aboutsummaryrefslogtreecommitdiffstats
path: root/netx/net/sourceforge/jnlp
diff options
context:
space:
mode:
Diffstat (limited to 'netx/net/sourceforge/jnlp')
-rw-r--r--netx/net/sourceforge/jnlp/services/ServiceUtil.java77
-rw-r--r--netx/net/sourceforge/jnlp/services/XPersistenceService.java13
2 files changed, 56 insertions, 34 deletions
diff --git a/netx/net/sourceforge/jnlp/services/ServiceUtil.java b/netx/net/sourceforge/jnlp/services/ServiceUtil.java
index 69e44a9..2972799 100644
--- a/netx/net/sourceforge/jnlp/services/ServiceUtil.java
+++ b/netx/net/sourceforge/jnlp/services/ServiceUtil.java
@@ -235,41 +235,15 @@ public class ServiceUtil {
public static boolean checkAccess(ApplicationInstance app, AccessType type,
Object... extras) {
- if (app == null)
- app = JNLPRuntime.getApplication();
-
- boolean codeTrusted = true;
-
- StackTraceElement[] stack = Thread.currentThread().getStackTrace();
-
- for (int i = 0; i < stack.length; i++) {
+ boolean trusted = isSigned(app);
- Class c = null;
-
- try {
- c = Class.forName(stack[i].getClassName());
- } catch (Exception e1) {
- try {
- c = Class.forName(stack[i].getClassName(), false, app.getClassLoader());
- } catch (Exception e2) {
- System.err.println(e2.getMessage());
- }
- }
-
- // Everything up to the desired class/method must be trusted
- if (c == null || // class not found
- (c.getProtectionDomain().getCodeSource() != null && // class is not in bootclasspath
- c.getProtectionDomain().getCodeSource().getCodeSigners() == null) // class is trusted
- ) {
- codeTrusted = false;
- }
- }
-
- if (!codeTrusted) {
+ if (!trusted) {
if (!shouldPromptUser()) {
return false;
}
+ if (app == null)
+ app = JNLPRuntime.getApplication();
final AccessType tmpType = type;
final Object[] tmpExtras = extras;
@@ -307,5 +281,48 @@ public class ServiceUtil {
}
});
}
+
+ /**
+ * Returns whether the app requesting a JNLP service is a trusted
+ * application
+ *
+ * @param app
+ * the application which is requesting the check. If null, the
+ * current application is used.
+ * @return true, if the app is a trusted application; false otherwise
+ */
+
+ public static boolean isSigned(ApplicationInstance app) {
+
+ if (app == null)
+ app = JNLPRuntime.getApplication();
+
+ StackTraceElement[] stack = Thread.currentThread().getStackTrace();
+
+ for (int i = 0; i < stack.length; i++) {
+
+ Class c = null;
+
+ try {
+ c = Class.forName(stack[i].getClassName());
+ } catch (Exception e1) {
+ try {
+ c = Class.forName(stack[i].getClassName(), false,
+ app.getClassLoader());
+ } catch (Exception e2) {
+ System.err.println(e2.getMessage());
+ }
+ }
+
+ // Everything up to the desired class/method must be trusted
+ if (c == null || // class not found
+ (c.getProtectionDomain().getCodeSource() != null && // class is not in bootclasspath
+ c.getProtectionDomain().getCodeSource().getCodeSigners() == null) // class is trusted
+ ) {
+ return false;
+ }
+ }
+ return true;
+ }
}
diff --git a/netx/net/sourceforge/jnlp/services/XPersistenceService.java b/netx/net/sourceforge/jnlp/services/XPersistenceService.java
index 4da8336..3e847c9 100644
--- a/netx/net/sourceforge/jnlp/services/XPersistenceService.java
+++ b/netx/net/sourceforge/jnlp/services/XPersistenceService.java
@@ -52,9 +52,12 @@ class XPersistenceService implements PersistenceService {
throw new MalformedURLException("Cannot determine the current application.");
URL source = app.getJNLPFile().getCodeBase();
+
+ if (!source.getHost().equalsIgnoreCase(location.getHost())
+ && !ServiceUtil.isSigned(app)) // Allow trusted application to have access to data from a different host
+ throw new MalformedURLException(
+ "Untrusted application cannot access data from a different host.");
- if (!source.getHost().equalsIgnoreCase(location.getHost()))
- throw new MalformedURLException("Cannot access data from a different host.");
// test for above codebase, not perfect but works for now
@@ -69,8 +72,10 @@ class XPersistenceService implements PersistenceService {
System.out.println("request path: " + requestPath);
}
- if (!source.getFile().startsWith(requestPath))
- throw new MalformedURLException("Cannot access data below source URL path.");
+ if (!source.getFile().startsWith(requestPath)
+ && !ServiceUtil.isSigned(app)) // Allow trusted application to have access to data below source URL path
+ throw new MalformedURLException(
+ "Cannot access data below source URL path.");
}
/**