File CVE-2019-10181.patch of Package icedtea-web.23597

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-10181.patch of Package icedtea-web.23597

commit 09bcd3ebb639af6cfd83ff2203ffeb80a59cc0eb
Author: Jiri Vanek <jvanek@redhat.com>
Date:   Fri Jun 28 16:05:35 2019 +0200

All files, except signaturre files, are now  checked for signatures

diff --git a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
index 759bedfb..cabfb3c5 100644
--- a/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
+++ b/netx/net/sourceforge/jnlp/tools/JarCertVerifier.java
@@ -41,6 +41,7 @@
 import java.util.Map;
 import java.util.Vector;
 import java.util.jar.JarEntry;
+import java.util.regex.Pattern;
 
 import net.sourceforge.jnlp.JARDesc;
 import net.sourceforge.jnlp.JNLPFile;
@@ -67,6 +68,7 @@
 public class JarCertVerifier implements CertVerifier {
 
     private static final String META_INF = "META-INF/";
+    private static final Pattern SIG = Pattern.compile(".*" + META_INF + "SIG-.*");
 
     // prefix for new signature-related files in META-INF directory
     private static final String SIG_PREFIX = META_INF + "SIG-";
@@ -500,12 +502,20 @@
 
     /**
      * Returns whether a file is in META-INF, and thus does not require signing.
-     * 
+     * <p>
      * Signature-related files under META-INF include: . META-INF/MANIFEST.MF . META-INF/SIG-* . META-INF/*.SF . META-INF/*.DSA . META-INF/*.RSA
      */
     static boolean isMetaInfFile(String name) {
-        String ucName = name.toUpperCase();
-        return ucName.startsWith(META_INF);
+        if (name.endsWith("class")) {
+            return false;
+        }
+        return name.startsWith(META_INF) && (
+                name.endsWith(".MF") ||
+                name.endsWith(".SF") ||
+                name.endsWith(".DSA") ||
+                name.endsWith(".RSA") ||
+                SIG.matcher(name).matches()
+        );
     }
 
     /**
diff --git a/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java b/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
index 4661fb87..44253e08 100644
--- a/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
+++ b/tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java
@@ -58,9 +58,22 @@ public class JarCertVerifierTest {
     @Test
     public void testIsMetaInfFile() {
         final String METAINF = "META-INF";
+        assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.MF"));
+        assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.SF"));
+        assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.DSA"));
+        assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/file.RSA"));
+        assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/SIG-blah.blah"));
+
+        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.MF.class"));
+        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.SF.class"));
+        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.DSA.class"));
+        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/file.RSA.class"));
+        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/SIG-blah.blah.class"));
+
         assertFalse(JarCertVerifier.isMetaInfFile("some_dir/" + METAINF + "/filename"));
         assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "filename"));
-        assertTrue(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
+        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
+        assertFalse(JarCertVerifier.isMetaInfFile(METAINF + "/filename"));
     }
 
     class JarCertVerifierEntry extends JarEntry {

Places

File CVE-2019-10181.patch of Package icedtea-web.23597

Places