-
Type:
Bug
-
Resolution: Fixed
-
Priority:
P2
-
Affects Version/s: 6u24
-
Component/s: deploy
-
b142
-
x86, sparc
-
solaris_10, windows_xp
-
Verified
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-2209749 | 6u27 | Abhijit Saha | P2 | Closed | Fixed | b04 |
J2SE Version (please include all output from java -version flag):
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode, sharing)
Also: 1.6.0_24 32bit Apple Inc OS=Mac OS X 10.6.6 i386
Does this problem occur on J2SE 1.4.x, 1.5 or 6? Yes / No (pick one)
6u24 (only)
Operating System Configuration Information (be specific):
Tested with Windows 2003 Server, Windows7, Debian Linux 2.6.33.3, and Mac OS X 10.6.6 i386
Hardware Configuration Information (be specific):
Tested on i386
Bug Description:
If a trusted and signed WebStart-Application ((valid root chain, VeriSign, application launched by browser) itself starts another WebStart-Application on local file system ("file://.../xyz.jnlp") this fails with a SecurityException
since 6u24 and suceeds with 6u23.
Stacktrace:
java.lang.SecurityException: ShowDocument url permission denied
at com.sun.jnlp.BasicServiceImpl.showDocument(BasicServiceImpl.java:102)
at de.espirit.firstspirit.client.JavaClient$3.onSuccess(JavaClient.java:594)
...
Digging into the source you see a security check introduced with 6u24:
/* 101 */ if (!URLUtil.checkTargetURL(this._codebase, paramURL))
/* 102 */ throw new SecurityException("ShowDocument url permission denied");
First parameter is something like "http://abc.de/xyz", second is "file://path/xyz.jnlp".
In URLUtil
* local variable "localURL1" then becomes "http://abc.de/xyz"
* local variable "localURL2" then becomes "file://path/xyz.jnlp"
Then local variable "bool3" is set to
new FilePermission("<<ALL FILES>>", "read").implies(localURL1.openConnection().getPermission());
Since "FilePermission.implies(Permission p)" always returns "false" if the provided permission is not a file permission and "localURL1" points to a web address, "bool3" is set to "false".
Then local variable "bool4" is set to
new FilePermission("<<ALL FILES>>", "read").implies(localURL2.openConnection().getPermission());
Since "localURL2" points to a local file, "bool4" is set to "true".
Then the value of "bool3 || ! bool4" is returned, which equates to "false || ! true" == "false || false" == "false".
This then results in the above mentioned SecurityException.
Steps to Reproduce (be specific):
Launch http://www.e-spirit.de/mitarbeiter/jodeleit/bug-97548.jnlp
Source is at http://www.e-spirit.de/mitarbeiter/jodeleit/Bug97548.java
Signed jar file is at http://www.e-spirit.de/mitarbeiter/jodeleit/bug-97548.jar
Issues mentioned inside 7036163 is still reprodubile with latest jdk7 bits. So all the test failures against 7036163 should be listed inside this CR
java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
Java HotSpot(TM) Client VM (build 19.1-b02, mixed mode, sharing)
Also: 1.6.0_24 32bit Apple Inc OS=Mac OS X 10.6.6 i386
Does this problem occur on J2SE 1.4.x, 1.5 or 6? Yes / No (pick one)
6u24 (only)
Operating System Configuration Information (be specific):
Tested with Windows 2003 Server, Windows7, Debian Linux 2.6.33.3, and Mac OS X 10.6.6 i386
Hardware Configuration Information (be specific):
Tested on i386
Bug Description:
If a trusted and signed WebStart-Application ((valid root chain, VeriSign, application launched by browser) itself starts another WebStart-Application on local file system ("file://.../xyz.jnlp") this fails with a SecurityException
since 6u24 and suceeds with 6u23.
Stacktrace:
java.lang.SecurityException: ShowDocument url permission denied
at com.sun.jnlp.BasicServiceImpl.showDocument(BasicServiceImpl.java:102)
at de.espirit.firstspirit.client.JavaClient$3.onSuccess(JavaClient.java:594)
...
Digging into the source you see a security check introduced with 6u24:
/* 101 */ if (!URLUtil.checkTargetURL(this._codebase, paramURL))
/* 102 */ throw new SecurityException("ShowDocument url permission denied");
First parameter is something like "http://abc.de/xyz", second is "file://path/xyz.jnlp".
In URLUtil
* local variable "localURL1" then becomes "http://abc.de/xyz"
* local variable "localURL2" then becomes "file://path/xyz.jnlp"
Then local variable "bool3" is set to
new FilePermission("<<ALL FILES>>", "read").implies(localURL1.openConnection().getPermission());
Since "FilePermission.implies(Permission p)" always returns "false" if the provided permission is not a file permission and "localURL1" points to a web address, "bool3" is set to "false".
Then local variable "bool4" is set to
new FilePermission("<<ALL FILES>>", "read").implies(localURL2.openConnection().getPermission());
Since "localURL2" points to a local file, "bool4" is set to "true".
Then the value of "bool3 || ! bool4" is returned, which equates to "false || ! true" == "false || false" == "false".
This then results in the above mentioned SecurityException.
Steps to Reproduce (be specific):
Launch http://www.e-spirit.de/mitarbeiter/jodeleit/bug-97548.jnlp
Source is at http://www.e-spirit.de/mitarbeiter/jodeleit/Bug97548.java
Signed jar file is at http://www.e-spirit.de/mitarbeiter/jodeleit/bug-97548.jar
Issues mentioned inside 7036163 is still reprodubile with latest jdk7 bits. So all the test failures against 7036163 should be listed inside this CR
- backported by
-
JDK-2209749 javax.jnlp.BasicService.showDocument() throws SecurityException for trusted app
-
- Closed
-
- duplicates
-
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-