-rw-r--r-- | ChangeLog | 13 | ||||
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | netx/net/sourceforge/jnlp/util/UrlUtils.java | 15 | ||||
-rw-r--r-- | tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java | 4 | ||||
-rw-r--r-- | tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java | 26 |
5 files changed, 56 insertions, 4 deletions
@@ -1,3 +1,16 @@ +2013-06-05 Adam Domurad <[email protected]> + + Fix PR1465 + * NEWS: Bug fix note + * netx/net/sourceforge/jnlp/util/UrlUtils.java + (isValidRFC2396Url): New, tests if valid URL by RFC2396 rules + (normalizeUrl): Don't normalize if valid by RFC2396 + * tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java: + Adapt which URLs we expect to change when normalizing URLs + * tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java: + (testIsValidRFC2396Url): New, tests isValidRFC2396Url + (testNormalizeUrl): Add new test with valid RFC2396 URL + 2013-06-04 Jiri Vanek <[email protected]> * netx/net/sourceforge/jnlp/resources/Messages.properties: @@ -9,6 +9,8 @@ GX - http://bugs.gentoo.org/show_bug.cgi?id=X CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY New in release 1.5 (2013-XX-XX): +* NetX + - PR1465 - java.io.FileNotFoundException while trying to download a JAR file * Plugin - PR854: Resizing an applet several times causes 100% CPU load diff --git a/netx/net/sourceforge/jnlp/util/UrlUtils.java b/netx/net/sourceforge/jnlp/util/UrlUtils.java index af36a9c..73d896a 100644 --- a/netx/net/sourceforge/jnlp/util/UrlUtils.java +++ b/netx/net/sourceforge/jnlp/util/UrlUtils.java 
@@ -86,16 +86,29 @@ public class UrlUtils { } } + /* Use the URI syntax check of 'toURI' to see if it matches RFC2396. + * See http://www.ietf.org/rfc/rfc2396.txt */ + public static boolean isValidRFC2396Url(URL url) { + try { + url.toURI(); + return true; + } catch (URISyntaxException e) { + return false; + } + } + /* Ensure a URL is properly percent-encoded. * Certain usages require local-file URLs to be encoded, eg for code-base & document-base. */ public static URL normalizeUrl(URL url, boolean encodeFileUrls) throws MalformedURLException, UnsupportedEncodingException, URISyntaxException { if (url == null) { return null; } + String protocol = url.getProtocol(); boolean shouldEncode = (encodeFileUrls || !"file".equals(protocol)); - if (protocol == null || !shouldEncode || url.getPath() == null) { + // PR1465: We should not call 'URLDecoder.decode' on RFC2396-compliant URLs + if (protocol == null || !shouldEncode || url.getPath() == null || isValidRFC2396Url(url)) { return url; } diff --git a/tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java b/tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java index 0b19668..03d942b 100644 --- a/tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java +++ b/tests/netx/unit/net/sourceforge/jnlp/cache/ResourceTrackerTest.java @@ -80,7 +80,7 @@ public class ResourceTrackerTest { Assert.assertFalse("url " + i + " must be normalized (and so not equals) too normalized url " + i, u[i].equals(n[i])); } } - public static final int CHANGE_BORDER = 6; + public static final int CHANGE_BORDER = 8; public static URL[] getUrls() throws MalformedURLException { URL[] u = { 
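Review bot: `isValidRFC2396Url` accepts more than RFC 2396 allows, because `URL.toURI()` parses with `java.net.URI`, whose documentation lists deviations from the RFC, notably that non-ASCII "other" characters are accepted unescaped. With the new `|| isValidRFC2396Url(url)` early return in `normalizeUrl`, a URL with non-ASCII path characters but no spaces or excluded ASCII would presumably be returned unencoded. Any URL with well-formed escapes such as `%2F` also skips the decode/re-encode step, so callers that compare or cache on the result should not assume one canonical encoding per resource. If strict ASCII validity is the intent, one option inside the `try` is `return url.toURI().toASCIIString().equals(url.toString());`, and `testIsValidRFC2396Url` in UrlUtilsTest would need a non-ASCII case since it covers only ASCII. `normalizeUrl` continues outside the hunk, so the decode path itself is not visible here.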
@@ -91,9 +91,9 @@ public class ResourceTrackerTest { new URL("http:///SpacesCanBeEverywhere1.jnlp"), new URL("file://localhost/home/jvanek/Desktop/icedtea-web/tests.build/jnlp_test_server/Spaces can be everywhere2.jnlp"), new URL("http://localhost:44321/testpage.jnlp?applicationID=25"), - /*changing*/ new URL("http://localhost:44321/Spaces%20Can%20Be%20Everyw%2Fhere1.jnlp"), new URL("http://localhost/Spaces+Can+Be+Everywhere1.jnlp"), + /*changing*/ new URL("http://localhost/SpacesC anBeEverywhere1.jnlp?a=5&b=10#df"), new URL("http:///oook.jnlp?a=5&b=ahoj šš dd#df"), new URL("http://localhost/Spacesěčšžšřýžčřú can !@^*(){}[].jnlp?a=5&ahoj šš dd#df"), diff --git a/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java b/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java index b6cf760..587915f 100644 --- a/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java +++ b/tests/netx/unit/net/sourceforge/jnlp/util/UrlUtilsTest.java @@ -39,8 +39,11 @@ package net.sourceforge.jnlp.util; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; import java.io.File; +import java.net.MalformedURLException; +import java.net.URISyntaxException; import java.net.URL; import org.junit.Test; 
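Review bot: The position of the `/*changing*/` marker here and `CHANGE_BORDER = 8` in the previous hunk must be kept in step by hand, and nothing in the file records why the two URLs moved above the marker. A comment on the constant would cover it, for example `// index of the first URL in getUrls() that normalizeUrl is expected to rewrite; earlier entries already parse as URIs (PR1465)`. The moved `...Everyw%2Fhere1.jnlp` entry now pins that a URL with an encoded slash passes through normalization unchanged, which deserves its own one-line comment because it is a behaviour change rather than a reshuffle. The array literal starts and ends outside the hunk.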
@@ -95,6 +98,27 @@ public class UrlUtilsTest { // Test file URL with file URL encoding turned on assertEquals("file://example/%20test", UrlUtils.normalizeUrl(new URL("file://example/ test"), true).toString()); + + // PR1465: Test that RFC2396-compliant URLs are not touched + // Example taken from bug report: http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1465 + String rfc2396Valid = "https://example.com/,DSID=64c19c5b657df383835706571a7c7216,DanaInfo=example.com,CT=java+JICAComponents/JICA-sicaN.jar"; + assertEquals(rfc2396Valid, + UrlUtils.normalizeUrl(new URL(rfc2396Valid)).toString()); + } + + @Test + public void testIsValidRFC2396Url() throws Exception { + String rfc2396Valid = "https://example.com/,foo=bar+baz/JICA-sicaN.jar"; + assertTrue(UrlUtils.isValidRFC2396Url(new URL(rfc2396Valid))); + + // These should invalidate the URL + // See http://www.ietf.org/rfc/rfc2396.txt (2.4.3. Excluded US-ASCII Characters) + char[] invalidCharacters = {'<', '>', '%', '"', }; + for (char chr : invalidCharacters) { + assertFalse("validation failed with '" + chr + "'",UrlUtils.isValidRFC2396Url(new URL(rfc2396Valid + chr))); + } + //special test for space inisde. Space at the end can be trimmed + assertFalse("validation failed with '" + ' ' + "'",UrlUtils.isValidRFC2396Url(new URL("https://example.com/,foo=bar+ba z/JICA-sicaN.jar"))); } @Test @@ -116,4 +140,4 @@ public class UrlUtilsTest { assertEquals(testFile, UrlUtils.decodeUrlAsFile(encodedUrl)); } } -}
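Review bot: The fixture added to `testNormalizeUrl` carries `DSID=64c19c5b657df383835706571a7c7216`, which the comment says was taken from the bug report and which looks like a session identifier from a real deployment. The test only needs the URL's shape (commas, `=`, `+` in the path), so an obviously constructed value, for example a run of 32 zeros, keeps the coverage without committing a possibly live token to the repository. `testIsValidRFC2396Url` already uses the sanitized form `foo=bar+baz`, so the two fixtures could share one constant. Separately, the comment `//special test for space inisde` has a typo ("inside").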
\ No newline at end of file +} |