Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8135115

DRS1.3: App is not blocked when there is a invalid attribute in jnlp-checksum

    XMLWordPrintable

Details

    • b83
    • Verified

    Backports

      Description

        When adding cases to cover JDK-8132336, I found that:
        when set invalid element in jnlp-checksum, for example <jnlp-checksum abc="BSAQgw8ZLyRFpOYiK4+mhQNJOmxmtNb8HNjTsyNvYaI="/>, no blocked dialog saying "Exception parsing Deployment Rule Set file" shows up.

        Steps to reproduce:
        1. Import self ca cert to JCP -> Security -> Manage Certificates -> Singer CA.
            http://kgb.us.oracle.com:8080/DRS13Manual/lib/self.valid.cert
        2. Set up DeploymentRuleSet.jar:
            http://kgb.us.oracle.com:8080/DRS13Manual/lib/DeploymentRuleSet.jar.run-Jnlp-Checksum-WithoutHash-kgb/DeploymentRuleSet.jar
            It sets a invalid element "abc" instead of "hash": <jnlp-checksum abc="BSAQgw8ZLyRFpOYiK4+mhQNJOmxmtNb8HNjTsyNvYaI="/>
            For rule set content, see http://kgb.us.oracle.com:8080/DRS13Manual/lib/DeploymentRuleSet.jar.run-Jnlp-Checksum-WithoutHash-kgb/ruleset.xml
        3. Open browser and load http://kgb.us.oracle.com:8080/DRS13Manual/html/testApps.html
        4. Launch casinged jnlp by clicking on the link testCertsignedAllpermissionJNLPNoHref.jnlp from a browser
        5. If a valid security warning dialog shows up, then this issue is reproduced.
        Expected behavior:
        An application blocked dialog saying "Exception parsing Deployment Rule Set file" should show up. For now, seems it's considered as "none match".

        Note:
        The same issue for:
        1. Set invalid value for "hash", for example, <jnlp-checksum hash="abcdefg"/>. See http://kgb.us.oracle.com:8080/DRS13Manual/lib/DeploymentRuleSet.jar.run-Jnlp-Checksum-WrongHash-kgb/ruleset.xml
        2. Set rule set version to 1.0 and with jnlp-checksum element in ruleset.xml. See http://kgb.us.oracle.com:8080/DRS13Manual/lib/DeploymentRuleSet.jar.run-Jnlp-Checksum--Version-kgb/ruleset.xml
        3. Set empty hash valure, for example, <jnlp-checksum hash=""/>.

        Attachments

          Issue Links

            Activity

              People

                herrick Andy Herrick (Inactive)
                wenjyang Crystal Yang (Inactive)
                Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: