Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
icedtea-web.12078
CVE-2019-10185.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2019-10185.patch of Package icedtea-web.12078
commit b4232ae35d2b86592a945a56c948f107fe7efabe Author: Jiri Vanek <jvanek@redhat.com> Date: Wed Jun 26 13:46:45 2019 +0200 Nested jar, if by relative path point up, is stored as hashed diff --git a/netx/net/sourceforge/jnlp/cache/CacheUtil.java b/netx/net/sourceforge/jnlp/cache/CacheUtil.java index a972eb8e..5c8652b6 100644 --- a/netx/net/sourceforge/jnlp/cache/CacheUtil.java +++ b/netx/net/sourceforge/jnlp/cache/CacheUtil.java @@ -741,7 +741,7 @@ } } - private static String hex(String origName, String candidate) throws NoSuchAlgorithmException { + public static String hex(String origName, String candidate) throws NoSuchAlgorithmException { MessageDigest md = MessageDigest.getInstance("SHA-256"); byte[] sum = md.digest(candidate.getBytes(StandardCharsets.UTF_8)); //convert the byte to hex format method 2 diff --git a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java index e015f348..117163f3 100644 --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java @@ -1340,7 +1340,11 @@ // (inline loading with "jar:..!/..." path will not work // with standard classloader methods) - String extractedJarLocation = localFile + ".nested/" + je.getName(); + String name = je.getName(); + if (name.contains("..")){ + name=CacheUtil.hex(name, name); + } + String extractedJarLocation = localFile + ".nested/" + name; File parentDir = new File(extractedJarLocation).getParentFile(); if (!parentDir.isDirectory() && !parentDir.mkdirs()) { throw new RuntimeException(R("RNestedJarExtration")); diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java index 7580d23b..a20a1d8f 100644 --- a/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java +++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java @@ -43,6 +43,8 @@ import java.io.File; import java.io.FileOutputStream; import java.io.InputStream; +import java.io.OutputStream; +import net.sourceforge.jnlp.ResourcesDesc; import java.net.URL; import java.nio.charset.Charset; import java.nio.file.Files; @@ -407,13 +409,7 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest { JNLPRuntime.setDebug(true); try { final JNLPFile jnlpFile1 = new JNLPFile(new URL("http://localhost:" + port + "/up.jnlp")); - final JNLPClassLoader classLoader1 = new JNLPClassLoader(jnlpFile1, UpdatePolicy.ALWAYS) { - @Override - protected void activateJars(List<JARDesc> jars) { - super.activateJars(jars); - } - - }; + final JNLPClassLoader classLoader1 = JNLPClassLoader.getInstance(jnlpFile1, UpdatePolicy.ALWAYS, false); InputStream is1 = classLoader1.getResourceAsStream("Hello1.class"); is1.close(); is1 = classLoader1.getResourceAsStream("META-INF/MANIFEST.MF"); @@ -430,4 +426,74 @@ public class JNLPClassLoaderTest extends NoStdOutErrTest { } + @Test + public void testRelativePathInNestedJars() throws Exception { + CacheUtil.clearCache(); + int port = ServerAccess.findFreePort(); + File dir = FileTestUtils.createTempDirectory(); + dir.deleteOnExit(); + File jar = new File(dir,"jar03_dotdotN1.jar"); + File jnlp = new File(dir,"jar_03_dotdot_jarN1.jnlp"); + InputStream is1 = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp"); + InputStream is2 = ClassLoader.getSystemClassLoader().getResourceAsStream("net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar"); + OutputStream fos1 = new FileOutputStream(jnlp); + OutputStream fos2 = new FileOutputStream(jar); + StreamUtils.copyStream(is1, fos1); + StreamUtils.copyStream(is2, fos2); + fos1.flush();; + fos2.flush(); + fos1.close(); + fos2.close(); + ServerLauncher as = ServerAccess.getIndependentInstance(dir.getAbsolutePath(), port); + boolean verifyBackup = JNLPRuntime.isVerifying(); + boolean trustBackup= JNLPRuntime.isTrustAll(); + boolean securityBAckup= JNLPRuntime.isSecurityEnabled(); + boolean verbose= JNLPRuntime.isDebug(); + JNLPRuntime.setVerify(false); + JNLPRuntime.setTrustAll(true); + JNLPRuntime.setSecurityEnabled(false); + JNLPRuntime.setDebug(true); + try { + //it is invalid jar, so we have to disable checks first + final JNLPFile jnlpFile = new JNLPFile(new URL("http://localhost:" + port + "/jar_03_dotdot_jarN1.jnlp")); + final JNLPClassLoader classLoader = JNLPClassLoader.getInstance(jnlpFile, UpdatePolicy.ALWAYS, false); + + //ThreadGroup group = Thread.currentThread().getThreadGroup(); + //ApplicationInstance app = new ApplicationInstance(jnlpFile, group, classLoader); + //classLoader.setApplication(app); + //app.initialize(); + + //this test is actually not testing mutch. The app must be accessing the nested jar in plugin-like way + InputStream is = classLoader.getResourceAsStream("application/abev/nyomtatvanyinfo/1965.teminfo.enyk"); + is.close(); + is = classLoader.getResourceAsStream("META-INF/MANIFEST.MF"); + is.close(); + is = classLoader.getResourceAsStream("META-INF/j1.jar"); + is.close(); + is = classLoader.getResourceAsStream("META-INF/../../jar01_to_be_injected.jar"); + //the .. is not recognized correctly + //is.close(); + //Class c = classLoader.getClass().forName("Hello1"); + // in j1.jar + is = classLoader.getResourceAsStream("Hello1.class"); + //is.close(); nested jar is not on defualt CP + //in jar01 + //c = classLoader.getClass().forName("com.devdaily.FileUtilities"); + is = classLoader.getResourceAsStream("com/devdaily/FileUtilities.class"); + // is.close(); nested jar is not on defualt CP + Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/0/http/localhost/"+port+"/jar_03_dotdot_jarN1.jnlp").exists()); + Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/jar03_dotdotN1.jar").exists()); + Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/jar03_dotdotN1.jar.nested/99a90686bfbe84e3f9dbeed8127bba85672ed73688d3c69191aa1ee70916a.jar").exists()); + Assert.assertTrue(new File(PathsAndFiles.CACHE_DIR.getFullPath()+"/1/http/localhost/"+port+"/jar03_dotdotN1.jar.nested/META-INF/j1.jar").exists()); + } finally { + JNLPRuntime.setVerify(verifyBackup); + JNLPRuntime.setTrustAll(trustBackup); + JNLPRuntime.setSecurityEnabled(securityBAckup); + JNLPRuntime.setDebug(verbose); + as.stop(); + } + + } + + } diff --git a/tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp b/tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp new file mode 100644 index 00000000..71bdea87 --- /dev/null +++ b/tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp @@ -0,0 +1,15 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<jnlp spec="6.0+" > + +<information><title>1965</title><vendor>Nemzeti Ado- es Vamhivatal</vendor><offline-allowed/></information> + +<security><all-permissions/></security> + +<resources> + <j2se href="http://java.sun.com/products/autodl/j2se" version="1.8+" /> + <jar href="jar03_dotdotN1.jar" version="2.0"/> +</resources> + +<application-desc main-class="http://localhost/jar01.jar!META-INF/jar01_to_be_injected.jar!METAxINF.Test" /> + +</jnlp>
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor