JDK-8145383

ESL app signed by expired cert with sandbox permissions is not blocked if main jar is blacklisted


    • b105
    • Verified

      ENV: win7/x86/jre9-b96
      Steps to reproduce:
      1. Add http://kgb.us.oracle.com:8080 to Exception Site List
      2. Copy http://kgb.us.oracle.com:8080/JawsESL/lib/blacklist to JRE_HOME/lib/security
      3. Load jnlp that is expired CA signed and sandboxed:
      javaws http://kgb.us.oracle.com:8080/JawsESL/jnlp/testExpiredCASignedMFSandboxHello.jnlp
      4. Test URL matches ESL entry but its jar is blacklisted
      5. If a security warning dialog saying "An unsigned application from the location below is requesting permission to run" shows up, then this bug is reproduced. See attachment b96.png
      Expected behavior: app should be blocked

      Note: no such issue with jre9-b95. See attachment b95.png

        1. b95.png (25 kB)
        2. b96.png (17 kB)

            herrick Andy Herrick (Inactive)
            wenjyang Crystal Yang (Inactive)