author | Danesh Dadachanji <[email protected]> | 2012-08-15 09:39:53 -0400 |
---|---|---|
committer | Danesh Dadachanji <[email protected]> | 2012-08-15 09:39:53 -0400 |
commit | 71bd5ab0a09c7f91645e09eb9c6dbd89c755647b (patch) | |
tree | 7a23b7db96366a6fb8181e00b01d9cbcfc0f231e | |
parent | abf4ecb7073d3e44ce1340ca3bce6bd82fbd4f7c (diff) |
Restrict manifest classpath searching for JNLPs.
10 files changed, 492 insertions, 1 deletions
@@ -1,3 +1,21 @@ +2012-08-14 Danesh Dadachanji <[email protected]> + + Classpaths in jars' manifests are only considered when the applet is run + without using jnlp_href and a JNLP file. + * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java (activateJars): + Add conditional check for use of jnlp_href. + * tests/reproducers/signed/Classpath.Manifest.Test.Helper/srcs/CheckForClasspath.java: + Applet whose jar is stored in a subdir under the test engine server. + * tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestAppletTest.html: + * tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestAppletTest.jnlp: + * tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestApplicationTest.jnlp: + * tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestJNLPHrefTest.html: + * tests/reproducers/signed/ClasspathManifestTest/srcs/ClasspathManifest.java: + * tests/reproducers/signed/ClasspathManifestTest/srcs/META-INF/MANIFEST.MF: + * tests/reproducers/signed/ClasspathManifestTest/testcases/ClasspathManifestTest.java: + Test if manifest entry is searched for classpath only when in the plugin + is run without using jnlp_href. + 2012-08-14 Adam Domurad <[email protected]> Reproducer for allowing unsigned content in META-INF/ folder. diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java index c0c3762..bb115aa 100644 --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java 
@@ -1286,7 +1286,11 @@ public class JNLPClassLoader extends URLClassLoader { JarFile jarFile = new JarFile(localFile.getAbsolutePath()); Manifest mf = jarFile.getManifest(); - if (file instanceof PluginBridge) { + // Only check classpath if this is the plugin and there is no jnlp_href usage. + // Note that this is different from proprietary plugin behaviour. + // If jnlp_href is used, the app should be treated similarly to when + // it is run from javaws as a webstart. + if (file instanceof PluginBridge && !((PluginBridge) file).useJNLPHref()) { classpaths.addAll(getClassPathsFromManifest(mf, jar.getLocation().getPath())); } diff --git a/tests/reproducers/signed/Classpath.Manifest.Test.Helper/srcs/CheckForClasspath.java b/tests/reproducers/signed/Classpath.Manifest.Test.Helper/srcs/CheckForClasspath.java new file mode 100644 index 0000000..7c277d0 --- /dev/null +++ b/tests/reproducers/signed/Classpath.Manifest.Test.Helper/srcs/CheckForClasspath.java 
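Review bot: The branch that survives the new `!((PluginBridge) file).useJNLPHref()` test still adds every Class-Path entry from the jar's own manifest to `classpaths`, and nothing in this hunk shows how those entries are constrained. `getClassPathsFromManifest` is defined outside the hunk, so it may already reject absolute URLs and `..` segments, but that is worth confirming because the manifest is data supplied by the jar. The added comment says when the manifest is read but not why the jnlp_href case must skip it; if the intent is what the commit title suggests, a line such as `// Class-Path is jar-supplied data: when a JNLP file is used, only the jars it lists are loaded.` would keep the restriction from being relaxed by accident. The `JarFile` opened in the context lines is not closed within the hunk; activateJars starts and ends outside it, so check that it is closed on every path.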
@@ -0,0 +1,42 @@
+/* CheckForClasspath.java
+Copyright (C) 2012 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+ */
+
+public class CheckForClasspath {
+ public static void checkClasspathAndPrint() {
+ System.out.println("CheckForClasspath found on classpath.");
+ }
+}
diff --git a/tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestAppletTest.html b/tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestAppletTest.html new file mode 100644 index 0000000..23eec47 --- /dev/null +++ b/tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestAppletTest.html 
@@ -0,0 +1,48 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+ -->
+<html>
+ <head></head>
+ <body>
+ <applet code="ClasspathManifest.class"
+ archive="ClasspathManifestTest.jar"
+ codebase="."
+ width=800
+ height=600>
+ </applet>
+ </body>
+</html>
diff --git a/tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestAppletTest.jnlp b/tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestAppletTest.jnlp new file mode 100644 index 0000000..8da82fa --- /dev/null +++ b/tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestAppletTest.jnlp 
@@ -0,0 +1,61 @@ +<!-- + +This file is part of IcedTea. + +IcedTea is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2, or (at your option) +any later version. + +IcedTea is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with IcedTea; see the file COPYING. If not, write to the +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. 
+ + --> +<?xml version="1.0" encoding="utf-8"?> +<jnlp spec="1.0" href="ClasspathManifestAppletTest.jnlp" codebase="."> + <information> + <title>Classpath Manifest Applet Test</title> + <vendor>IcedTea</vendor> + <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/> + <description>ClasspathManifest</description> + <offline/> + </information> + <resources> + <j2se version="1.4+"/> + <jar href="ClasspathManifestTest.jar"/> + </resources> + <security> + <all-permissions /> + </security> + <applet-desc + documentBase="." + name="ClasspathManifest" + main-class="ClasspathManifest" + width="100" + height="100"> + </applet-desc> +</jnlp> diff --git a/tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestApplicationTest.jnlp b/tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestApplicationTest.jnlp new file mode 100644 index 0000000..fabb615 --- /dev/null +++ b/tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestApplicationTest.jnlp 
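Review bot: The `<?xml version="1.0" encoding="utf-8"?>` declaration sits after the licence comment, and an XML declaration is only valid at the very start of a document. The parser used in the test run may tolerate this, but a strict XML parser will reject the file, so the reproducer would stop exercising the classpath check if the parser is ever tightened. Moving the declaration above `<!--` fixes it. ClasspathManifestApplicationTest.jnlp has the same layout.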
@@ -0,0 +1,56 @@ +<!-- + +This file is part of IcedTea. + +IcedTea is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2, or (at your option) +any later version. + +IcedTea is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with IcedTea; see the file COPYING. If not, write to the +Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. 
+ + --> +<?xml version="1.0" encoding="utf-8"?> +<jnlp spec="1.0" href="ClasspathManifestApplicationTest.jnlp" codebase="."> + <information> + <title>ClasspathManifest</title> + <vendor>IcedTea</vendor> + <homepage href="http://icedtea.classpath.org/wiki/IcedTea-Web#Testing_IcedTea-Web"/> + <description>ClasspathManifest</description> + <offline/> + </information> + <resources> + <j2se version="1.4+"/> + <jar href="ClasspathManifestTest.jar"/> + </resources> + <security> + <all-permissions /> + </security> + <application-desc main-class="ClasspathManifest"> + </application-desc> +</jnlp> diff --git a/tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestJNLPHrefTest.html b/tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestJNLPHrefTest.html new file mode 100644 index 0000000..22ea395 --- /dev/null +++ b/tests/reproducers/signed/ClasspathManifestTest/resources/ClasspathManifestJNLPHrefTest.html 
@@ -0,0 +1,46 @@
+<!--
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+IcedTea is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+
+-->
+<html>
+ <head></head>
+ <body>
+ <applet code="ClasspathManifest.class" width=800 height=600>
+ <param name="jnlp_href" value="ClasspathManifestAppletTest.jnlp">
+ </applet>
+ </body>
+</html>
+
diff --git a/tests/reproducers/signed/ClasspathManifestTest/srcs/ClasspathManifest.java b/tests/reproducers/signed/ClasspathManifestTest/srcs/ClasspathManifest.java new file mode 100644 index 0000000..8fe7724 --- /dev/null +++ b/tests/reproducers/signed/ClasspathManifestTest/srcs/ClasspathManifest.java 
@@ -0,0 +1,81 @@ +/* ClasspathManifest.java +Copyright (C) 2012 Red Hat, Inc. + +This file is part of IcedTea. + +IcedTea is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License as published by +the Free Software Foundation, version 2. + +IcedTea is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with IcedTea; see the file COPYING. If not, write to +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. 
+ */ + +import java.applet.Applet; +import java.lang.reflect.*; + +public class ClasspathManifest extends Applet { + + private class Killer extends Thread { + + public int n = 1000; + + @Override + public void run() { + try { + Thread.sleep(n); + System.out.println("Applet killing himself after " + n + " ms of life"); + System.exit(0); + } catch (Exception ex) { + } + } + } + private Killer killer; + + public static void main(String[] args) { + searchForClasspath(); + } + + @Override + public void init() { + searchForClasspath(); + killer = new Killer(); + killer.start(); + } + + public static void searchForClasspath() { + System.out.println("Searching for CheckForClasspath."); + try { + Class checkClass = Class.forName("CheckForClasspath"); + Method checkMethod = checkClass.getDeclaredMethod("checkClasspathAndPrint"); + checkMethod.invoke((Object) null); + } catch (Exception ex) { + System.out.println("Exception was thrown, class not found on classpath."); + ex.printStackTrace(); + } + } +} diff --git a/tests/reproducers/signed/ClasspathManifestTest/srcs/META-INF/MANIFEST.MF b/tests/reproducers/signed/ClasspathManifestTest/srcs/META-INF/MANIFEST.MF new file mode 100644 index 0000000..0a00815 --- /dev/null +++ b/tests/reproducers/signed/ClasspathManifestTest/srcs/META-INF/MANIFEST.MF @@ -0,0 +1,3 @@ +Manifest-Version: 1.0 +Class-Path: Classpath/Manifest/Test/Helper.jar + diff --git a/tests/reproducers/signed/ClasspathManifestTest/testcases/ClasspathManifestTest.java b/tests/reproducers/signed/ClasspathManifestTest/testcases/ClasspathManifestTest.java new file mode 100644 index 0000000..47a182b --- /dev/null +++ b/tests/reproducers/signed/ClasspathManifestTest/testcases/ClasspathManifestTest.java 
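Review bot: `searchForClasspath` in ClasspathManifest.java catches `Exception` and prints "Exception was thrown, class not found on classpath." for every failure, so a reflection or invocation error inside the helper is reported as a missing class. Catching the expected case on its own, `} catch (ClassNotFoundException ex) {`, and giving other failures a different message would keep the reproducer's output unambiguous for the test that reads it. The raw `Class checkClass` can be `Class<?> checkClass`, and the empty `catch (Exception ex) { }` in `Killer.run` should at least carry a comment saying the exception is ignored on purpose.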
@@ -0,0 +1,132 @@ +/* ClasspathManifestTest.java +Copyright (C) 2012 Red Hat, Inc. + +This file is part of IcedTea. + +IcedTea is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License as published by +the Free Software Foundation, version 2. + +IcedTea is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with IcedTea; see the file COPYING. If not, write to +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +02110-1301 USA. + +Linking this library statically or dynamically with other modules is +making a combined work based on this library. Thus, the terms and +conditions of the GNU General Public License cover the whole +combination. + +As a special exception, the copyright holders of this library give you +permission to link this library with independent modules to produce an +executable, regardless of the license terms of these independent +modules, and to copy and distribute the resulting executable under +terms of your choice, provided that you also meet, for each linked +independent module, the terms and conditions of the license of that +module. An independent module is a module which is not derived from +or based on this library. If you modify this library, you may extend +this exception to your version of the library, but you are not +obligated to do so. If you do not wish to do so, delete this +exception statement from your version. 
+ */ + +import java.util.ArrayList; +import java.util.List; + +import net.sourceforge.jnlp.ServerAccess; +import net.sourceforge.jnlp.ServerAccess.ProcessResult; +import net.sourceforge.jnlp.annotations.KnownToFail; +import net.sourceforge.jnlp.annotations.NeedsDisplay; +import net.sourceforge.jnlp.annotations.TestInBrowsers; +import net.sourceforge.jnlp.browsertesting.BrowserTest; +import net.sourceforge.jnlp.browsertesting.Browsers; + +import org.junit.Assert; +import org.junit.Test; + +public class ClasspathManifestTest extends BrowserTest { + + private static String s1 = "Searching for CheckForClasspath."; + private static String s2 = "CheckForClasspath found on classpath."; + private static String ss = "xception"; + + public void checkAppFails(ProcessResult pr, String testName) { + Assert.assertTrue("ClasspathManifest." + testName + " stdout should contain " + s1 + " but didn't", pr.stdout.contains(s1)); + Assert.assertFalse("ClasspathManifest." + testName + " stdout should not contain " + s2 + " but did", pr.stdout.contains(s2)); + Assert.assertTrue("ClasspathManifest." 
+ testName + " stderr should contain " + ss + " but didn't", pr.stderr.contains(ss)); + } + + @NeedsDisplay + @Test + public void ApplicationJNLPRemoteTest() throws Exception { + ProcessResult pr = server.executeJavawsHeadless(null, "/ClasspathManifestApplicationTest.jnlp"); + checkAppFails(pr, "ApplicationJNLPRemoteTest"); + } + + @NeedsDisplay + @KnownToFail + @Test + public void ApplicationJNLPLocalTest() throws Exception { + List<String> commands=new ArrayList<String>(3); + commands.add(server.getJavawsLocation()); + commands.add(ServerAccess.HEADLES_OPTION); + commands.add("ClasspathManifestApplicationTest.jnlp"); + ServerAccess.ProcessResult pr = ServerAccess.executeProcess(commands, server.getDir()); + checkAppFails(pr, "ApplicationJNLPLocalTest"); + } + + @NeedsDisplay + @Test + public void AppletJNLPRemoteTest() throws Exception { + ServerAccess.ProcessResult pr = server.executeJavawsHeadless(null, "/ClasspathManifestAppletTest.jnlp"); + checkAppFails(pr, "AppletJNLPRemoteTest"); + } + + @NeedsDisplay + @KnownToFail + @Test + public void AppletJNLPRLocalTest() throws Exception { + List<String> commands=new ArrayList<String>(3); + commands.add(server.getJavawsLocation()); + commands.add(ServerAccess.HEADLES_OPTION); + commands.add("ClasspathManifestAppletTest.jnlp"); + ServerAccess.ProcessResult pr = ServerAccess.executeProcess(commands, server.getDir()); + checkAppFails(pr, "AppletJNLPRLocalTest"); + } + + @NeedsDisplay + @TestInBrowsers(testIn = {Browsers.one}) + @Test + public void BrowserJNLPHrefRemoteTest() throws Exception { + ServerAccess.ProcessResult pr = server.executeBrowser("/ClasspathManifestJNLPHrefTest.html"); + checkAppFails(pr, "BrowserJNLPHrefRemoteTest"); + } + + @NeedsDisplay + @TestInBrowsers(testIn = {Browsers.one}) + @KnownToFail + @Test + public void BrowserJNLPHrefLocalTest() throws Exception { + List<String> commands=new ArrayList<String>(2); + commands.add(server.getBrowserLocation()); + 
commands.add("ClasspathManifestJNLPHrefTest.html"); + ServerAccess.ProcessResult pr = ServerAccess.executeProcess(commands, server.getDir()); + checkAppFails(pr, "BrowserJNLPHrefLocalTest"); + } + + @NeedsDisplay + @TestInBrowsers(testIn = {Browsers.one}) + @Test + public void BrowserAppletRemoteTest() throws Exception { + ServerAccess.ProcessResult pr = server.executeBrowser("/ClasspathManifestAppletTest.html"); + Assert.assertTrue("ClasspathManifest.BrowserAppletRemoteTest stdout should contain " + s1 + " but didn't", pr.stdout.contains(s1)); + // Should be the only one to search manifest for classpath. + Assert.assertTrue("ClasspathManifest.BrowserAppletRemoteTest stdout should contain " + s2 + " but didn't", pr.stdout.contains(s2)); + Assert.assertFalse("ClasspathManifest.BrowserAppletRemoteTest stderr should not contain " + ss + " but did", pr.stderr.contains(ss)); + } +} |
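Review bot: `checkAppFails` accepts any stderr text containing `xception` as proof that the helper class was kept off the classpath, so an unrelated failure during launch also satisfies it as long as stdout has the "Searching" line. The reproducer prints a specific line when the lookup fails, so the negative check can be pinned to it, for example `Assert.assertTrue(pr.stdout.contains("Exception was thrown, class not found on classpath."));`, or to `ClassNotFoundException` in stderr. The three `...LocalTest` methods are marked `@KnownToFail`, so this commit does not actually verify the restriction for locally launched files; a comment on each saying why it fails would tell a later reader whether that is a test-harness limit or a gap in the fix.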