Diffstat (limited to 'netx/net/sourceforge/jnlp')
-rw-r--r-- | netx/net/sourceforge/jnlp/services/ServiceUtil.java | 77 | ||||
-rw-r--r-- | netx/net/sourceforge/jnlp/services/XPersistenceService.java | 13 |
2 files changed, 56 insertions, 34 deletions
diff --git a/netx/net/sourceforge/jnlp/services/ServiceUtil.java b/netx/net/sourceforge/jnlp/services/ServiceUtil.java
index 69e44a9..2972799 100644
--- a/netx/net/sourceforge/jnlp/services/ServiceUtil.java
+++ b/netx/net/sourceforge/jnlp/services/ServiceUtil.java
@@ -235,41 +235,15 @@ public class ServiceUtil { public static boolean checkAccess(ApplicationInstance app, AccessType type, Object... extras) { - if (app == null) - app = JNLPRuntime.getApplication(); - - boolean codeTrusted = true; - - StackTraceElement[] stack = Thread.currentThread().getStackTrace(); - - for (int i = 0; i < stack.length; i++) { + boolean trusted = isSigned(app); - Class c = null; - - try { - c = Class.forName(stack[i].getClassName()); - } catch (Exception e1) { - try { - c = Class.forName(stack[i].getClassName(), false, app.getClassLoader()); - } catch (Exception e2) { - System.err.println(e2.getMessage()); - } - } - - // Everything up to the desired class/method must be trusted - if (c == null || // class not found - (c.getProtectionDomain().getCodeSource() != null && // class is not in bootclasspath - c.getProtectionDomain().getCodeSource().getCodeSigners() == null) // class is trusted - ) { - codeTrusted = false; - } - } - - if (!codeTrusted) { + if (!trusted) { if (!shouldPromptUser()) { return false; } + if (app == null) + app = JNLPRuntime.getApplication(); final AccessType tmpType = type; final Object[] tmpExtras = extras; 
@@ -307,5 +281,48 @@ public class ServiceUtil { } }); } + + /** + * Returns whether the app requesting a JNLP service is a trusted + * application + * + * @param app + * the application which is requesting the check. If null, the + * current application is used. + * @return true, if the app is a trusted application; false otherwise + */ + + public static boolean isSigned(ApplicationInstance app) { + + if (app == null) + app = JNLPRuntime.getApplication(); + + StackTraceElement[] stack = Thread.currentThread().getStackTrace(); + + for (int i = 0; i < stack.length; i++) { + + Class c = null; + + try { + c = Class.forName(stack[i].getClassName()); + } catch (Exception e1) { + try { + c = Class.forName(stack[i].getClassName(), false, + app.getClassLoader()); + } catch (Exception e2) { + System.err.println(e2.getMessage()); + } + } + + // Everything up to the desired class/method must be trusted + if (c == null || // class not found + (c.getProtectionDomain().getCodeSource() != null && // class is not in bootclasspath + c.getProtectionDomain().getCodeSource().getCodeSigners() == null) // class is trusted + ) { + return false; + } + } + return true; + } }
diff --git a/netx/net/sourceforge/jnlp/services/XPersistenceService.java b/netx/net/sourceforge/jnlp/services/XPersistenceService.java
index 4da8336..3e847c9 100644
--- a/netx/net/sourceforge/jnlp/services/XPersistenceService.java
+++ b/netx/net/sourceforge/jnlp/services/XPersistenceService.java 
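Review bot: The Javadoc on the new `isSigned` in ServiceUtil.java says it reports whether the application is trusted, but the loop only checks that every class on the call stack is either on the bootclasspath or has a non-null `getCodeSigners()`; nothing visible in this hunk verifies that a signer was accepted by the user or chains to a trusted root. Now that the method is public and used as an authorisation gate outside `checkAccess`, the Javadoc should state that real contract, e.g. `@return true only if every class on the current call stack is on the bootclasspath or carries code signers`, and the trailing `// class is trusted` should read `// class is unsigned`, since that is the condition that returns false. Frames are resolved by name through `Class.forName`, so the `Class` inspected is whatever the name resolves to in that loader and may not be the class actually on the stack; it is worth confirming that the loader delegation rules out a mismatch. If `JNLPRuntime.getApplication()` returns null, the fallback `app.getClassLoader()` throws inside the inner `try` and is swallowed by `catch (Exception e2)`, so the null case should be handled explicitly rather than by accident.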
@@ -52,9 +52,12 @@ class XPersistenceService implements PersistenceService { throw new MalformedURLException("Cannot determine the current application."); URL source = app.getJNLPFile().getCodeBase(); + + if (!source.getHost().equalsIgnoreCase(location.getHost()) + && !ServiceUtil.isSigned(app)) // Allow trusted application to have access to data from a different host + throw new MalformedURLException( + "Untrusted application cannot access data from a different host."); - if (!source.getHost().equalsIgnoreCase(location.getHost())) - throw new MalformedURLException("Cannot access data from a different host."); // test for above codebase, not perfect but works for now
@@ -69,8 +72,10 @@ class XPersistenceService implements PersistenceService { System.out.println("request path: " + requestPath); } - if (!source.getFile().startsWith(requestPath)) - throw new MalformedURLException("Cannot access data below source URL path."); + if (!source.getFile().startsWith(requestPath) + && !ServiceUtil.isSigned(app)) // Allow trusted application to have access to data below source URL path + throw new MalformedURLException( + "Cannot access data below source URL path."); } /** |
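Review bot: The added `&& !ServiceUtil.isSigned(app)` clause in the host check, and the identical clause in the path check of the `@@ -69,8 +72,10 @@` hunk, silently lifts the same-host and codebase-path restrictions for any caller that `isSigned` accepts. As added in ServiceUtil.java, that method tests only for the presence of code signers on the call stack, so it is worth confirming that signature presence alone is meant to grant access to another host's persistence entries, and recording the decision when the exemption is taken. Each check repeats the stack walk; evaluating it once into a local such as `boolean signed = ServiceUtil.isSigned(app);` would keep the two decisions consistent. Both conditions are unbraced multi-line `if` statements with a trailing comment between the condition and the `throw`, so braces would make the guarded statement unambiguous. The second message still reads `Cannot access data below source URL path.` without the `Untrusted application` wording given to the first, and the enclosing method starts and ends outside both hunks.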