNLPClassLoader classLoader1 = JNLPClassLoader.getInstance(jnlpFile1, UpdatePolicy.ALWAYS, false);
+             InputStream is1 = classLoader1.getResourceAsStream("Hello1.class");
+             is1.close();
+             is1 = classLoader1.getResourceAsStream("META-INF/MANIFEST.MF");
+@@ -430,4 +426,74 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
+ 
+     }
+ 
++    @Test
++    public void testRelativePathInNestedJars() throws Exception {
++        CacheUtil.clearCache();
++        int port = ServerAccess.findFreePort();
++        File dir = FileTestUtils.createTempDirectory();
++        dir.deleteOnExit();
++        File jar = new File(dir,"jar03_dotdotN1.jar");
++        File jnlp = new File(dir,"jar_03_dotdot_jarN1.jnlp");
++        InputStream is1 = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp");
++        InputStream is2 = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar");
++        OutputStream fos1 = new FileOutputStream(jnlp);
++        OutputStream fos2 = new FileOutputStream(jar);
++        StreamUtils.copyStream(is1, fos1);
++        StreamUtils.copyStream(is2, fos2);
++        fos1.flush();;
++        fos2.flush();
++        fos1.close();
++        fos2.close();
++        ServerLauncher as = ServerAccess.getIndependentInstance(dir.getAbsolutePath(), port);
++        boolean verifyBackup = JNLPRuntime.isVerifying();
++        boolean trustBackup= JNLPRuntime.isTrustAll();
++        boolean securityBAckup= JNLPRuntime.isSecurityEnabled();
++        boolean verbose= JNLPRuntime.isDebug();
++        JNLPRuntime.setVerify(false);
++        JNLPRuntime.setTrustAll(true);
++        JNLPRuntime.setSecurityEnabled(false);
++        JNLPRuntime.setDebug(true);
++        try {
++            //it is invalid jar, so we have to disable checks first
++            final JNLPFile jnlpFile = new JNLPFile(new URL("http://localhost:" + port + "/jar_03_dotdot_jarN1.jnlp"));
++            final JNLPClassLoader classLoader = JNLPClassLoader.getInstance(jnlpFile, UpdatePolicy.ALWAYS, false);
++
++            //ThreadGroup group = Thread.currentThread().getThreadGroup();
++            //ApplicationInstance app = new ApplicationInstance(jnlpFile, group, classLoader);
++            //classLoader.setApplication(app);
++            //app.initialize();
++
++            //this test is actually not testing mutch. The app must be accessing the nested jar in plugin-like way
++            InputStream is = classLoader.getResourceAsStream("application/abev/nyomtatvanyinfo/1965.teminfo.enyk");
++            is.close();
++            is = classLoader.getResourceAsStream("META-INF/MANIFEST.MF");
++            is.close();
++            is = classLoader.getResourceAsStream("META-INF/j1.jar");
++            is.close();
++            is = classLoader.getResourceAsStream("META-INF/../../jar01_to_be_injected.jar");
++            //the .. is not recognized correctly
++            //is.close();
++            //Class c = classLoader.getClass().forName("Hello1");
++            // in j1.jar
++            is = classLoader.getResourceAsStream("Hello1.class");
++            //is.close(); nested jar is not on defualt CP
++            //in  jar01
++            //c = classLoader.getClass().forName("com.devdaily.FileUtilities");
++            is = classLoader.getResourceAsStream("com/devdaily/FileUtilities.class");
++            // is.close(); nested jar is not on defualt CP
++            Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/0/http/localhost/"+port+"/jar_03_dotdot_jarN1.jnlp").exists());
++            Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/jar03_dotdotN1.jar").exists());
++            Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/jar03_dotdotN1.jar.nested/99a90686bfbe84e3f9dbeed8127bba85672ed73688d3c69191aa1ee70916a.jar").exists());
++            Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/jar03_dotdotN1.jar.nested/META-INF/j1.jar").exists());
++        } finally {
++            JNLPRuntime.setVerify(verifyBackup);
++            JNLPRuntime.setTrustAll(trustBackup);
++            JNLPRuntime.setSecurityEnabled(securityBAckup);
++            JNLPRuntime.setDebug(verbose);
++            as.stop();
++        }
++
++    }
++
++
+ }
+diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp b/tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp
+new file mode 100644
+index 00000000..71bdea87
+--- /dev/null
++++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp
+@@ -0,0 +1,15 @@
++<?xml version="1.0" encoding="UTF-8" standalone="no"?>
++<jnlp spec="6.0+" >
++
++<information><title>1965</title><vendor>Nemzeti Ado- es Vamhivatal</vendor><offline-allowed/></information>
++
++<security><all-permissions/></security>
++
++<resources>
++  <j2se href="http://java.sun.com/products/autodl/j2se" version="1.8+" />
++  <jar href="jar03_dotdotN1.jar" version="2.0"/>
++</resources>
++
++<application-desc main-class="http://localhost/jar01.jar!META-INF/jar01_to_be_injected.jar!METAxINF.Test" />
++
++</jnlp>

PreventiveleQueue.patch

@@ -0,0 +1,23 @@
+commit 5437234c59f6c375a8ad0b07f93d459eefd571ba
+Author: Jiri Vanek <jvanek@redhat.com>
+Date:   Tue Jul 9 12:10:39 2019 +0200
+
+    Preventively, hash also .. in queue
+
+diff --git a/netx/net/sourceforge/jnlp/cache/CacheUtil.java b/netx/net/sourceforge/jnlp/cache/CacheUtil.java
+index 5c8652b6..15e8865c 100644
+--- a/netx/net/sourceforge/jnlp/cache/CacheUtil.java
++++ b/netx/net/sourceforge/jnlp/cache/CacheUtil.java
+@@ -703,7 +703,11 @@ public class CacheUtil {
+             path.append(File.separatorChar);
+         }
+         String locationPath = location.getPath().replace('/', File.separatorChar);
+-        if (locationPath.contains("..")){
++        String query = "";
++        if (location.getQuery() != null) {
++            query = location.getQuery();
++        }
++        if (locationPath.contains("..") || query.contains("..")){
+             try {
+                 /**
+                  * if path contains .. then it can harm lcoal system

README.en.md

@@ -1,36 +0,0 @@
-# icedtea-web
-
-#### Description
-{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
-
-#### Software Architecture
-Software architecture description
-
-#### Installation
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### Instructions
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### Contribution
-
-1.  Fork the repository
-2.  Create Feat_xxx branch
-3.  Commit your code
-4.  Create Pull Request
-
-
-#### Gitee Feature
-
-1.  You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
-2.  Gitee blog [blog.gitee.com](https://blog.gitee.com)
-3.  Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
-4.  The most valuable open source project [GVP](https://gitee.com/gvp)
-5.  The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
-6.  The most popular members  [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)

README.md

@@ -1,39 +0,0 @@
-# icedtea-web
-
-#### 介绍
-{**以下是码云平台说明，您可以替换此简介**
-码云是 OSCHINA 推出的基于 Git 的代码托管平台（同时支持 SVN）。专为开发者提供稳定、高效、安全的云端软件开发协作平台
-无论是个人、团队、或是企业，都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
-
-#### 软件架构
-软件架构说明
-
-
-#### 安装教程
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### 使用说明
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### 参与贡献
-
-1.  Fork 本仓库
-2.  新建 Feat_xxx 分支
-3.  提交代码
-4.  新建 Pull Request
-
-
-#### 码云特技
-
-1.  使用 Readme\_XXX.md 来支持不同的语言，例如 Readme\_en.md, Readme\_zh.md
-2.  码云官方博客 [blog.gitee.com](https://blog.gitee.com)
-3.  你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
-4.  [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目，是码云综合评定出的优秀开源项目
-5.  码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
-6.  码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)

icedtea-web.spec

@@ -1,57 +1,67 @@
-%define javaver         1.8.0
-%define priority        18000
-%define gurlhandler     /desktop/gnome/url-handlers
-%define jnlphandler     %{gurlhandler}/jnlp
-%define jnlpshandler    %{gurlhandler}/jnlps
-%define javadir         %{_jvmdir}/java-%{javaver}-openjdk
-%define jredir          %{_jvmdir}/jre-%{javaver}-openjdk
-%define binsuffix       .itweb
-%define preffered_java  java-%{javaver}-openjdk
+%define javaver        1.8.0
+%define priority       18000
+%define gurlhandler    /desktop/gnome/url-handlers
+%define jnlphandler    %{gurlhandler}/jnlp
+%define jnlpshandler   %{gurlhandler}/jnlps
+%define javadir        %{_jvmdir}/java-%{javaver}-openjdk
+%define jredir         %{_jvmdir}/jre-%{javaver}-openjdk
+%define binsuffix      .itweb
+%define preffered_java java-%{javaver}-openjdk
+%global debug_package  %{nil}
+Name:                icedtea-web
+Version:             1.8
+Release:             3
+Summary:	     Free Software web browser plugin running Java applets
+License:             LGPLv2+ and GPLv2 with exceptions
+URL:                 http://icedtea.classpath.org/wiki/IcedTea-Web
+Source0:             http://icedtea.classpath.org/download/source/%{name}-%{version}.tar.gz
+Patch0000:           patchOutDunce.patch
+Patch0001:           CVE-2019-10181.patch
+Patch0002:           CVE-2019-10182.patch
+Patch0003:           CVE-2019-10185.patch
+Patch0004:           PreventiveleQueue.patch
+Patch0011:           CVE-2019-10181-bin.patch
+Patch0033:           CVE-2019-10185-bin.patch
+Patch0005:           testTuning.patch
 
-Name:           icedtea-web
-Version:        1.7.1
-Release:        11
-Summary:        Free Software web browser plugin running Java applets
-License:        LGPLv2+ and GPLv2 with exceptions
-URL:            http://icedtea.classpath.org/wiki/IcedTea-Web
-Source0:        http://icedtea.classpath.org/download/source/%{name}-%{version}.tar.gz
+BuildRequires:       javapackages-tools javapackages-local %{preffered_java}-devel
+BuildRequires:       desktop-file-utils glib2-devel autoconf automake 	cargo junit hamcrest
+BuildRequires:       libappstream-glib tagsoup git
+Requires:            %{preffered_java} javapackages-tools  tagsoup
+Recommends:          bash-completion
 
-BuildArch:      noarch
-BuildRequires:  gcc-c++ junit hamcrest libappstream-glib tagsoup
-BuildRequires:  desktop-file-utils glib2-devel autoconf automake gcc
-BuildRequires:  javapackages-tools javapackages-local %{preffered_java}-devel
-Requires:       mozilla-filesystem%{?_isa}
-Requires:       %{preffered_java} javapackages-tools tagsoup
-Recommends:     bash-completion
+Requires(post):      chkconfig >= 1.7 GConf2
+Requires(post):      javapackages-tools %{_sbindir}/alternatives
 
-Requires(post): chkconfig >= 1.7 GConf2
-Requires(post): javapackages-tools %{_sbindir}/alternatives
-Requires(postun): javapackages-tools GConf2
-Requires(postun): %{_sbindir}/alternatives chkconfig >= 1.7
+Requires(postun):    chkconfig >= 1.7 GConf2
+Requires(postun):    javapackages-tools %{_sbindir}/alternatives
 
-Provides:       java-plugin = 1:%{javaver} javaws = 1:%{javaver}
-Provides:       %{preffered_java}-plugin = 1:%{version}
-Provides:       %{name}-javadoc = %{version}-%{release}
-Obsoletes:      %{name}-javadoc < %{version}-%{release}
+Provides:            javaws = 1:%{javaver}
+Provides:            %{preffered_java}-javaws = 1:%{version}
 
 %description
-The IcedTea-Web project provides a Free Software web browser plugin
-for running applets written in the Java programming language and an
-implementation of Java Web Start, originally based on the NetX
-project.
+The IcedTea-Web project provides a Free Software web browser plugin for running applets written in the Java programming language and an implementation of Java Web Start, originally based on the NetX project.
 
 %package devel
-Summary:    Header files for ${name}
-Requires:   %{name} = %{version}-%{release}
-BuildArch:  noarch
+Summary:             Header files for icedtea-web
+Requires:            %{name} = %{version}-%{release}
+BuildArch:           noarch
 
 %description devel
-Header files for ${name}.
+Header files for icedtea-web.
 
-%package_help
+%package help
+Summary:             Help documents for icedtea-web
+Requires:            %{name} = %{version}-%{release}
+Provides:            %{name}-javadoc = %{version}-%{release}
+Obsoletes:           %{name}-javadoc < %{version}-%{release}
+BuildArch:           noarch
+
+%description help
+Help documents for icedtea-web.
 
 %prep
-%autosetup -n %{name}-%{version} -p1
+%autosetup -n %{name}-%{version} -p1 -S git
 
 %build
 autoreconf -vfi
@@ -64,19 +74,19 @@ CXXFLAGS="$RPM_OPT_FLAGS $RPM_LD_FLAGS" \
     --libdir=%{_libdir} \
     --program-suffix=%{binsuffix} \
     --disable-native-plugin \
+    --with-itw-libs=DISTRIBUTION \
+    --with-modularjdk-file=%{_sysconfdir}/java/%{name}    \
     --prefix=%{_prefix}
 %make_build
 
 %install
 %make_install
 
-mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d/
-mv completion/javaws.bash %{buildroot}%{_sysconfdir}/bash_completion.d/
+install -d %{buildroot}%{_sysconfdir}/bash_completion.d/
 mv completion/policyeditor.bash %{buildroot}%{_sysconfdir}/bash_completion.d/
+mv completion/javaws.bash %{buildroot}%{_sysconfdir}/bash_completion.d/
 mv completion/itweb-settings.bash %{buildroot}%{_sysconfdir}/bash_completion.d/
-
 mv %{buildroot}/%{_mandir}/man1/javaws.1 %{buildroot}/%{_mandir}/man1/javaws.itweb.1
-
 install -d -m 755 %{buildroot}%{_datadir}/{applications,pixmaps}
 desktop-file-install --vendor ''\
   --dir %{buildroot}%{_datadir}/applications javaws.desktop
@@ -85,28 +95,28 @@ desktop-file-install --vendor ''\
 desktop-file-install --vendor ''\
   --dir %{buildroot}%{_datadir}/applications policyeditor.desktop
 
-DESTDIR=%{buildroot} appstream-util install metadata/%{name}.metainfo.xml
-DESTDIR=%{buildroot} appstream-util install metadata/%{name}-javaws.appdata.xml
+DESTDIR=%{buildroot} appstream-util install metadata/icedtea-web.metainfo.xml
+DESTDIR=%{buildroot} appstream-util install metadata/icedtea-web-javaws.appdata.xml
 
-mkdir -p %{buildroot}%{_javadir}
-pushd %{buildroot}%{_javadir}
-ln -s ../%{name}/netx.jar %{name}.jar
-ln -s ../%{name}/plugin.jar %{name}-plugin.jar
-popd
-mkdir -p %{buildroot}/%{_mavenpomdir}
-cp metadata/%{name}.pom %{buildroot}/%{_mavenpomdir}/%{name}.pom
-cp metadata/%{name}-plugin.pom %{buildroot}/%{_mavenpomdir}/%{name}-plugin.pom
+install -d %{buildroot}%{_javadir}
+cd %{buildroot}%{_javadir}
+ln -s ../icedtea-web/javaws.jar icedtea-web.jar
+ln -s ../icedtea-web/plugin.jar icedtea-web-plugin.jar
+cd -
 
-%add_maven_depmap %{name}.pom %{name}.jar
-%add_maven_depmap %{name}-plugin.pom %{name}-plugin.jar
+install -d %{buildroot}/%{_mavenpomdir}
+cp metadata/icedtea-web.pom %{buildroot}/%{_mavenpomdir}/icedtea-web.pom
+cp metadata/icedtea-web-plugin.pom %{buildroot}/%{_mavenpomdir}/icedtea-web-plugin.pom
 
-cp netx.build/lib/src.zip %{buildroot}%{_datadir}/%{name}/netx.src.zip
-cp liveconnect/lib/src.zip %{buildroot}%{_datadir}/%{name}/plugin.src.zip
+%add_maven_depmap icedtea-web.pom icedtea-web.jar
+%add_maven_depmap icedtea-web-plugin.pom icedtea-web-plugin.jar
 
-%find_lang %{name} --all-name --with-man
+cp  netx.build/lib/src.zip %{buildroot}%{_datadir}/icedtea-web/javaws.src.zip
+cp liveconnect/lib/src.zip %{buildroot}%{_datadir}/icedtea-web/plugin.src.zip
+%find_lang icedtea-web --all-name --with-man
 
 %check
-#make check
+make check
 appstream-util validate %{buildroot}/%{_datadir}/appdata/*.xml || :
 
 %post
@@ -115,12 +125,12 @@ alternatives \
   --family  %{preffered_java}.%{_arch} \
   --slave   %{_bindir}/itweb-settings itweb-settings %{_prefix}/bin/itweb-settings%{binsuffix} \
   --slave   %{_bindir}/policyeditor policyeditor %{_prefix}/bin/policyeditor%{binsuffix} \
-  --slave   %{_bindir}/ControlPanel ControlPanel %{_prefix}/bin/itweb-settings%{binsuffix} \
-  --slave   %{_mandir}/man1/javaws.1.gz javaws.1.gz %{_mandir}/man1/javaws%{binsuffix}.1.gz \
-  --slave   %{_mandir}/man1/ControlPanel.1.gz ControlPanel.1.gz %{_mandir}/man1/itweb-settings.1.gz
+  --slave   %{_bindir}/ControlPanel	ControlPanel %{_prefix}/bin/itweb-settings%{binsuffix} \
+  --slave   %{_mandir}/man1/javaws.1.gz	javaws.1.gz	%{_mandir}/man1/javaws%{binsuffix}.1.gz \
+  --slave   %{_mandir}/man1/ControlPanel.1.gz ControlPanel.1.gz	%{_mandir}/man1/itweb-settings.1.gz
 
-gconftool-2 -s %{jnlphandler}/command  '%{_prefix}/bin/javaws%{binsuffix} %s' --type String &> /dev/null || :
-gconftool-2 -s %{jnlphandler}/enabled  --type Boolean true &> /dev/null || :
+gconftool-2 -s  %{jnlphandler}/command  '%{_prefix}/bin/javaws%{binsuffix} %s' --type String &> /dev/null || :
+gconftool-2 -s  %{jnlphandler}/enabled  --type Boolean true &> /dev/null || :
 gconftool-2 -s %{jnlpshandler}/command '%{_prefix}/bin/javaws%{binsuffix} %s' --type String &> /dev/null || :
 gconftool-2 -s %{jnlpshandler}/enabled --type Boolean true &> /dev/null || :
 
@@ -133,38 +143,36 @@ update-desktop-database &> /dev/null || :
 if [ $1 -eq 0 ]
 then
   alternatives --remove javaws %{_prefix}/bin/javaws%{binsuffix}
-  gconftool-2 -u %{jnlphandler}/command &> /dev/null || :
-  gconftool-2 -u %{jnlphandler}/enabled &> /dev/null || :
+  gconftool-2 -u  %{jnlphandler}/command &> /dev/null || :
+  gconftool-2 -u  %{jnlphandler}/enabled &> /dev/null || :
   gconftool-2 -u %{jnlpshandler}/command &> /dev/null || :
   gconftool-2 -u %{jnlpshandler}/enabled &> /dev/null || :
 fi
 exit 0
 
-%files
-%defattr(-,root,root)
+%files -f .mfiles -f icedtea-web.lang
 %license COPYING
 %{_sysconfdir}/bash_completion.d/*
-%{_bindir}/*
-%dir %{_datadir}/%{name}
-%{_datadir}/%{name}/*.jar
-%{_datadir}/%{name}/*.png
-%{_datadir}/appdata/*.xml
-%{_datadir}/pixmaps/*
-%{_datadir}/java/*
-%{_datadir}/javadoc/*
-%{_datadir}/maven-poms/*
+%config(noreplace) %{_sysconfdir}/java/icedtea-web/itw-modularjdk.args
+%{_prefix}/bin/*
 %{_datadir}/applications/*
-%{_datadir}/maven-metadata/*
+%{_datadir}/icedtea-web/*.jar
+%{_datadir}/icedtea-web/*.png
+%{_datadir}/pixmaps/*
+%{_datadir}/appdata/*.xml
 
 %files devel
-%defattr(-,root,root)
-%{_datadir}/%{name}/*.zip
+%license COPYING
+%{_datadir}/icedtea-web/*.zip
 
 %files help
-%doc NEWS README
-%defattr(-,root,root)
-%{_mandir}/*
+%doc COPYING NEWS README
+%{_datadir}/javadoc/icedtea-web
+%{_datadir}/man/man1/*
 
 %changelog
+* Mon Jun 8 2020 yaokai13 <yaokai13@huawei.com> - 1.8-3
+- Update to 1.8.3
+
 * Fri Feb 14 2020 wangzhishun1<wangzhishun1@huawei.com> - 1.7.1-11
 - Package init

patchOutDunce.patch

@@ -0,0 +1,11 @@
+--- a/rust-launcher/cc.toml
++++ b/rust-launcher/Cargo.toml
+@@ -2,7 +2,3 @@
+ name = "launcher"
+ version = "1.8.0"
+ authors = ["https://icedtea.classpath.org/wiki/IcedTea-Web"]
+-
+-[dependencies]
+-[target.'cfg(windows)'.dependencies]
+-dunce = "0.1.1"
+

testTuning.patch

@@ -0,0 +1,210 @@
+diff --git a/ChangeLog b/ChangeLog
+index ae837f39..014ac3ac 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,29 @@
++2019-06-26  Jiri Vanek <jvanek@redhat.com>
++
++	All files, except signaturre files, are now  checked for signatures - CVE-2019-10181
++	* b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java: (isMetaInfFile) fixed bug, when anything in META-INF was not
++	checked for signature. Now only signature files are skipped
++	* tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java: added tests for check if file should be skipped from 
++	signature check
++
++2019-06-26  Jiri Vanek <jvanek@redhat.com>
++
++	Nested jar, if by relative path point up, is stored as hashed - CVE-2019-10185
++	* tests/netx/unit/net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar: crafted jar with hacked zip entries to be named like ".."
++	* tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp: jnlp to call jar03_dotdotN1.jar
++	* netx/net/sourceforge/jnlp/cache/CacheUtil.jsava: (hex) made public to be reused in JNLPClassLoader
++	* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: if nested jar contains .. in path, is extracted as hashed
++
++2019-06-26  Jiri Vanek <jvanek@redhat.com>
++
++	Fixed bug when relative path (..) could leak up (even out of cache) - CVE-2019-10182
++	* netx/net/sourceforge/jnlp/cache/CacheUtil.java: if path or query contains .. is saved to cache via its hash 
++	* netx/net/sourceforge/jnlp/util/FileUtils.java: added warning about different behavior on win/linux
++	* tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java: added tests for hashing
++	* tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java:  added test for .. in path. Added test
++	that verifies encoded .. (%2E%2E) do not leak from cahce
++	* tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp: example jnlp with .. full url
++
+ 2019-03-12  Lars Herschke <lhersch@dssgmbh.de>
+ 
+ 	Hidden console on Windows
+diff --git a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
+index 6b0cd256..5dbf2d69 100644
+--- a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
++++ b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
+@@ -135,6 +135,14 @@ public class CacheUtilTest {
+         File r = CacheUtil.urlToPath(u, "/tmp/");
+         Assert.assertEquals(expected, r);
+     }
++
++    @Test
++    public void testQueryGotHAshedToo() throws Exception {
++        final URL u = new URL("https://example2.com/something/my.jar?../../harm");
++        final File expected = new File("/tmp/https/example2.com/2844b3c690ea355159ed61de6e727f2e9169ab55bf58b8fa3f4b64f6a25bd7.jar");
++        File r = CacheUtil.urlToPath(u, "/tmp/");
++        Assert.assertEquals(expected, r);
++    }
+     
+     
+     @Test
+diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
+index 2b28fb93..d86786ab 100644
+--- a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
++++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
+@@ -405,6 +405,8 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
+         JNLPRuntime.setTrustAll(true);
+         JNLPRuntime.setSecurityEnabled(false);
+         JNLPRuntime.setDebug(true);
++        String manifestAttsBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK);
++        JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, "NONE");
+         try {
+             final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/up.jnlp"));
+             final JNLPClassLoader classLoader1 = JNLPClassLoader.getInstance(jnlpFile1, UpdatePolicy.ALWAYS, false);
+@@ -419,6 +421,7 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
+             JNLPRuntime.setTrustAll(trustBackup);
+             JNLPRuntime.setSecurityEnabled(securityBAckup);
+             JNLPRuntime.setDebug(verbose);
++            JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, manifestAttsBackup);
+             as.stop();
+         }
+ 
+@@ -451,6 +454,11 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
+         JNLPRuntime.setTrustAll(true);
+         JNLPRuntime.setSecurityEnabled(false);
+         JNLPRuntime.setDebug(true);
++        //fix of "All files, except signaturre files, are now  checked for signatures" make this actually correctly failing ahead of time
++        String ignoreBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES);
++        JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES, "true");
++        String manifestAttsBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK);
++        JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, "NONE");
+         try {
+             //it is invalid jar, so we have to disable checks first
+             final JNLPFile jnlpFile = new JNLPFile(new URL("http://localhost:" + port + "/jar_03_dotdot_jarN1.jnlp"));
+@@ -488,10 +496,102 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
+             JNLPRuntime.setTrustAll(trustBackup);
+             JNLPRuntime.setSecurityEnabled(securityBAckup);
+             JNLPRuntime.setDebug(verbose);
++            JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES, ignoreBackup);
++            JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, manifestAttsBackup);
+             as.stop();
+         }
+ 
+     }
+ 
++    @Test(expected = Exception.class)
++    public void testDifferentSignatureInManifestMf() throws Exception {
++        CacheUtil.clearCache();
++        int port = ServerAccess.findFreePort();
++        File dir = FileTestUtils.createTempDirectory();
++        dir.deleteOnExit();
++        File jar = new File(dir,"jar03_dotdotN1.jar");
++        File jnlp = new File(dir,"jar_03_dotdot_jarN1.jnlp");
++        InputStream is1 = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp");
++        InputStream is2 = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar");
++        OutputStream fos1 = new FileOutputStream(jnlp);
++        OutputStream fos2 = new FileOutputStream(jar);
++        StreamUtils.copyStream(is1, fos1);
++        StreamUtils.copyStream(is2, fos2);
++        fos1.flush();;
++        fos2.flush();
++        fos1.close();
++        fos2.close();
++        ServerLauncher as = ServerAccess.getIndependentInstance(dir.getAbsolutePath(), port);
++        boolean verifyBackup = JNLPRuntime.isVerifying();
++        boolean trustBackup= JNLPRuntime.isTrustAll();
++        boolean securityBAckup= JNLPRuntime.isSecurityEnabled();
++        boolean verbose= JNLPRuntime.isDebug();
++        JNLPRuntime.setVerify(false);
++        JNLPRuntime.setTrustAll(true);
++        JNLPRuntime.setSecurityEnabled(false);
++        JNLPRuntime.setDebug(true);
++        String ignoreBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES);
++        JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES, "false");
++        try {
++            //it is invalid jar, so we have to disable checks first
++            final JNLPFile jnlpFile = new JNLPFile(new URL("http://localhost:" + port + "/jar_03_dotdot_jarN1.jnlp"));
++            final JNLPClassLoader classLoader = JNLPClassLoader.getInstance(jnlpFile, UpdatePolicy.ALWAYS, false);
++        } finally {
++            JNLPRuntime.setVerify(verifyBackup);
++            JNLPRuntime.setTrustAll(trustBackup);
++            JNLPRuntime.setSecurityEnabled(securityBAckup);
++            JNLPRuntime.setDebug(verbose);
++            JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES, ignoreBackup);
++            as.stop();
++        }
++
++    }
++
++    @Test
++    public void testEncodedPathIsNotDecodedForCache() throws Exception {
++        CacheUtil.clearCache();
++        int port = ServerAccess.findFreePort();
++        File dir = FileTestUtils.createTempDirectory();
++        dir.deleteOnExit();
++        dir = new File(dir,"base");
++        dir.mkdir();
++        File jar = new File(dir,"j1.jar");
++        File jnlp = new File(dir+"/a/b/upEncoded.jnlp");
++        jnlp.getParentFile().mkdirs();
++        InputStream is = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/upEncoded.jnlp");
++        String jnlpString = StreamUtils.readStreamAsString(is, true, "utf-8");
++        is.close();
++        jnlpString = jnlpString.replaceAll("8080", ""+port);
++        is = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/j1.jar");
++        StreamUtils.copyStream(is, new FileOutputStream(jar));
++        Files.write(jnlp.toPath(),jnlpString.getBytes("utf-8"));
++        ServerLauncher as = ServerAccess.getIndependentInstance(jnlp.getParent(), port);
++        boolean verifyBackup = JNLPRuntime.isVerifying();
++        boolean trustBackup= JNLPRuntime.isTrustAll();
++        boolean securityBAckup= JNLPRuntime.isSecurityEnabled();
++        boolean verbose= JNLPRuntime.isDebug();
++        JNLPRuntime.setVerify(false);
++        JNLPRuntime.setTrustAll(true);
++        JNLPRuntime.setSecurityEnabled(false);
++        JNLPRuntime.setDebug(true);
++        try {
++            final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/upEncoded.jnlp"));
++            final JNLPClassLoader classLoader1 = JNLPClassLoader.getInstance(jnlpFile1, UpdatePolicy.ALWAYS, false);
++            InputStream is1 = classLoader1.getResourceAsStream("Hello1.class");
++            is1.close();
++            is1 = classLoader1.getResourceAsStream("META-INF/MANIFEST.MF");
++            is1.close();
++            Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/0/http/localhost/"+port+"/upEncoded.jnlp").exists());
++            //be aware; if decoding ever come in play here, thios will leak out of cache folder. Thus harm user system. See fix for " Fixed bug when relative path (..) could leak up (even out of cache)"
++            Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/%2E%2E/%2E%2E/%2E%2E/base").exists());
++        } finally {
++            JNLPRuntime.setVerify(verifyBackup);
++            JNLPRuntime.setTrustAll(trustBackup);
++            JNLPRuntime.setSecurityEnabled(securityBAckup);
++            JNLPRuntime.setDebug(verbose);
++            as.stop();
++        }
++
++    }
+ 
+ }
+diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/upEncoded.jnlp b/tests/netx/unit/net/sourceforge/jnlp/runtime/upEncoded.jnlp
+new file mode 100644
+index 00000000..f0658bbc
+--- /dev/null
++++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/upEncoded.jnlp
+@@ -0,0 +1,15 @@
++<?xml version="1.0" encoding="UTF-8" standalone="no"?>
++<jnlp spec="6.0+" codebase=".">
++
++  <information><title>1965</title><vendor>Nemzeti Ado- es Vamhivatal</vendor><offline-allowed/></information>
++
++
++  <resources>
++    <j2se href="http://java.sun.com/products/autodl/j2se" version="1.8+" />
++    <!-- absolute url is a must -->
++    <jar href="http://localhost:8080/%2E%2E/%2E%2E/%2E%2E/base/j1.jar" version="2.0"/>
++  </resources>
++
++  <application-desc main-class="Hello1" />
++
++</jnlp>