authorAdam Domurad <[email protected]>2013-06-05 15:12:01 -0400
committerAdam Domurad <[email protected]>2013-06-05 15:12:01 -0400
commit6b9db3b5496e986d9cbe16f94d65c6bb49aa6df7 (patch)
tree560fe41682dc8ea36843759d3de3402532131170
parentd529b383c65853c4c02276bd3eab2988b5a5370b (diff)
Fix PR1465 - java.io.FileNotFoundException while trying to download a JAR file
-rw-r--r--ChangeLog13
-rw-r--r--NEWS2
-rw-r--r--netx/net/sourceforge/jnlp/util/UrlUtils.java15
-rw-r--r--tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java4
-rw-r--r--tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java26
5 files changed, 56 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index b80f544..a034c10 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2013-06-05 Adam Domurad <[email protected]>
+
+ Fix PR1465
+ * NEWS: Bug fix note
+ * netx/net/sourceforge/jnlp/util/UrlUtils.java
+ (isValidRFC2396Url): New, tests if valid URL by RFC2396 rules
+ (normalizeUrl): Don't normalize if valid by RFC2396
+ * tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java:
+ Adapt which URLs we expect to change when normalizing URLs
+ * tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java:
+ (testIsValidRFC2396Url): New, tests isValidRFC2396Url
+ (testNormalizeUrl): Add new test with valid RFC2396 URL
+
2013-06-04 Jiri Vanek <[email protected]>
* netx/net/sourceforge/jnlp/resources/Messages.properties:
diff --git a/NEWS b/NEWS
index a40a6ea..f1ee8d2 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,8 @@ GX - http://bugs.gentoo.org/show_bug.cgi?id=X
CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release 1.5 (2013-XX-XX):
+* NetX
+ - PR1465 - java.io.FileNotFoundException while trying to download a JAR file
* Plugin
- PR854: Resizing an applet several times causes 100% CPU load
diff --git a/netx/net/sourceforge/jnlp/util/UrlUtils.java b/netx/net/sourceforge/jnlp/util/UrlUtils.java
index af36a9c..73d896a 100644
--- a/netx/net/sourceforge/jnlp/util/UrlUtils.java
+++ b/netx/net/sourceforge/jnlp/util/UrlUtils.java
@@ -86,16 +86,29 @@ public class UrlUtils {
}
}
+ /* Use the URI syntax check of 'toURI' to see if it matches RFC2396.
+ * See http://www.ietf.org/rfc/rfc2396.txt */
+ public static boolean isValidRFC2396Url(URL url) {
+ try {
+ url.toURI();
+ return true;
+ } catch (URISyntaxException e) {
+ return false;
+ }
+ }
+
/* Ensure a URL is properly percent-encoded.
* Certain usages require local-file URLs to be encoded, eg for code-base & document-base. */
public static URL normalizeUrl(URL url, boolean encodeFileUrls) throws MalformedURLException, UnsupportedEncodingException, URISyntaxException {
if (url == null) {
return null;
}
+
String protocol = url.getProtocol();
boolean shouldEncode = (encodeFileUrls || !"file".equals(protocol));
- if (protocol == null || !shouldEncode || url.getPath() == null) {
+ // PR1465: We should not call 'URLDecoder.decode' on RFC2396-compliant URLs
+ if (protocol == null || !shouldEncode || url.getPath() == null || isValidRFC2396Url(url)) {
return url;
}
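Review bot: `isValidRFC2396Url` accepts more than RFC 2396 allows, because `URL.toURI()` parses with `java.net.URI`, which also admits unescaped non-ASCII ("other") characters. With the new `|| isValidRFC2396Url(url)` clause in `normalizeUrl`, a URL that contains raw non-ASCII letters but no spaces or other illegal characters is now returned without percent-encoding. If callers depend on the normalized form for code-base or cache comparisons (not visible in this hunk), two spellings of the same resource would then stay distinct. A stricter check would be `return url.toURI().toASCIIString().equals(url.toString());`; otherwise the comment above the method should say the test is "parses as java.net.URI", not strict RFC 2396, and note that the public method dereferences `url` without the null check `normalizeUrl` has. `normalizeUrl`'s body continues outside the hunk.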
diff --git a/tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java b/tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java
index 0b19668..03d942b 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java
@@ -80,7 +80,7 @@ public class ResourceTrackerTest {
Assert.assertFalse("url " + i + " must be normalized (and so not equals) too normalized url " + i, u[i].equals(n[i]));
}
}
- public static final int CHANGE_BORDER = 6;
+ public static final int CHANGE_BORDER = 8;
public static URL[] getUrls() throws MalformedURLException {
URL[] u = {
@@ -91,9 +91,9 @@ public class ResourceTrackerTest {
new URL("http:///SpacesCanBeEverywhere1.jnlp"),
new URL("file://localhost/home/jvanek/Desktop/icedtea-web/tests.build/jnlp_test_server/Spaces can be everywhere2.jnlp"),
new URL("http://localhost:44321/testpage.jnlp?applicationID=25"),
- /*changing*/
new URL("http://localhost:44321/Spaces%20Can%20Be%20Everyw%2Fhere1.jnlp"),
new URL("http://localhost/Spaces+Can+Be+Everywhere1.jnlp"),
+ /*changing*/
new URL("http://localhost/SpacesC anBeEverywhere1.jnlp?a=5&b=10#df"),
new URL("http:///oook.jnlp?a=5&b=ahoj šš dd#df"),
new URL("http://localhost/Spacesěčšžšřýžčřú can !@^*(){}[].jnlp?a=5&ahoj šš dd#df"),
diff --git a/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java b/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java
index b6cf760..587915f 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java
@@ -39,8 +39,11 @@ package net.sourceforge.jnlp.util;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
import java.io.File;
+import java.net.MalformedURLException;
+import java.net.URISyntaxException;
import java.net.URL;
import org.junit.Test;
@@ -95,6 +98,27 @@ public class UrlUtilsTest {
// Test file URL with file URL encoding turned on
assertEquals("file://example/%20test",
UrlUtils.normalizeUrl(new URL("file://example/ test"), true).toString());
+
+ // PR1465: Test that RFC2396-compliant URLs are not touched
+ // Example taken from bug report: http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1465
+ String rfc2396Valid = "https://example.com/,DSID=64c19c5b657df383835706571a7c7216,DanaInfo=example.com,CT=java+JICAComponents/JICA-sicaN.jar";
+ assertEquals(rfc2396Valid,
+ UrlUtils.normalizeUrl(new URL(rfc2396Valid)).toString());
+ }
+
+ @Test
+ public void testIsValidRFC2396Url() throws Exception {
+ String rfc2396Valid = "https://example.com/,foo=bar+baz/JICA-sicaN.jar";
+ assertTrue(UrlUtils.isValidRFC2396Url(new URL(rfc2396Valid)));
+
+ // These should invalidate the URL
+ // See http://www.ietf.org/rfc/rfc2396.txt (2.4.3. Excluded US-ASCII Characters)
+ char[] invalidCharacters = {'<', '>', '%', '"', };
+ for (char chr : invalidCharacters) {
+ assertFalse("validation failed with '" + chr + "'",UrlUtils.isValidRFC2396Url(new URL(rfc2396Valid + chr)));
+ }
+ //special test for space inisde. Space at the end can be trimmed
+ assertFalse("validation failed with '" + ' ' + "'",UrlUtils.isValidRFC2396Url(new URL("https://example.com/,foo=bar+ba z/JICA-sicaN.jar")));
}
@Test
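Review bot: The `invalidCharacters` array in `testIsValidRFC2396Url` exercises only four of the characters excluded by RFC 2396 section 2.4.3; the "unwise" characters such as `{`, `}`, `|`, `\` and `^` are not covered, and neither is an unescaped non-ASCII character, which `java.net.URI` accepts. Extending the array, e.g. `char[] invalidCharacters = {'<', '>', '%', '"', '{', '}', '|', '\\', '^'};`, and adding one assertion that pins the result for a non-ASCII path would document where the check is looser than the RFC, so that a later change to `normalizeUrl` cannot silently alter which URLs skip encoding. The comment typo `inisde` should read `inside`.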
@@ -116,4 +140,4 @@ public class UrlUtilsTest {
assertEquals(testFile, UrlUtils.decodeUrlAsFile(encodedUrl));
}
}
-} \ No newline at end of file
+}