Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:GA
icedtea-web.12078
CVE-2019-10181.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2019-10181.patch of Package icedtea-web.12078
commit 09bcd3ebb639af6cfd83ff2203ffeb80a59cc0eb Author: Jiri Vanek <jvanek@redhat.com> Date: Fri Jun 28 16:05:35 2019 +0200 All files, except signaturre files, are now checked for signatures diff --git a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java index 759bedfb..cabfb3c5 100644 --- a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java +++ b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java @@ -41,6 +41,7 @@ import java.util.Map; import java.util.Vector; import java.util.jar.JarEntry; +import java.util.regex.Pattern; import net.sourceforge.jnlp.JARDesc; import net.sourceforge.jnlp.JNLPFile; @@ -67,6 +68,7 @@ public class JarCertVerifier implements CertVerifier { private static final String META_INF = "META-INF/"; + private static final Pattern SIG = Pattern.compile(".*" + META_INF + "SIG-.*"); // prefix for new signature-related files in META-INF directory private static final String SIG_PREFIX = META_INF + "SIG-"; @@ -500,12 +502,20 @@ /** * Returns whether a file is in META-INF, and thus does not require signing. - * + * <p> * Signature-related files under META-INF include: . META-INF/MANIFEST.MF . META-INF/SIG-* . META-INF/*.SF . META-INF/*.DSA . META-INF/*.RSA */ static boolean isMetaInfFile(String name) { - String ucName = name.toUpperCase(); - return ucName.startsWith(META_INF); + if (name.endsWith("class")) { + return false; + } + return name.startsWith(META_INF) && ( + name.endsWith(".MF") || + name.endsWith(".SF") || + name.endsWith(".DSA") || + name.endsWith(".RSA") || + SIG.matcher(name).matches() + ); } /** diff --git a/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java b/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java index 4661fb87..44253e08 100644 --- a/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java +++ b/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java @@ -58,9 +58,22 @@ public class JarCertVerifierTest { @Test public void testIsMetaInfFile() { final String METAINF = "META-INF"; + assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.MF")); + assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.SF")); + assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.DSA")); + assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.RSA")); + assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/SIG-blah.blah")); + + assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.MF.class")); + assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.SF.class")); + assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.DSA.class")); + assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.RSA.class")); + assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/SIG-blah.blah.class")); + assertFalse(JarCertVerifier.isMetaInfFile("some_dir/" + METAINF + "/filename")); assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "filename")); - assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/filename")); + assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/filename")); + assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/filename")); } class JarCertVerifierEntry extends JarEntry {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor