diff options
author | Jiri Vanek <[email protected]> | 2013-04-17 14:30:05 +0200 |
---|---|---|
committer | Jiri Vanek <[email protected]> | 2013-04-17 14:30:05 +0200 |
commit | 6325a345014f6fce359637aab3ce6c6a969cf655 (patch) | |
tree | 20bc154ed69647497e7341954ea1baba6dad5532 /netx/net/sourceforge | |
parent | 72ac500dc654bbc82332712022cca573db0bc3e6 (diff) |
Fixed CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path.
Diffstat (limited to 'netx/net/sourceforge')
-rw-r--r-- | netx/net/sourceforge/jnlp/NetxPanel.java | 6 | ||||
-rw-r--r-- | netx/net/sourceforge/jnlp/PluginBridge.java | 2 | ||||
-rw-r--r-- | netx/net/sourceforge/jnlp/PluginParameters.java | 12 |
3 files changed, 9 insertions, 11 deletions
diff --git a/netx/net/sourceforge/jnlp/NetxPanel.java b/netx/net/sourceforge/jnlp/NetxPanel.java index 8a51566..e9647c8 100644 --- a/netx/net/sourceforge/jnlp/NetxPanel.java +++ b/netx/net/sourceforge/jnlp/NetxPanel.java @@ -72,7 +72,7 @@ public class NetxPanel extends AppletViewerPanel implements SplashController { this.parameters = params; - String uniqueKey = params.getUniqueKey(); + String uniqueKey = params.getUniqueKey(getCodeBase()); synchronized(TGMapMutex) { if (!uKeyToTG.containsKey(uniqueKey)) { ThreadGroup tg = new ThreadGroup(Launcher.mainGroup, this.documentURL.toString()); @@ -199,7 +199,7 @@ public class NetxPanel extends AppletViewerPanel implements SplashController { public ThreadGroup getThreadGroup() { synchronized(TGMapMutex) { - return uKeyToTG.get(parameters.getUniqueKey()); + return uKeyToTG.get(parameters.getUniqueKey(getCodeBase())); } } @@ -209,7 +209,7 @@ public class NetxPanel extends AppletViewerPanel implements SplashController { } // only create a new context if one hasn't already been created for the // applets with this unique key. - if (null == appContextCreated.putIfAbsent(parameters.getUniqueKey(), Boolean.TRUE)) { + if (null == appContextCreated.putIfAbsent(parameters.getUniqueKey(getCodeBase()), Boolean.TRUE)) { SunToolkit.createNewAppContext(); } } diff --git a/netx/net/sourceforge/jnlp/PluginBridge.java b/netx/net/sourceforge/jnlp/PluginBridge.java index 98dee8e..d069479 100644 --- a/netx/net/sourceforge/jnlp/PluginBridge.java +++ b/netx/net/sourceforge/jnlp/PluginBridge.java @@ -188,7 +188,7 @@ public class PluginBridge extends JNLPFile { else security = null; - this.uniqueKey = params.getUniqueKey(); + this.uniqueKey = params.getUniqueKey(codebase); usePack = false; useVersion = false; String jargs = params.getJavaArguments(); diff --git a/netx/net/sourceforge/jnlp/PluginParameters.java b/netx/net/sourceforge/jnlp/PluginParameters.java index 06b1b3c..fa4e8fa 100644 --- a/netx/net/sourceforge/jnlp/PluginParameters.java +++ b/netx/net/sourceforge/jnlp/PluginParameters.java @@ -37,6 +37,7 @@ exception statement from your version. */ package net.sourceforge.jnlp; +import java.net.URL; import java.util.Collections; import java.util.Hashtable; import java.util.Map; @@ -97,10 +98,6 @@ public class PluginParameters { } } - public String getCodebase() { - return getDefaulted("codebase", "."); - } - public boolean useCodebaseLookup() { return Boolean.valueOf(getDefaulted("codebase_lookup", "true")); } @@ -164,7 +161,7 @@ public class PluginParameters { parameters.put("height", Integer.toString(height)); } - public String getUniqueKey() { + public String getUniqueKey(URL codebase) { /* According to http://download.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/applet-compatibility.html, * classloaders are shared iff these properties match: * codebase, cache_archive, java_archive, archive @@ -173,8 +170,9 @@ public class PluginParameters { * always in the same order. The initial "<NAME>=" parts ensure a * bad tag cannot trick the loader into getting shared with another. */ - return "codebase=" + getCodebase() + "cache_archive=" + getCacheArchive() + - "java_archive=" + getJavaArchive() + "archive=" + getArchive(); + return "codebase=" + codebase.toExternalForm() + "cache_archive=" + + getCacheArchive() + "java_archive=" + getJavaArchive() + + "archive=" + getArchive(); } /** |