packages/icedtea-web
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to 1.8.3

Browse Source
This commit is contained in:
yaokai13 2020-06-08 16:47:19 +08:00
parent eac11b1ce4
commit f9609e63fd
13 changed files with 6636 additions and 160 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
CVE-2019-10181-bin.patch Normal file
View File

@ -0,0 +1,29 @@
commit 78cf73473dda5ceee3eecda5169621f36b93c3db
Author: Jiri Vanek <jvanek@redhat.com>
Date: Tue Jun 18 15:37:47 2019 +0200
Fixed bug when relative path (..) could leak up (even out of cache)
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/j1.jar b/tests/netx/unit/net/sourceforge/jnlp/runtime/j1.jar
new file mode 100644
index 0000000000000000000000000000000000000000..080383629e9349101b25ad3b33b9950f456c4e8e
GIT binary patch
literal 940
zcmWIWW@Zs#VBp|jI8$@gj{yjnKm-tQGO#fCx`sIFdiuHP|2xINz|0VUqL}B}?nD=$
zLRTOL8i7#k>*(j{<{BKL=j-;__snS@Z(Y5MyxzK6=gyqp9At3C_`%a6JuhD!Pv48B
zt5`TAUPvC1mXy-W_#v*U_I!z!#dC4dC*rEp7_Mf2D*9N&h-B+wpcBjVOyp!385rgO
zF%QsIkJOx;d_%qDoW$bd+yGzi!wv$qm(}j7^={j?tnS+b#|}B3rtMwgjy58qN^v%-
zr7NR9DH;m?;ru6Kt5NZR{m0@XH$ya>z8h@*d~f#5?Z5wi{>l1)gISt)i*Ct=OD@;l
z_*XNnbC`d@B5b9WA4h5a`?iERY2}kH$gK>Co8qbR`L#ipq~WB1r7io)t!K6QFO+Y8
zd4#_!X6fXGd0U#-oH_o<C$sQ%%(23<iUm{oSY|P0^Ih9`@b^1yuY}77#kNV#$mE>+
z^UmoEt>Z`SH7e?KQVyAIp2S(6=9KzR)LP?4JI`drh1(g_I@n{6=G^}(w(~fj&p(CQ
zEQPnz7azUaU|eYS-QHn+&BOAdoDhYFthyHUm+r0--Ec49^|kwnXP%k`HyjN1b(^+I
z_w;^f+%a%4>;;D6o#rRf3Bb_H24Zdo8CWQ0C6*<IhHx@4Z@tSCJEv4AwzPtqfsy3}
zGXn!lJ5Z^%hVQA9K4Bi`JazQKK6soxdD1*&#j{620U8Y+BGXl-F|6G5=Zr|}og-&#
zdLK+$bY@S9t*veAkwssU&SotLQs7vpqvv_{>S=x5i`opQrayU-sgc^?8+>UCo7T#w
ztDZ6eqneRP1eBO?q(`6=kN`^RMAwR*IuZJGflRnoq_m1`0=ATfFkvx}iJb00I^~!_
tc>r7JN`N&2lPklL#+N_}suL2{tdOuq3+DiDRyL3>79ivRYUu-KN&w$EG4%id
literal 0
HcmV?d00001

323
CVE-2019-10181.patch Normal file
View File

@ -0,0 +1,323 @@
commit 78cf73473dda5ceee3eecda5169621f36b93c3db
Author: Jiri Vanek <jvanek@redhat.com>
Date: Tue Jun 18 15:37:47 2019 +0200
Fixed bug when relative path (..) could leak up (even out of cache)
--- a/netx/net/sourceforge/jnlp/cache/CacheUtil.java
+++ a/netx/net/sourceforge/jnlp/cache/CacheUtil.java
@@ -696,46 +696,68 @@
path.append(location.getPort());
path.append(File.separatorChar);
}
- path.append(location.getPath().replace('/', File.separatorChar));
- if (location.getQuery() != null && !location.getQuery().trim().isEmpty()) {
- path.append(".").append(location.getQuery());
- }
-
- File candidate = new File(FileUtils.sanitizePath(path.toString()));
- if (candidate.getName().length() > 255) {
- /**
- * When filename is longer then 255 chars, then then various
- * filesytems have issues to save it. By saving the file by its
- * summ, we are trying to prevent collision of two files differs in
- * suffixes (general suffix of name, not only 'filetype suffix')
- * only. It is also preventing bug when truncate (files with 1000
- * chars hash in query) cuts to much.
- */
+ String locationPath = location.getPath().replace('/', File.separatorChar);
+ if (locationPath.contains("..")){
try {
- MessageDigest md = MessageDigest.getInstance("SHA-256");
- byte[] sum = md.digest(candidate.getName().getBytes(StandardCharsets.UTF_8));
- //convert the byte to hex format method 2
- StringBuilder hexString = new StringBuilder();
- for (int i = 0; i < sum.length; i++) {
- hexString.append(Integer.toHexString(0xFF & sum[i]));
- }
- String extension = "";
- int i = candidate.getName().lastIndexOf('.');
- if (i > 0) {
- extension = candidate.getName().substring(i);//contains dot
- }
- if (extension.length() < 10 && extension.length() > 1) {
- hexString.append(extension);
- }
- candidate = new File(candidate.getParentFile(), hexString.toString());
+ /**
+ * if path contains .. then it can harm lcoal system
+ * So without mercy, hash it
+ */
+ String hexed = hex(new File(locationPath).getName(), locationPath);
+ return new File(path.toString(), hexed.toString());
} catch (NoSuchAlgorithmException ex) {
- // should not occure, cite from javadoc:
- // every java iomplementation should support
+ // should not occur, cite from javadoc:
+ // every java implementation should support
// MD5 SHA-1 SHA-256
throw new RuntimeException(ex);
}
- }
- return candidate;
+ } else {
+ path.append(locationPath);
+ if (location.getQuery() != null && !location.getQuery().trim().isEmpty()) {
+ path.append(".").append(location.getQuery());
+ }
+
+ File candidate = new File(FileUtils.sanitizePath(path.toString()));
+ try {
+ if (candidate.getName().length() > 255) {
+ /**
+ * When filename is longer then 255 chars, then then various
+ * filesystems have issues to save it. By saving the file by its
+ * sum, we are trying to prevent collision of two files differs in
+ * suffixes (general suffix of name, not only 'filetype suffix')
+ * only. It is also preventing bug when truncate (files with 1000
+ * chars hash in query) cuts to much.
+ */
+ String hexed = hex(candidate.getName(), candidate.getName());
+ candidate = new File(candidate.getParentFile(), hexed.toString());
+ }
+ } catch (NoSuchAlgorithmException ex) {
+ // should not occur, cite from javadoc:
+ // every java implementation should support
+ // MD5 SHA-1 SHA-256
+ throw new RuntimeException(ex);
+ }
+ return candidate;
+ }
+ }
+
+ private static String hex(String origName, String candidate) throws NoSuchAlgorithmException {
+ MessageDigest md = MessageDigest.getInstance("SHA-256");
+ byte[] sum = md.digest(candidate.getBytes(StandardCharsets.UTF_8));
+ //convert the byte to hex format method 2
+ StringBuilder hexString = new StringBuilder();
+ for (int i = 0; i < sum.length; i++) {
+ hexString.append(Integer.toHexString(0xFF & sum[i]));
+ }
+ String extension = "";
+ int i = origName.lastIndexOf('.');
+ if (i > 0) {
+ extension = origName.substring(i);//contains dot
+ }
+ if (extension.length() < 10 && extension.length() > 1) {
+ hexString.append(extension);
+ }
+ return hexString.toString();
}
/**
diff --git a/netx/net/sourceforge/jnlp/util/FileUtils.java b/netx/net/sourceforge/jnlp/util/FileUtils.java
index 89216375..a5356e08 100644
--- a/netx/net/sourceforge/jnlp/util/FileUtils.java
+++ b/netx/net/sourceforge/jnlp/util/FileUtils.java
@@ -183,6 +183,13 @@
*/
public static void createParentDir(File f, String eMsg) throws IOException {
File parent = f.getParentFile();
+ // warning, linux and windows behave differently. Below snippet will pass on win(security hole), fail on linux
+ // warning mkdir is canonicaling, but exists/isDirectory is not. So where mkdirs return true, and really creates dir, isDirectory can still return false
+ // can be seen on this example
+ // mkdirs /a/b/../c
+ // where b do not exists will lead creation of /a/c
+ // but exists on /a/b/../c is false on linux even afterwards
+ // without hexing of .. paths,
if (!parent.isDirectory() && !parent.mkdirs()) {
throw new IOException(R("RCantCreateDir",
eMsg == null ? parent : eMsg));
diff --git a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
index 6422246b..0d2d9811 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
@@ -88,6 +88,53 @@ public class CacheUtilTest {
final File expected = new File("/tmp/https/example.com/5050/applet/e4f3cf11f86f5aa33f424bc3efe3df7a9d20837a6f1a5bbbc60c1f57f3780a4");
Assert.assertEquals(expected, CacheUtil.urlToPath(u, "/tmp"));
}
+
+ @Test
+ public void tesPathUpNoGoBasic() throws Exception {
+ final URL u = new URL("https://example.com/applet/../my.jar");
+ final File expected = new File("/tmp/https/example.com/abca4723622ed60db3dea12cbe2402622a74f7a49b73e23b55988e4eee5ded.jar");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
+
+ @Test
+ public void tesPathUpNoGoBasicLong() throws Exception {
+ final URL u = new URL("https://example.com/applet/../my.jar.q_SlNFU1NJT05JRD02OUY1ODVCNkJBOTM1NThCQjdBMTA5RkQyNDZEQjEwRi5wcm9kX3RwdG9tY2F0MjE1X2p2bTsgRW50cnVzdFRydWVQYXNzUmVkaXJlY3RVcmw9Imh0dHBzOi8vZWZzLnVzcHRvLmdvdi9FRlNXZWJVSVJlZ2lzdGVyZWQvRUZTV2ViUmVnaXN0ZXJlZCI7IFRDUFJPRFBQQUlSc2Vzc2lvbj02MjIxMjk0MTguMjA0ODAuMDAwMA\"");
+ final File expected = new File("/tmp/https/example.com/ec97413e3f6eee8215ecc8375478cc1ae5f44f18241b9375361d5dfcd7b0ec");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
+
+ @Test
+ public void tesPathUpNoGoBasic2() throws Exception {
+ final URL u = new URL("https://example.com/../my.jar");
+ final File expected = new File("/tmp/https/example.com/eb1a56bed34523dbe7ad84d893ebc31a8bbbba9ce3f370e42741b6a5f067c140.jar");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
+
+ @Test
+ public void tesPathUpNoGoBasicEvil() throws Exception {
+ final URL u = new URL("https://example.com/../../my.jar");
+ final File expected = new File("/tmp/https/example.com/db464f11d68af73e37eefaef674517b6be23f0e4a5738aaee774ecf5b58f1bfc.jar");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
+
+ @Test
+ public void tesPathUpNoGoBasicEvil2() throws Exception {
+ final URL u = new URL("https://example.com:99/../../../my.jar");
+ final File expected = new File("/tmp/https/example.com/99/95401524c345e0d554d4d77330e86c98a77b9bb58a0f93094204df446b356.jar");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
+ @Test
+ public void tesPathUpNoGoBasicEvilest() throws Exception {
+ final URL u = new URL("https://example2.com/something/../../../../../../../../../../../my.jar");
+ final File expected = new File("/tmp/https/example2.com/a8df64388f5b84d5f635e4d6dea5f4d2f692ae5381f8ec6736825ff8d6ff2c0.jar");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
@Test
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
index 100d9150..7580d23b 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
@@ -43,6 +43,8 @@
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
+import java.net.URL;
+import java.nio.charset.Charset;
import java.nio.file.Files;
import java.util.Arrays;
import java.util.List;
@@ -55,6 +57,12 @@
import net.sourceforge.jnlp.browsertesting.browsers.firefox.FirefoxProfilesOperator;
import net.sourceforge.jnlp.cache.UpdatePolicy;
import net.sourceforge.jnlp.config.DeploymentConfiguration;
+import net.sourceforge.jnlp.config.PathsAndFiles;
+import net.sourceforge.jnlp.JNLPFile;
+import net.sourceforge.jnlp.ServerAccess;
+import net.sourceforge.jnlp.ServerLauncher;
+import net.sourceforge.jnlp.util.StreamUtils;
+import net.sourceforge.jnlp.cache.CacheUtil;
import net.sourceforge.jnlp.mock.DummyJNLPFileWithJar;
import net.sourceforge.jnlp.security.appletextendedsecurity.AppletSecurityLevel;
import net.sourceforge.jnlp.security.appletextendedsecurity.AppletStartupSecuritySettings;
@@ -65,6 +73,7 @@
import org.junit.BeforeClass;
import org.junit.Test;
+import org.junit.Ignore;
public class JNLPClassLoaderTest extends NoStdOutErrTest {
@@ -138,7 +147,8 @@
File tempDirectory = FileTestUtils.createTempDirectory();
File jarLocation = new File(tempDirectory, "test.jar");
- /* Test with main-class in manifest */ {
+ /* Test with main-class in manifest */
+ {
Manifest manifest = new Manifest();
manifest.getMainAttributes().put(Attributes.Name.MAIN_CLASS, "DummyClass");
FileTestUtils.createJarWithContents(jarLocation, manifest);
@@ -156,8 +166,10 @@
}
@Test
+ @Ignore
public void getMainClassNameTestEmpty() throws Exception {
- /* Test with-out any main-class specified */ {
+ /* Test with-out any main-class specified */
+ {
File tempDirectory = FileTestUtils.createTempDirectory();
File jarLocation = new File(tempDirectory, "test.jar");
FileTestUtils.createJarWithContents(jarLocation /* No contents */);
@@ -363,4 +375,57 @@
}
}
+
+ @Test
+ public void testRelativePathInUrl() throws Exception {
+ CacheUtil.clearCache();
+ int port = ServerAccess.findFreePort();
+ File dir = FileTestUtils.createTempDirectory();
+ dir.deleteOnExit();
+ dir = new File(dir,"base");
+ dir.mkdir();
+ File jar = new File(dir,"j1.jar");
+ File jnlp = new File(dir+"/a/b/up.jnlp");
+ jnlp.getParentFile().mkdirs();
+ InputStream is = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/up.jnlp");
+ String jnlpString = StreamUtils.readStreamAsString(is, true, "utf-8");
+ is.close();
+ jnlpString = jnlpString.replaceAll("8080", ""+port);
+ is = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/j1.jar");
+ StreamUtils.copyStream(is, new FileOutputStream(jar));
+ Files.write(jnlp.toPath(),jnlpString.getBytes("utf-8"));
+ ServerLauncher as = ServerAccess.getIndependentInstance(jnlp.getParent(), port);
+ boolean verifyBackup = JNLPRuntime.isVerifying();
+ boolean trustBackup= JNLPRuntime.isTrustAll();
+ boolean securityBAckup= JNLPRuntime.isSecurityEnabled();
+ boolean verbose= JNLPRuntime.isDebug();
+ JNLPRuntime.setVerify(false);
+ JNLPRuntime.setTrustAll(true);
+ JNLPRuntime.setSecurityEnabled(false);
+ JNLPRuntime.setDebug(true);
+ try {
+ final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/up.jnlp"));
+ final JNLPClassLoader classLoader1 = new JNLPClassLoader(jnlpFile1, UpdatePolicy.ALWAYS) {
+ @Override
+ protected void activateJars(List<JARDesc> jars) {
+ super.activateJars(jars);
+ }
+
+ };
+ InputStream is1 = classLoader1.getResourceAsStream("Hello1.class");
+ is1.close();
+ is1 = classLoader1.getResourceAsStream("META-INF/MANIFEST.MF");
+ is1.close();
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/0/http/localhost/"+port+"/up.jnlp").exists());
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/f812acb32c857fd916c842e2bf4fb32b9c3837ef63922b167a7e163305058b7.jar").exists());
+ } finally {
+ JNLPRuntime.setVerify(verifyBackup);
+ JNLPRuntime.setTrustAll(trustBackup);
+ JNLPRuntime.setSecurityEnabled(securityBAckup);
+ JNLPRuntime.setDebug(verbose);
+ as.stop();
+ }
+
+ }
+
}
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp b/tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp
new file mode 100644
index 00000000..b22fdfb7
--- /dev/null
+++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<jnlp spec="6.0+" codebase=".">
+
+<information><title>1965</title><vendor>Nemzeti Ado- es Vamhivatal</vendor><offline-allowed/></information>
+
+
+<resources>
+ <j2se href="http://java.sun.com/products/autodl/j2se" version="1.8+" />
+<!-- absolute url is a must -->
+ <jar href="http://localhost:8080/../../../base/j1.jar" version="2.0"/>
+</resources>
+
+<application-desc main-class="Hello1" />
+
+</jnlp>

78
CVE-2019-10182.patch Normal file
View File

@ -0,0 +1,78 @@
commit 09bcd3ebb639af6cfd83ff2203ffeb80a59cc0eb
Author: Jiri Vanek <jvanek@redhat.com>
Date: Fri Jun 28 16:05:35 2019 +0200
All files, except signaturre files, are now checked for signatures
diff --git a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
index 759bedfb..cabfb3c5 100644
--- a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
+++ b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
@@ -41,6 +41,7 @@
import java.util.Map;
import java.util.Vector;
import java.util.jar.JarEntry;
+import java.util.regex.Pattern;
import net.sourceforge.jnlp.JARDesc;
import net.sourceforge.jnlp.JNLPFile;
@@ -67,6 +68,7 @@
public class JarCertVerifier implements CertVerifier {
private static final String META_INF = "META-INF/";
+ private static final Pattern SIG = Pattern.compile(".*" + META_INF + "SIG-.*");
// prefix for new signature-related files in META-INF directory
private static final String SIG_PREFIX = META_INF + "SIG-";
@@ -500,12 +502,20 @@
/**
* Returns whether a file is in META-INF, and thus does not require signing.
- *
+ * <p>
* Signature-related files under META-INF include: . META-INF/MANIFEST.MF . META-INF/SIG-* . META-INF/*.SF . META-INF/*.DSA . META-INF/*.RSA
*/
static boolean isMetaInfFile(String name) {
- String ucName = name.toUpperCase();
- return ucName.startsWith(META_INF);
+ if (name.endsWith("class")) {
+ return false;
+ }
+ return name.startsWith(META_INF) && (
+ name.endsWith(".MF") ||
+ name.endsWith(".SF") ||
+ name.endsWith(".DSA") ||
+ name.endsWith(".RSA") ||
+ SIG.matcher(name).matches()
+ );
}
/**
diff --git a/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java b/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
index 4661fb87..44253e08 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
@@ -58,9 +58,22 @@ public class JarCertVerifierTest {
@Test
public void testIsMetaInfFile() {
final String METAINF = "META-INF";
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.MF"));
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.SF"));
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.DSA"));
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.RSA"));
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/SIG-blah.blah"));
+
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.MF.class"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.SF.class"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.DSA.class"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.RSA.class"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/SIG-blah.blah.class"));
+
assertFalse(JarCertVerifier.isMetaInfFile("some_dir/" + METAINF + "/filename"));
assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "filename"));
- assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
}
class JarCertVerifierEntry extends JarEntry {

5709
CVE-2019-10185-bin.patch Normal file
View File

File diff suppressed because it is too large Load Diff

160
CVE-2019-10185.patch Normal file
View File

@ -0,0 +1,160 @@
commit b4232ae35d2b86592a945a56c948f107fe7efabe
Author: Jiri Vanek <jvanek@redhat.com>
Date: Wed Jun 26 13:46:45 2019 +0200
Nested jar, if by relative path point up, is stored as hashed
diff --git a/netx/net/sourceforge/jnlp/cache/CacheUtil.java b/netx/net/sourceforge/jnlp/cache/CacheUtil.java
index a972eb8e..5c8652b6 100644
--- a/netx/net/sourceforge/jnlp/cache/CacheUtil.java
+++ b/netx/net/sourceforge/jnlp/cache/CacheUtil.java
@@ -741,7 +741,7 @@
}
}
- private static String hex(String origName, String candidate) throws NoSuchAlgorithmException {
+ public static String hex(String origName, String candidate) throws NoSuchAlgorithmException {
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] sum = md.digest(candidate.getBytes(StandardCharsets.UTF_8));
//convert the byte to hex format method 2
diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
index e015f348..117163f3 100644
--- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
@@ -1340,7 +1340,11 @@
// (inline loading with "jar:..!/..." path will not work
// with standard classloader methods)
- String extractedJarLocation = localFile + ".nested/" + je.getName();
+ String name = je.getName();
+ if (name.contains("..")){
+ name=CacheUtil.hex(name, name);
+ }
+ String extractedJarLocation = localFile + ".nested/" + name;
File parentDir = new File(extractedJarLocation).getParentFile();
if (!parentDir.isDirectory() && !parentDir.mkdirs()) {
throw new RuntimeException(R("RNestedJarExtration"));
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
index 7580d23b..a20a1d8f 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
@@ -43,6 +43,8 @@
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
+import java.io.OutputStream;
+import net.sourceforge.jnlp.ResourcesDesc;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.file.Files;
@@ -407,13 +409,7 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
JNLPRuntime.setDebug(true);
try {
final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/up.jnlp"));
- final JNLPClassLoader classLoader1 = new JNLPClassLoader(jnlpFile1, UpdatePolicy.ALWAYS) {
- @Override
- protected void activateJars(List<JARDesc> jars) {
- super.activateJars(jars);
- }
-
- };
+ final JNLPClassLoader classLoader1 = JNLPClassLoader.getInstance(jnlpFile1, UpdatePolicy.ALWAYS, false);
InputStream is1 = classLoader1.getResourceAsStream("Hello1.class");
is1.close();
is1 = classLoader1.getResourceAsStream("META-INF/MANIFEST.MF");
@@ -430,4 +426,74 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
}
+ @Test
+ public void testRelativePathInNestedJars() throws Exception {
+ CacheUtil.clearCache();
+ int port = ServerAccess.findFreePort();
+ File dir = FileTestUtils.createTempDirectory();
+ dir.deleteOnExit();
+ File jar = new File(dir,"jar03_dotdotN1.jar");
+ File jnlp = new File(dir,"jar_03_dotdot_jarN1.jnlp");
+ InputStream is1 = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp");
+ InputStream is2 = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar");
+ OutputStream fos1 = new FileOutputStream(jnlp);
+ OutputStream fos2 = new FileOutputStream(jar);
+ StreamUtils.copyStream(is1, fos1);
+ StreamUtils.copyStream(is2, fos2);
+ fos1.flush();;
+ fos2.flush();
+ fos1.close();
+ fos2.close();
+ ServerLauncher as = ServerAccess.getIndependentInstance(dir.getAbsolutePath(), port);
+ boolean verifyBackup = JNLPRuntime.isVerifying();
+ boolean trustBackup= JNLPRuntime.isTrustAll();
+ boolean securityBAckup= JNLPRuntime.isSecurityEnabled();
+ boolean verbose= JNLPRuntime.isDebug();
+ JNLPRuntime.setVerify(false);
+ JNLPRuntime.setTrustAll(true);
+ JNLPRuntime.setSecurityEnabled(false);
+ JNLPRuntime.setDebug(true);
+ try {
+ //it is invalid jar, so we have to disable checks first
+ final JNLPFile jnlpFile = new JNLPFile(new URL("http://localhost:" + port + "/jar_03_dotdot_jarN1.jnlp"));
+ final JNLPClassLoader classLoader = JNLPClassLoader.getInstance(jnlpFile, UpdatePolicy.ALWAYS, false);
+
+ //ThreadGroup group = Thread.currentThread().getThreadGroup();
+ //ApplicationInstance app = new ApplicationInstance(jnlpFile, group, classLoader);
+ //classLoader.setApplication(app);
+ //app.initialize();
+
+ //this test is actually not testing mutch. The app must be accessing the nested jar in plugin-like way
+ InputStream is = classLoader.getResourceAsStream("application/abev/nyomtatvanyinfo/1965.teminfo.enyk");
+ is.close();
+ is = classLoader.getResourceAsStream("META-INF/MANIFEST.MF");
+ is.close();
+ is = classLoader.getResourceAsStream("META-INF/j1.jar");
+ is.close();
+ is = classLoader.getResourceAsStream("META-INF/../../jar01_to_be_injected.jar");
+ //the .. is not recognized correctly
+ //is.close();
+ //Class c = classLoader.getClass().forName("Hello1");
+ // in j1.jar
+ is = classLoader.getResourceAsStream("Hello1.class");
+ //is.close(); nested jar is not on defualt CP
+ //in jar01
+ //c = classLoader.getClass().forName("com.devdaily.FileUtilities");
+ is = classLoader.getResourceAsStream("com/devdaily/FileUtilities.class");
+ // is.close(); nested jar is not on defualt CP
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/0/http/localhost/"+port+"/jar_03_dotdot_jarN1.jnlp").exists());
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/jar03_dotdotN1.jar").exists());
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/jar03_dotdotN1.jar.nested/99a90686bfbe84e3f9dbeed8127bba85672ed73688d3c69191aa1ee70916a.jar").exists());
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/jar03_dotdotN1.jar.nested/META-INF/j1.jar").exists());
+ } finally {
+ JNLPRuntime.setVerify(verifyBackup);
+ JNLPRuntime.setTrustAll(trustBackup);
+ JNLPRuntime.setSecurityEnabled(securityBAckup);
+ JNLPRuntime.setDebug(verbose);
+ as.stop();
+ }
+
+ }
+
+
}
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp b/tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp
new file mode 100644
index 00000000..71bdea87
--- /dev/null
+++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<jnlp spec="6.0+" >
+
+<information><title>1965</title><vendor>Nemzeti Ado- es Vamhivatal</vendor><offline-allowed/></information>
+
+<security><all-permissions/></security>
+
+<resources>
+ <j2se href="http://java.sun.com/products/autodl/j2se" version="1.8+" />
+ <jar href="jar03_dotdotN1.jar" version="2.0"/>
+</resources>
+
+<application-desc main-class="http://localhost/jar01.jar!META-INF/jar01_to_be_injected.jar!METAxINF.Test" />
+
+</jnlp>

23
PreventiveleQueue.patch Normal file
View File

@ -0,0 +1,23 @@
commit 5437234c59f6c375a8ad0b07f93d459eefd571ba
Author: Jiri Vanek <jvanek@redhat.com>
Date: Tue Jul 9 12:10:39 2019 +0200
Preventively, hash also .. in queue
diff --git a/netx/net/sourceforge/jnlp/cache/CacheUtil.java b/netx/net/sourceforge/jnlp/cache/CacheUtil.java
index 5c8652b6..15e8865c 100644
--- a/netx/net/sourceforge/jnlp/cache/CacheUtil.java
+++ b/netx/net/sourceforge/jnlp/cache/CacheUtil.java
@@ -703,7 +703,11 @@ public class CacheUtil {
path.append(File.separatorChar);
}
String locationPath = location.getPath().replace('/', File.separatorChar);
- if (locationPath.contains("..")){
+ String query = "";
+ if (location.getQuery() != null) {
+ query = location.getQuery();
+ }
+ if (locationPath.contains("..") || query.contains("..")){
try {
/**
* if path contains .. then it can harm lcoal system

36
README.en.md
View File

@ -1,36 +0,0 @@
# icedtea-web
#### Description
{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
#### Software Architecture
Software architecture description
#### Installation
1. xxxx
2. xxxx
3. xxxx
#### Instructions
1. xxxx
2. xxxx
3. xxxx
#### Contribution
1. Fork the repository
2. Create Feat_xxx branch
3. Commit your code
4. Create Pull Request
#### Gitee Feature
1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
4. The most valuable open source project [GVP](https://gitee.com/gvp)
5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)

39
README.md
View File

@ -1,39 +0,0 @@
# icedtea-web
#### 介绍
{**以下是码云平台说明,您可以替换此简介**
码云是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN。专为开发者提供稳定、高效、安全的云端软件开发协作平台
无论是个人、团队、或是企业,都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
#### 软件架构
软件架构说明
#### 安装教程
1. xxxx
2. xxxx
3. xxxx
#### 使用说明
1. xxxx
2. xxxx
3. xxxx
#### 参与贡献
1. Fork 本仓库
2. 新建 Feat_xxx 分支
3. 提交代码
4. 新建 Pull Request
#### 码云特技
1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md
2. 码云官方博客 [blog.gitee.com](https://blog.gitee.com)
3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
4. [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目,是码云综合评定出的优秀开源项目
5. 码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
6. 码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)

BIN
icedtea-web-1.7.1.tar.gz
View File

Binary file not shown.

BIN
icedtea-web-1.8.tar.gz Normal file
View File

Binary file not shown.

178
icedtea-web.spec
View File

@ -1,57 +1,67 @@
%define javaver 1.8.0 %define javaver 1.8.0
%define priority 18000 %define priority 18000
%define gurlhandler /desktop/gnome/url-handlers %define gurlhandler /desktop/gnome/url-handlers
%define jnlphandler %{gurlhandler}/jnlp %define jnlphandler %{gurlhandler}/jnlp
%define jnlpshandler %{gurlhandler}/jnlps %define jnlpshandler %{gurlhandler}/jnlps
%define javadir %{_jvmdir}/java-%{javaver}-openjdk %define javadir %{_jvmdir}/java-%{javaver}-openjdk
%define jredir %{_jvmdir}/jre-%{javaver}-openjdk %define jredir %{_jvmdir}/jre-%{javaver}-openjdk
%define binsuffix .itweb %define binsuffix .itweb
%define preffered_java java-%{javaver}-openjdk %define preffered_java java-%{javaver}-openjdk
%global debug_package %{nil}
Name: icedtea-web
Version: 1.8
Release: 3
Summary: Free Software web browser plugin running Java applets
License: LGPLv2+ and GPLv2 with exceptions
URL: http://icedtea.classpath.org/wiki/IcedTea-Web
Source0: http://icedtea.classpath.org/download/source/%{name}-%{version}.tar.gz
Patch0000: patchOutDunce.patch
Patch0001: CVE-2019-10181.patch
Patch0002: CVE-2019-10182.patch
Patch0003: CVE-2019-10185.patch
Patch0004: PreventiveleQueue.patch
Patch0011: CVE-2019-10181-bin.patch
Patch0033: CVE-2019-10185-bin.patch
Patch0005: testTuning.patch
Name: icedtea-web BuildRequires: javapackages-tools javapackages-local %{preffered_java}-devel
Version: 1.7.1 BuildRequires: desktop-file-utils glib2-devel autoconf automake cargo junit hamcrest
Release: 11 BuildRequires: libappstream-glib tagsoup git
Summary: Free Software web browser plugin running Java applets Requires: %{preffered_java} javapackages-tools tagsoup
License: LGPLv2+ and GPLv2 with exceptions Recommends: bash-completion
URL: http://icedtea.classpath.org/wiki/IcedTea-Web
Source0: http://icedtea.classpath.org/download/source/%{name}-%{version}.tar.gz
BuildArch: noarch Requires(post): chkconfig >= 1.7 GConf2
BuildRequires: gcc-c++ junit hamcrest libappstream-glib tagsoup Requires(post): javapackages-tools %{_sbindir}/alternatives
BuildRequires: desktop-file-utils glib2-devel autoconf automake gcc
BuildRequires: javapackages-tools javapackages-local %{preffered_java}-devel
Requires: mozilla-filesystem%{?_isa}
Requires: %{preffered_java} javapackages-tools tagsoup
Recommends: bash-completion
Requires(post): chkconfig >= 1.7 GConf2 Requires(postun): chkconfig >= 1.7 GConf2
Requires(post): javapackages-tools %{_sbindir}/alternatives Requires(postun): javapackages-tools %{_sbindir}/alternatives
Requires(postun): javapackages-tools GConf2
Requires(postun): %{_sbindir}/alternatives chkconfig >= 1.7
Provides: java-plugin = 1:%{javaver} javaws = 1:%{javaver} Provides: javaws = 1:%{javaver}
Provides: %{preffered_java}-plugin = 1:%{version} Provides: %{preffered_java}-javaws = 1:%{version}
Provides: %{name}-javadoc = %{version}-%{release}
Obsoletes: %{name}-javadoc < %{version}-%{release}
%description %description
The IcedTea-Web project provides a Free Software web browser plugin The IcedTea-Web project provides a Free Software web browser plugin for running applets written in the Java programming language and an implementation of Java Web Start, originally based on the NetX project.
for running applets written in the Java programming language and an
implementation of Java Web Start, originally based on the NetX
project.
%package devel %package devel
Summary: Header files for ${name} Summary: Header files for icedtea-web
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
BuildArch: noarch BuildArch: noarch
%description devel %description devel
Header files for ${name}. Header files for icedtea-web.
%package_help %package help
Summary: Help documents for icedtea-web
Requires: %{name} = %{version}-%{release}
Provides: %{name}-javadoc = %{version}-%{release}
Obsoletes: %{name}-javadoc < %{version}-%{release}
BuildArch: noarch
%description help
Help documents for icedtea-web.
%prep %prep
%autosetup -n %{name}-%{version} -p1 %autosetup -n %{name}-%{version} -p1 -S git
%build %build
autoreconf -vfi autoreconf -vfi
@ -64,19 +74,19 @@ CXXFLAGS="$RPM_OPT_FLAGS $RPM_LD_FLAGS" \
--libdir=%{_libdir} \ --libdir=%{_libdir} \
--program-suffix=%{binsuffix} \ --program-suffix=%{binsuffix} \
--disable-native-plugin \ --disable-native-plugin \
--with-itw-libs=DISTRIBUTION \
--with-modularjdk-file=%{_sysconfdir}/java/%{name} \
--prefix=%{_prefix} --prefix=%{_prefix}
%make_build %make_build
%install %install
%make_install %make_install
mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d/ install -d %{buildroot}%{_sysconfdir}/bash_completion.d/
mv completion/javaws.bash %{buildroot}%{_sysconfdir}/bash_completion.d/
mv completion/policyeditor.bash %{buildroot}%{_sysconfdir}/bash_completion.d/ mv completion/policyeditor.bash %{buildroot}%{_sysconfdir}/bash_completion.d/
mv completion/javaws.bash %{buildroot}%{_sysconfdir}/bash_completion.d/
mv completion/itweb-settings.bash %{buildroot}%{_sysconfdir}/bash_completion.d/ mv completion/itweb-settings.bash %{buildroot}%{_sysconfdir}/bash_completion.d/
mv %{buildroot}/%{_mandir}/man1/javaws.1 %{buildroot}/%{_mandir}/man1/javaws.itweb.1 mv %{buildroot}/%{_mandir}/man1/javaws.1 %{buildroot}/%{_mandir}/man1/javaws.itweb.1
install -d -m 755 %{buildroot}%{_datadir}/{applications,pixmaps} install -d -m 755 %{buildroot}%{_datadir}/{applications,pixmaps}
desktop-file-install --vendor ''\ desktop-file-install --vendor ''\
--dir %{buildroot}%{_datadir}/applications javaws.desktop --dir %{buildroot}%{_datadir}/applications javaws.desktop
@ -85,28 +95,28 @@ desktop-file-install --vendor ''\
desktop-file-install --vendor ''\ desktop-file-install --vendor ''\
--dir %{buildroot}%{_datadir}/applications policyeditor.desktop --dir %{buildroot}%{_datadir}/applications policyeditor.desktop
DESTDIR=%{buildroot} appstream-util install metadata/%{name}.metainfo.xml DESTDIR=%{buildroot} appstream-util install metadata/icedtea-web.metainfo.xml
DESTDIR=%{buildroot} appstream-util install metadata/%{name}-javaws.appdata.xml DESTDIR=%{buildroot} appstream-util install metadata/icedtea-web-javaws.appdata.xml
mkdir -p %{buildroot}%{_javadir} install -d %{buildroot}%{_javadir}
pushd %{buildroot}%{_javadir} cd %{buildroot}%{_javadir}
ln -s ../%{name}/netx.jar %{name}.jar ln -s ../icedtea-web/javaws.jar icedtea-web.jar
ln -s ../%{name}/plugin.jar %{name}-plugin.jar ln -s ../icedtea-web/plugin.jar icedtea-web-plugin.jar
popd cd -
mkdir -p %{buildroot}/%{_mavenpomdir}
cp metadata/%{name}.pom %{buildroot}/%{_mavenpomdir}/%{name}.pom
cp metadata/%{name}-plugin.pom %{buildroot}/%{_mavenpomdir}/%{name}-plugin.pom
%add_maven_depmap %{name}.pom %{name}.jar install -d %{buildroot}/%{_mavenpomdir}
%add_maven_depmap %{name}-plugin.pom %{name}-plugin.jar cp metadata/icedtea-web.pom %{buildroot}/%{_mavenpomdir}/icedtea-web.pom
cp metadata/icedtea-web-plugin.pom %{buildroot}/%{_mavenpomdir}/icedtea-web-plugin.pom
cp netx.build/lib/src.zip %{buildroot}%{_datadir}/%{name}/netx.src.zip %add_maven_depmap icedtea-web.pom icedtea-web.jar
cp liveconnect/lib/src.zip %{buildroot}%{_datadir}/%{name}/plugin.src.zip %add_maven_depmap icedtea-web-plugin.pom icedtea-web-plugin.jar
%find_lang %{name} --all-name --with-man cp netx.build/lib/src.zip %{buildroot}%{_datadir}/icedtea-web/javaws.src.zip
cp liveconnect/lib/src.zip %{buildroot}%{_datadir}/icedtea-web/plugin.src.zip
%find_lang icedtea-web --all-name --with-man
%check %check
#make check make check
appstream-util validate %{buildroot}/%{_datadir}/appdata/*.xml || : appstream-util validate %{buildroot}/%{_datadir}/appdata/*.xml || :
%post %post
@ -115,12 +125,12 @@ alternatives \
--family %{preffered_java}.%{_arch} \ --family %{preffered_java}.%{_arch} \
--slave %{_bindir}/itweb-settings itweb-settings %{_prefix}/bin/itweb-settings%{binsuffix} \ --slave %{_bindir}/itweb-settings itweb-settings %{_prefix}/bin/itweb-settings%{binsuffix} \
--slave %{_bindir}/policyeditor policyeditor %{_prefix}/bin/policyeditor%{binsuffix} \ --slave %{_bindir}/policyeditor policyeditor %{_prefix}/bin/policyeditor%{binsuffix} \
--slave %{_bindir}/ControlPanel ControlPanel %{_prefix}/bin/itweb-settings%{binsuffix} \ --slave %{_bindir}/ControlPanel ControlPanel %{_prefix}/bin/itweb-settings%{binsuffix} \
--slave %{_mandir}/man1/javaws.1.gz javaws.1.gz %{_mandir}/man1/javaws%{binsuffix}.1.gz \ --slave %{_mandir}/man1/javaws.1.gz javaws.1.gz %{_mandir}/man1/javaws%{binsuffix}.1.gz \
--slave %{_mandir}/man1/ControlPanel.1.gz ControlPanel.1.gz %{_mandir}/man1/itweb-settings.1.gz --slave %{_mandir}/man1/ControlPanel.1.gz ControlPanel.1.gz %{_mandir}/man1/itweb-settings.1.gz
gconftool-2 -s %{jnlphandler}/command '%{_prefix}/bin/javaws%{binsuffix} %s' --type String &> /dev/null || : gconftool-2 -s %{jnlphandler}/command '%{_prefix}/bin/javaws%{binsuffix} %s' --type String &> /dev/null || :
gconftool-2 -s %{jnlphandler}/enabled --type Boolean true &> /dev/null || : gconftool-2 -s %{jnlphandler}/enabled --type Boolean true &> /dev/null || :
gconftool-2 -s %{jnlpshandler}/command '%{_prefix}/bin/javaws%{binsuffix} %s' --type String &> /dev/null || : gconftool-2 -s %{jnlpshandler}/command '%{_prefix}/bin/javaws%{binsuffix} %s' --type String &> /dev/null || :
gconftool-2 -s %{jnlpshandler}/enabled --type Boolean true &> /dev/null || : gconftool-2 -s %{jnlpshandler}/enabled --type Boolean true &> /dev/null || :
@ -133,38 +143,36 @@ update-desktop-database &> /dev/null || :
if [ $1 -eq 0 ] if [ $1 -eq 0 ]
then then
alternatives --remove javaws %{_prefix}/bin/javaws%{binsuffix} alternatives --remove javaws %{_prefix}/bin/javaws%{binsuffix}
gconftool-2 -u %{jnlphandler}/command &> /dev/null || : gconftool-2 -u %{jnlphandler}/command &> /dev/null || :
gconftool-2 -u %{jnlphandler}/enabled &> /dev/null || : gconftool-2 -u %{jnlphandler}/enabled &> /dev/null || :
gconftool-2 -u %{jnlpshandler}/command &> /dev/null || : gconftool-2 -u %{jnlpshandler}/command &> /dev/null || :
gconftool-2 -u %{jnlpshandler}/enabled &> /dev/null || : gconftool-2 -u %{jnlpshandler}/enabled &> /dev/null || :
fi fi
exit 0 exit 0
%files %files -f .mfiles -f icedtea-web.lang
%defattr(-,root,root)
%license COPYING %license COPYING
%{_sysconfdir}/bash_completion.d/* %{_sysconfdir}/bash_completion.d/*
%{_bindir}/* %config(noreplace) %{_sysconfdir}/java/icedtea-web/itw-modularjdk.args
%dir %{_datadir}/%{name} %{_prefix}/bin/*
%{_datadir}/%{name}/*.jar
%{_datadir}/%{name}/*.png
%{_datadir}/appdata/*.xml
%{_datadir}/pixmaps/*
%{_datadir}/java/*
%{_datadir}/javadoc/*
%{_datadir}/maven-poms/*
%{_datadir}/applications/* %{_datadir}/applications/*
%{_datadir}/maven-metadata/* %{_datadir}/icedtea-web/*.jar
%{_datadir}/icedtea-web/*.png
%{_datadir}/pixmaps/*
%{_datadir}/appdata/*.xml
%files devel %files devel
%defattr(-,root,root) %license COPYING
%{_datadir}/%{name}/*.zip %{_datadir}/icedtea-web/*.zip
%files help %files help
%doc NEWS README %doc COPYING NEWS README
%defattr(-,root,root) %{_datadir}/javadoc/icedtea-web
%{_mandir}/* %{_datadir}/man/man1/*
%changelog %changelog
* Mon Jun 8 2020 yaokai13 <yaokai13@huawei.com> - 1.8-3
- Update to 1.8.3
* Fri Feb 14 2020 wangzhishun1<wangzhishun1@huawei.com> - 1.7.1-11 * Fri Feb 14 2020 wangzhishun1<wangzhishun1@huawei.com> - 1.7.1-11
- Package init - Package init

11
patchOutDunce.patch Normal file
View File

@ -0,0 +1,11 @@
--- a/rust-launcher/cc.toml
+++ b/rust-launcher/Cargo.toml
@@ -2,7 +2,3 @@
name = "launcher"
version = "1.8.0"
authors = ["https://icedtea.classpath.org/wiki/IcedTea-Web"]
-
-[dependencies]
-[target.'cfg(windows)'.dependencies]
-dunce = "0.1.1"

210
testTuning.patch Normal file
View File

@ -0,0 +1,210 @@
diff --git a/ChangeLog b/ChangeLog
index ae837f39..014ac3ac 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,29 @@
+2019-06-26 Jiri Vanek <jvanek@redhat.com>
+
+ All files, except signaturre files, are now checked for signatures - CVE-2019-10181
+ * b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java: (isMetaInfFile) fixed bug, when anything in META-INF was not
+ checked for signature. Now only signature files are skipped
+ * tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java: added tests for check if file should be skipped from
+ signature check
+
+2019-06-26 Jiri Vanek <jvanek@redhat.com>
+
+ Nested jar, if by relative path point up, is stored as hashed - CVE-2019-10185
+ * tests/netx/unit/net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar: crafted jar with hacked zip entries to be named like ".."
+ * tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp: jnlp to call jar03_dotdotN1.jar
+ * netx/net/sourceforge/jnlp/cache/CacheUtil.jsava: (hex) made public to be reused in JNLPClassLoader
+ * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: if nested jar contains .. in path, is extracted as hashed
+
+2019-06-26 Jiri Vanek <jvanek@redhat.com>
+
+ Fixed bug when relative path (..) could leak up (even out of cache) - CVE-2019-10182
+ * netx/net/sourceforge/jnlp/cache/CacheUtil.java: if path or query contains .. is saved to cache via its hash
+ * netx/net/sourceforge/jnlp/util/FileUtils.java: added warning about different behavior on win/linux
+ * tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java: added tests for hashing
+ * tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java: added test for .. in path. Added test
+ that verifies encoded .. (%2E%2E) do not leak from cahce
+ * tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp: example jnlp with .. full url
+
2019-03-12 Lars Herschke <lhersch@dssgmbh.de>
Hidden console on Windows
diff --git a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
index 6b0cd256..5dbf2d69 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java
@@ -135,6 +135,14 @@ public class CacheUtilTest {
File r = CacheUtil.urlToPath(u, "/tmp/");
Assert.assertEquals(expected, r);
}
+
+ @Test
+ public void testQueryGotHAshedToo() throws Exception {
+ final URL u = new URL("https://example2.com/something/my.jar?../../harm");
+ final File expected = new File("/tmp/https/example2.com/2844b3c690ea355159ed61de6e727f2e9169ab55bf58b8fa3f4b64f6a25bd7.jar");
+ File r = CacheUtil.urlToPath(u, "/tmp/");
+ Assert.assertEquals(expected, r);
+ }
@Test
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
index 2b28fb93..d86786ab 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java
@@ -405,6 +405,8 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
JNLPRuntime.setTrustAll(true);
JNLPRuntime.setSecurityEnabled(false);
JNLPRuntime.setDebug(true);
+ String manifestAttsBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, "NONE");
try {
final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/up.jnlp"));
final JNLPClassLoader classLoader1 = JNLPClassLoader.getInstance(jnlpFile1, UpdatePolicy.ALWAYS, false);
@@ -419,6 +421,7 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
JNLPRuntime.setTrustAll(trustBackup);
JNLPRuntime.setSecurityEnabled(securityBAckup);
JNLPRuntime.setDebug(verbose);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, manifestAttsBackup);
as.stop();
}
@@ -451,6 +454,11 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
JNLPRuntime.setTrustAll(true);
JNLPRuntime.setSecurityEnabled(false);
JNLPRuntime.setDebug(true);
+ //fix of "All files, except signaturre files, are now checked for signatures" make this actually correctly failing ahead of time
+ String ignoreBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES, "true");
+ String manifestAttsBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, "NONE");
try {
//it is invalid jar, so we have to disable checks first
final JNLPFile jnlpFile = new JNLPFile(new URL("http://localhost:" + port + "/jar_03_dotdot_jarN1.jnlp"));
@@ -488,10 +496,102 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest {
JNLPRuntime.setTrustAll(trustBackup);
JNLPRuntime.setSecurityEnabled(securityBAckup);
JNLPRuntime.setDebug(verbose);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES, ignoreBackup);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK, manifestAttsBackup);
as.stop();
}
}
+ @Test(expected = Exception.class)
+ public void testDifferentSignatureInManifestMf() throws Exception {
+ CacheUtil.clearCache();
+ int port = ServerAccess.findFreePort();
+ File dir = FileTestUtils.createTempDirectory();
+ dir.deleteOnExit();
+ File jar = new File(dir,"jar03_dotdotN1.jar");
+ File jnlp = new File(dir,"jar_03_dotdot_jarN1.jnlp");
+ InputStream is1 = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp");
+ InputStream is2 = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar");
+ OutputStream fos1 = new FileOutputStream(jnlp);
+ OutputStream fos2 = new FileOutputStream(jar);
+ StreamUtils.copyStream(is1, fos1);
+ StreamUtils.copyStream(is2, fos2);
+ fos1.flush();;
+ fos2.flush();
+ fos1.close();
+ fos2.close();
+ ServerLauncher as = ServerAccess.getIndependentInstance(dir.getAbsolutePath(), port);
+ boolean verifyBackup = JNLPRuntime.isVerifying();
+ boolean trustBackup= JNLPRuntime.isTrustAll();
+ boolean securityBAckup= JNLPRuntime.isSecurityEnabled();
+ boolean verbose= JNLPRuntime.isDebug();
+ JNLPRuntime.setVerify(false);
+ JNLPRuntime.setTrustAll(true);
+ JNLPRuntime.setSecurityEnabled(false);
+ JNLPRuntime.setDebug(true);
+ String ignoreBackup = JNLPRuntime.getConfiguration().getProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES, "false");
+ try {
+ //it is invalid jar, so we have to disable checks first
+ final JNLPFile jnlpFile = new JNLPFile(new URL("http://localhost:" + port + "/jar_03_dotdot_jarN1.jnlp"));
+ final JNLPClassLoader classLoader = JNLPClassLoader.getInstance(jnlpFile, UpdatePolicy.ALWAYS, false);
+ } finally {
+ JNLPRuntime.setVerify(verifyBackup);
+ JNLPRuntime.setTrustAll(trustBackup);
+ JNLPRuntime.setSecurityEnabled(securityBAckup);
+ JNLPRuntime.setDebug(verbose);
+ JNLPRuntime.getConfiguration().setProperty(DeploymentConfiguration.KEY_SECURITY_ITW_IGNORECERTISSUES, ignoreBackup);
+ as.stop();
+ }
+
+ }
+
+ @Test
+ public void testEncodedPathIsNotDecodedForCache() throws Exception {
+ CacheUtil.clearCache();
+ int port = ServerAccess.findFreePort();
+ File dir = FileTestUtils.createTempDirectory();
+ dir.deleteOnExit();
+ dir = new File(dir,"base");
+ dir.mkdir();
+ File jar = new File(dir,"j1.jar");
+ File jnlp = new File(dir+"/a/b/upEncoded.jnlp");
+ jnlp.getParentFile().mkdirs();
+ InputStream is = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/upEncoded.jnlp");
+ String jnlpString = StreamUtils.readStreamAsString(is, true, "utf-8");
+ is.close();
+ jnlpString = jnlpString.replaceAll("8080", ""+port);
+ is = this.getClass().getClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/j1.jar");
+ StreamUtils.copyStream(is, new FileOutputStream(jar));
+ Files.write(jnlp.toPath(),jnlpString.getBytes("utf-8"));
+ ServerLauncher as = ServerAccess.getIndependentInstance(jnlp.getParent(), port);
+ boolean verifyBackup = JNLPRuntime.isVerifying();
+ boolean trustBackup= JNLPRuntime.isTrustAll();
+ boolean securityBAckup= JNLPRuntime.isSecurityEnabled();
+ boolean verbose= JNLPRuntime.isDebug();
+ JNLPRuntime.setVerify(false);
+ JNLPRuntime.setTrustAll(true);
+ JNLPRuntime.setSecurityEnabled(false);
+ JNLPRuntime.setDebug(true);
+ try {
+ final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/upEncoded.jnlp"));
+ final JNLPClassLoader classLoader1 = JNLPClassLoader.getInstance(jnlpFile1, UpdatePolicy.ALWAYS, false);
+ InputStream is1 = classLoader1.getResourceAsStream("Hello1.class");
+ is1.close();
+ is1 = classLoader1.getResourceAsStream("META-INF/MANIFEST.MF");
+ is1.close();
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/0/http/localhost/"+port+"/upEncoded.jnlp").exists());
+ //be aware; if decoding ever come in play here, thios will leak out of cache folder. Thus harm user system. See fix for " Fixed bug when relative path (..) could leak up (even out of cache)"
+ Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/%2E%2E/%2E%2E/%2E%2E/base").exists());
+ } finally {
+ JNLPRuntime.setVerify(verifyBackup);
+ JNLPRuntime.setTrustAll(trustBackup);
+ JNLPRuntime.setSecurityEnabled(securityBAckup);
+ JNLPRuntime.setDebug(verbose);
+ as.stop();
+ }
+
+ }
}
diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/upEncoded.jnlp b/tests/netx/unit/net/sourceforge/jnlp/runtime/upEncoded.jnlp
new file mode 100644
index 00000000..f0658bbc
--- /dev/null
+++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/upEncoded.jnlp
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<jnlp spec="6.0+" codebase=".">
+
+ <information><title>1965</title><vendor>Nemzeti Ado- es Vamhivatal</vendor><offline-allowed/></information>
+
+
+ <resources>
+ <j2se href="http://java.sun.com/products/autodl/j2se" version="1.8+" />
+ <!-- absolute url is a must -->
+ <jar href="http://localhost:8080/%2E%2E/%2E%2E/%2E%2E/base/j1.jar" version="2.0"/>
+ </resources>
+
+ <application-desc main-class="Hello1" />
+
+</jnlp>