fixing CVEs 2019- 10181, 10182, 10185 found by Imre Rad - master #344
Merged
…VE-2019-10182
* netx/net/sourceforge/jnlp/cache/CacheUtil.java: if path or query contains .. is saved to cache via its hash
* netx/net/sourceforge/jnlp/util/FileUtils.java: added warning about different behavior on win/linux
* tests/netx/unit/net/sourceforge/jnlp/cache/CacheUtilTest.java: added tests for hashing
* tests/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java: added test for .. in path. Added test that verifies encoded .. (%2E%2E) do not leak from cache
* tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp: example jnlp with .. full url
* tests/netx/unit/net/sourceforge/jnlp/runtime/up.jnlp: example jnlp with encoded ..

…019-10185
* tests/netx/unit/net/sourceforge/jnlp/runtime/jar03_dotdotN1.jar: crafted jar with hacked zip entries to be named like ".."
* tests/netx/unit/net/sourceforge/jnlp/runtime/jar_03_dotdot_jarN1.jnlp: jnlp to call jar03_dotdotN1.jar
* netx/net/sourceforge/jnlp/cache/CacheUtil.java: (hex) made public to be reused in JNLPClassLoader
* netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: if nested jar contains .. in path, is extracted as hashed

…VE-2019-10181
* netx/net/sourceforge/jnlp/tools/JarCertVerifier.java: (isMetaInfFile) fixed bug, when anything in META-INF was not checked for signature. Now only signature files are skipped
* tests/netx/unit/net/sourceforge/jnlp/tools/JarCertVerifierTest.java: added tests for check if file should be skipped from signature check
* sts/netx/unit/net/sourceforge/jnlp/runtime/JNLPClassLoaderTest.java: split testRelativePathInNestedJars to itself without certificate check testDifferentSignatureInManifestMf as the different signature is now not passable

…odebase is suddenly no longer deducted by itw
Added explicit . codebase to the test jnlp file jar_03_dotdot_jarN1.jnlp
btw the 140c981 is candidate for revert, and fix the regression to make this test pass. The default codebase absence will make many no longer maintained apps to die

So good to commit tomorrow?
sclassen approved these changes on Aug 2, 2019
No description provided.
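The cache-naming rule described in the first commit message above (a resource whose path or query contains `..`, literal or encoded as `%2E%2E`, is stored under its hash), sketched as an added Java example that is not the project's own code. The class and method names, the choice of SHA-256, the final containment check, and the `example.test` URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class HashedCacheName {
    // Hypothetical helper: lowercase hex SHA-256 of a string (hash choice is an assumption).
    static String hex(String s) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Map a remote resource to a file below cacheRoot without letting ".." choose the location.
    static Path cacheFileFor(Path cacheRoot, URI uri) throws NoSuchAlgorithmException {
        // getPath()/getQuery() return the decoded form, so %2E%2E is seen as ".." here.
        String path = uri.getPath() == null ? "" : uri.getPath();
        String query = uri.getQuery() == null ? "" : uri.getQuery();
        String name = query.isEmpty() ? path : path + "." + query;
        Path hostDir = cacheRoot.resolve(uri.getHost() == null ? "nohost" : uri.getHost());
        Path target = (path.contains("..") || query.contains(".."))
                ? hostDir.resolve(hex(name))                       // opaque name, no path semantics
                : hostDir.resolve(name.replaceFirst("^/+", ""));   // ordinary case keeps its layout
        // Defence in depth: the resolved file must still be inside the cache directory.
        Path normalized = target.normalize();
        if (!normalized.startsWith(cacheRoot.normalize())) {
            throw new SecurityException("cache entry escapes cache root: " + uri);
        }
        return normalized;
    }

    public static void main(String[] args) throws Exception {
        Path root = Paths.get("/tmp/cache-example");   // constructed sample cache root
        String[] urls = {                              // constructed sample URLs
            "http://example.test/app/lib/main.jar",
            "http://example.test/app/../../../up.jar",
            "http://example.test/app/%2E%2E/%2E%2E/up.jar",
            "http://example.test/app/get.jar?file=../../up.jar",
        };
        for (String u : urls) {
            System.out.println(u + " -> " + cacheFileFor(root, URI.create(u)));
        }
    }
}
```

Only the first URL keeps a readable file name; the other three land in the host directory under a hex digest, so no `..` segment ever reaches the file system.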