File CVE-2019-10181.patch of Package icedtea-web.12078
commit 09bcd3ebb639af6cfd83ff2203ffeb80a59cc0eb
Author: Jiri Vanek <jvanek@redhat.com>
Date: Fri Jun 28 16:05:35 2019 +0200
All files, except signaturre files, are now checked for signatures
diff --git a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
index 759bedfb..cabfb3c5 100644
--- a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
+++ b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
@@ -41,6 +41,7 @@
import java.util.Map;
import java.util.Vector;
import java.util.jar.JarEntry;
+import java.util.regex.Pattern;
import net.sourceforge.jnlp.JARDesc;
import net.sourceforge.jnlp.JNLPFile;
@@ -67,6 +68,7 @@
public class JarCertVerifier implements CertVerifier {
private static final String META_INF = "META-INF/";
+ private static final Pattern SIG = Pattern.compile(".*" + META_INF + "SIG-.*");
// prefix for new signature-related files in META-INF directory
private static final String SIG_PREFIX = META_INF + "SIG-";
@@ -500,12 +502,20 @@
/**
* Returns whether a file is in META-INF, and thus does not require signing.
- *
+ * <p>
* Signature-related files under META-INF include: . META-INF/MANIFEST.MF . META-INF/SIG-* . META-INF/*.SF . META-INF/*.DSA . META-INF/*.RSA
*/
static boolean isMetaInfFile(String name) {
- String ucName = name.toUpperCase();
- return ucName.startsWith(META_INF);
+ if (name.endsWith("class")) {
+ return false;
+ }
+ return name.startsWith(META_INF) && (
+ name.endsWith(".MF") ||
+ name.endsWith(".SF") ||
+ name.endsWith(".DSA") ||
+ name.endsWith(".RSA") ||
+ SIG.matcher(name).matches()
+ );
}
/**
diff --git a/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java b/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
index 4661fb87..44253e08 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
@@ -58,9 +58,22 @@ public class JarCertVerifierTest {
@Test
public void testIsMetaInfFile() {
final String METAINF = "META-INF";
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.MF"));
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.SF"));
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.DSA"));
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.RSA"));
+ assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/SIG-blah.blah"));
+
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.MF.class"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.SF.class"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.DSA.class"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.RSA.class"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/SIG-blah.blah.class"));
+
assertFalse(JarCertVerifier.isMetaInfFile("some_dir/" + METAINF + "/filename"));
assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "filename"));
- assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
+ assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
}
class JarCertVerifierEntry extends JarEntry {