1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
|
/* RhinoBasedPacEvaluator.java
Copyright (C) 2011 Red Hat, Inc.
This file is part of IcedTea.
IcedTea is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, version 2.
IcedTea is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with IcedTea; see the file COPYING. If not, write to
the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA.
Linking this library statically or dynamically with other modules is
making a combined work based on this library. Thus, the terms and
conditions of the GNU General Public License cover the whole
combination.
As a special exception, the copyright holders of this library give you
permission to link this library with independent modules to produce an
executable, regardless of the license terms of these independent
modules, and to copy and distribute the resulting executable under
terms of your choice, provided that you also meet, for each linked
independent module, the terms and conditions of the license of that
module. An independent module is a module which is not derived from
or based on this library. If you modify this library, you may extend
this exception to your version of the library, but you are not
obligated to do so. If you do not wish to do so, delete this
exception statement from your version.
*/
package net.sourceforge.jnlp.runtime;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.SocketPermission;
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;
import net.sourceforge.jnlp.util.TimedHashMap;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.Function;
import org.mozilla.javascript.Scriptable;
/**
* Represents a Proxy Auto Config file. This object can be used to evaluate the
* proxy file to find the proxy for a given url.
*
* @see "http://en.wikipedia.org/wiki/Proxy_auto-config#The_PAC_file"
*/
public class RhinoBasedPacEvaluator implements PacEvaluator {
private final String pacHelperFunctionContents;
private final String pacContents;
private final URL pacUrl;
private final TimedHashMap<String, String> cache;
/**
* Initialize a new object by using the PAC file located at the given URL.
*
* @param pacUrl the url of the PAC file to use
*/
public RhinoBasedPacEvaluator(URL pacUrl) {
if (JNLPRuntime.isDebug()) {
System.err.println("Using the Rhino based PAC evaluator for url " + pacUrl);
}
pacHelperFunctionContents = getHelperFunctionContents();
this.pacUrl = pacUrl;
pacContents = getPacContents(pacUrl);
cache = new TimedHashMap<String, String>();
}
/**
* Get the proxies for accessing a given URL. The result is obtained by
* evaluating the PAC file with the given url (and the host) as input.
*
* This method performs caching of the result.
*
* @param url the url for which a proxy is desired
* @return a list of proxies in a string like
* <pre>"PROXY foo.example.com:8080; PROXY bar.example.com:8080; DIRECT"</pre>
*
* @see #getProxiesWithoutCaching(URL)
*/
public String getProxies(URL url) {
String cachedResult = getFromCache(url);
if (cachedResult != null) {
return cachedResult;
}
String result = getProxiesWithoutCaching(url);
addToCache(url, result);
return result;
}
/**
* Get the proxies for accessing a given URL. The result is obtained by
* evaluating the PAC file with the given url (and the host) as input.
*
* @param url the url for which a proxy is desired
* @return a list of proxies in a string like
* <pre>"PROXY example.com:3128; DIRECT"</pre>
*
* @see #getProxies(URL)
*/
private String getProxiesWithoutCaching(URL url) {
if (pacHelperFunctionContents == null) {
System.err.println("Error loading pac functions");
return "DIRECT";
}
EvaluatePacAction evaluatePacAction = new EvaluatePacAction(pacContents, pacUrl.toString(),
pacHelperFunctionContents, url);
// Purposefully giving only these permissions rather than using java.policy. The "evaluatePacAction"
// isn't supposed to do very much and so doesn't require all the default permissions given by
// java.policy
Permissions p = new Permissions();
p.add(new RuntimePermission("accessClassInPackage.org.mozilla.javascript"));
p.add(new SocketPermission("*", "resolve"));
p.add(new PropertyPermission("java.vm.name", "read"));
ProtectionDomain pd = new ProtectionDomain(null, p);
AccessControlContext context = new AccessControlContext(new ProtectionDomain[] { pd });
return AccessController.doPrivileged(evaluatePacAction, context);
}
/**
* Returns the contents of file at pacUrl as a String.
*/
private String getPacContents(URL pacUrl) {
StringBuilder contents = null;
try {
String line = null;
contents = new StringBuilder();
BufferedReader pacReader = new BufferedReader(new InputStreamReader(pacUrl.openStream()));
try {
while ((line = pacReader.readLine()) != null) {
// System.out.println(line);
contents = contents.append(line).append("\n");
}
} finally {
pacReader.close();
}
} catch (IOException e) {
contents = null;
}
return (contents != null) ? contents.toString() : null;
}
/**
* Returns the pac helper functions as a String. The functions are read
* from net/sourceforge/jnlp/resources/pac-funcs.js
*/
private String getHelperFunctionContents() {
StringBuilder contents = null;
try {
String line;
ClassLoader cl = this.getClass().getClassLoader();
if (cl == null) {
cl = ClassLoader.getSystemClassLoader();
}
InputStream in = cl.getResourceAsStream("net/sourceforge/jnlp/runtime/pac-funcs.js");
BufferedReader pacFuncsReader = new BufferedReader(new InputStreamReader(in));
try {
contents = new StringBuilder();
while ((line = pacFuncsReader.readLine()) != null) {
// System.out.println(line);
contents = contents.append(line).append("\n");
}
} finally {
pacFuncsReader.close();
}
} catch (IOException e) {
e.printStackTrace();
contents = null;
}
return (contents != null) ? contents.toString() : null;
}
/**
* Gets an entry from the cache
*/
private String getFromCache(URL url) {
String lookupString = url.getProtocol() + "://" + url.getHost();
String result = cache.get(lookupString);
return result;
}
/**
* Adds an entry to the cache
*/
private void addToCache(URL url, String proxyResult) {
String lookupString = url.getAuthority() + "://" + url.getHost();
cache.put(lookupString, proxyResult);
}
/**
* Helper classs to run remote javascript code (specified by the user as
* PAC URL) inside a sandbox.
*/
private static class EvaluatePacAction implements PrivilegedAction<String> {
private String pacContents;
private String pacUrl;
private String pacFuncsContents;
private URL url;
public EvaluatePacAction(String pacContents, String pacUrl, String pacFuncsContents, URL url) {
this.pacContents = pacContents;
this.pacUrl = pacUrl;
this.pacFuncsContents = pacFuncsContents;
this.url = url;
}
public String run() {
Context cx = Context.enter();
try {
/*
* TODO defense in depth.
*
* This is already running within a sandbox, but we can (and we
* should) lock it down further. Look into ClassShutter.
*/
Scriptable scope = cx.initStandardObjects();
// any optimization level greater than -1 will trigger code generation
// and this block will then need classloader permissions
cx.setOptimizationLevel(-1);
Object result = null;
result = cx.evaluateString(scope, pacFuncsContents, "internal", 1, null);
result = cx.evaluateString(scope, pacContents, pacUrl, 1, null);
Object functionObj = scope.get("FindProxyForURL", scope);
if (!(functionObj instanceof Function)) {
System.err.println("FindProxyForURL not found");
return null;
} else {
Function findProxyFunction = (Function) functionObj;
Object[] args = { url.toString(), url.getHost() };
result = findProxyFunction.call(cx, scope, scope, args);
return (String) result;
}
} catch (Exception e) {
e.printStackTrace();
return "DIRECT";
} finally {
Context.exit();
}
}
}
}
|
