--- a/jdk/src/share/classes/java/net/SocketPermission.java Mon May 02 11:47:55 2011 +0100
+++ b/jdk/src/share/classes/java/net/SocketPermission.java Mon May 02 20:11:18 2011 +0100
@@ -41,7 +41,6 @@
import java.io.IOException;
import sun.net.util.IPAddressUtil;
import sun.security.util.SecurityConstants;
-import sun.security.util.Debug;
/**
@@ -212,32 +211,13 @@
// port range on host
private transient int[] portrange;
- private transient boolean defaultDeny = false;
-
- // true if this SocketPermission represents a hostname
- // that failed our reverse mapping heuristic test
- private transient boolean untrusted;
- private transient boolean trusted;
-
- // true if the sun.net.trustNameService system property is set
- private static boolean trustNameService;
-
- private static Debug debug = null;
- private static boolean debugInit = false;
+ // true if the trustProxy system property is set
+ private static boolean trustProxy;
static {
Boolean tmp = java.security.AccessController.doPrivileged(
- new sun.security.action.GetBooleanAction("sun.net.trustNameService"));
- trustNameService = tmp.booleanValue();
- }
-
- private static synchronized Debug getDebug()
- {
- if (!debugInit) {
- debug = Debug.getInstance("access");
- debugInit = true;
- }
- return debug;
+ new sun.security.action.GetBooleanAction("trustProxy"));
+ trustProxy = tmp.booleanValue();
}
/**
@@ -283,10 +263,6 @@
init(getName(), mask);
}
- private void setDeny() {
- defaultDeny = true;
- }
-
private static String getHost(String host)
{
if (host.equals("")) {
@@ -584,38 +560,6 @@
return mask;
}
- private boolean isUntrusted()
- throws UnknownHostException
- {
- if (trusted) return false;
- if (invalid || untrusted) return true;
- try {
- if (!trustNameService && (defaultDeny ||
- sun.net.www.URLConnection.isProxiedHost(hostname))) {
- if (this.cname == null) {
- this.getCanonName();
- }
- if (!match(cname, hostname) &&
- (defaultDeny || !cname.equals(addresses[0].getHostAddress()))) {
- // Last chance
- if (!authorized(hostname, addresses[0].getAddress())) {
- untrusted = true;
- Debug debug = getDebug();
- if (debug != null && Debug.isOn("failure")) {
- debug.println("socket access restriction: proxied host " + "(" + addresses[0] + ")" + " does not match " + cname + " from reverse lookup");
- }
- return true;
- }
- }
- trusted = true;
- }
- } catch (UnknownHostException uhe) {
- invalid = true;
- throw uhe;
- }
- return false;
- }
-
/**
* attempt to get the fully qualified domain name
*
@@ -623,7 +567,7 @@
void getCanonName()
throws UnknownHostException
{
- if (cname != null || invalid || untrusted) return;
+ if (cname != null || invalid) return;
// attempt to get the canonical name
@@ -649,141 +593,6 @@
}
}
- private String cdomain, hdomain;
-
- private boolean match(String cname, String hname) {
- String a = cname.toLowerCase();
- String b = hname.toLowerCase();
- if (a.startsWith(b) &&
- ((a.length() == b.length()) || (a.charAt(b.length()) == '.')))
- return true;
- if (cdomain == null) {
- cdomain = guessRegisteredDomain(a);
- }
- if (hdomain == null) {
- hdomain = guessRegisteredDomain(b);
- }
-
- return cdomain.length() != 0 && hdomain.length() != 0
- && cdomain.equals(hdomain);
- }
-
-
- /* Apart from special cases, this checks for 2 letter TLD
- * (usually ccTLD) and then for a specific set of common labels
- * indicating likely 2nd level public suffixes. If both conditions
- * true then return right most three labels. Otherwise, return
- * 2 rightmost labels.
- *
- * www.sun.com. -> sun.com
- * www.sun.co.uk -> sun.co.uk
- * www.sun.com.au -> sun.com.au
- */
-
- private String guessRegisteredDomain(String cname) {
- int dot;
- dot = cname.lastIndexOf('.');
- if (dot == -1)
- return cname;
- if (dot == 0)
- return "";
- if (dot == cname.length() - 1) {
- cname = cname.substring(0, cname.length() -1);
- dot = cname.lastIndexOf('.');
- }
- if (dot < 1)
- return "";
- int second = cname.lastIndexOf('.', dot - 1);
- if (second == -1)
- return cname;
- if (((cname.length() - dot) <= 3) && ((dot - second) <= 4) && second > 0) {
- if (dot - second == 4) {
- String s = cname.substring(second + 1, dot);
- if (!(s.equals("com") || s.equals("org") || s.equals("edu"))) {
- return cname.substring(second + 1);
- }
- }
- int third = cname.lastIndexOf('.', second - 1);
- if (third == -1)
- return cname.substring(second + 1);
- else
- return cname.substring(third + 1);
- }
- return cname.substring(second + 1);
- }
-
-
- private boolean authorized(String cname, byte[] addr) {
- if (addr.length == 4)
- return authorizedIPv4(cname, addr);
- else if (addr.length == 16)
- return authorizedIPv6(cname, addr);
- else
- return false;
- }
-
- private boolean authorizedIPv4(String cname, byte[] addr) {
- String authHost = "";
- InetAddress auth;
-
- try {
- authHost = "auth." +
- (addr[3] & 0xff) + "." + (addr[2] & 0xff) + "." +
- (addr[1] & 0xff) + "." + (addr[0] & 0xff) +
- ".in-addr.arpa";
- // Following check seems unnecessary
- // auth = InetAddress.getAllByName0(authHost, false)[0];
- authHost = hostname + '.' + authHost;
- auth = InetAddress.getAllByName0(authHost, false)[0];
- if (auth.equals(InetAddress.getByAddress(addr))) {
- return true;
- }
- Debug debug = getDebug();
- if (debug != null && Debug.isOn("failure")) {
- debug.println("socket access restriction: IP address of " + auth + " != " + InetAddress.getByAddress(addr));
- }
- } catch (UnknownHostException uhe) {
- Debug debug = getDebug();
- if (debug != null && Debug.isOn("failure")) {
- debug.println("socket access restriction: forward lookup failed for " + authHost);
- }
- }
- return false;
- }
-
- private boolean authorizedIPv6(String cname, byte[] addr) {
- String authHost = "";
- InetAddress auth;
-
- try {
- StringBuffer sb = new StringBuffer(39);
-
- for (int i = 15; i >= 0; i--) {
- sb.append(Integer.toHexString(((addr[i]) & 0x0f)));
- sb.append('.');
- sb.append(Integer.toHexString(((addr[i] >> 4) & 0x0f)));
- sb.append('.');
- }
- authHost = "auth." + sb.toString() + "IP6.ARPA";
- //auth = InetAddress.getAllByName0(authHost, false)[0];
- authHost = hostname + '.' + authHost;
- auth = InetAddress.getAllByName0(authHost, false)[0];
- if (auth.equals(InetAddress.getByAddress(addr)))
- return true;
- Debug debug = getDebug();
- if (debug != null && Debug.isOn("failure")) {
- debug.println("socket access restriction: IP address of " + auth + " != " + InetAddress.getByAddress(addr));
- }
- } catch (UnknownHostException uhe) {
- Debug debug = getDebug();
- if (debug != null && Debug.isOn("failure")) {
- debug.println("socket access restriction: forward lookup failed for " + authHost);
- }
- }
- return false;
- }
-
-
/**
* get IP addresses. Sets invalid to true if we can't get them.
*
@@ -911,7 +720,12 @@
// return if either one of these NetPerm objects are invalid...
if (this.invalid || that.invalid) {
- return compareHostnames(that);
+ return (trustProxy ? inProxyWeTrust(that) : false);
+ }
+
+
+ if (this.getName().equalsIgnoreCase(that.getName())) {
+ return true;
}
try {
@@ -964,29 +778,28 @@
that.getIP();
}
- if (!(that.init_with_ip && this.isUntrusted())) {
- for (j = 0; j < this.addresses.length; j++) {
- for (i=0; i < that.addresses.length; i++) {
- if (this.addresses[j].equals(that.addresses[i]))
- return true;
- }
+ for (j = 0; j < this.addresses.length; j++) {
+ for (i=0; i < that.addresses.length; i++) {
+ if (this.addresses[j].equals(that.addresses[i]))
+ return true;
}
-
- // XXX: if all else fails, compare hostnames?
- // Do we really want this?
- if (this.cname == null) {
- this.getCanonName();
- }
-
- if (that.cname == null) {
- that.getCanonName();
- }
-
- return (this.cname.equalsIgnoreCase(that.cname));
}
+ // XXX: if all else fails, compare hostnames?
+ // Do we really want this?
+ if (this.cname == null) {
+ this.getCanonName();
+ }
+
+ if (that.cname == null) {
+ that.getCanonName();
+ }
+
+ return (this.cname.equalsIgnoreCase(that.cname));
+
} catch (UnknownHostException uhe) {
- return compareHostnames(that);
+ if (trustProxy)
+ return inProxyWeTrust(that);
}
// make sure the first thing that is done here is to return
@@ -995,23 +808,19 @@
return false;
}
- private boolean compareHostnames(SocketPermission that) {
- // we see if the original names/IPs passed in were equal.
+ private boolean inProxyWeTrust(SocketPermission that) {
+ // if we trust the proxy, we see if the original names/IPs passed
+ // in were equal.
String thisHost = hostname;
String thatHost = that.hostname;
- if (thisHost == null) {
+ if (thisHost == null)
return false;
- } else if (this.wildcard) {
- final int cnameLength = this.cname.length();
- return thatHost.regionMatches(true,
- (thatHost.length() - cnameLength), this.cname, 0, cnameLength);
- } else {
+ else
return thisHost.equalsIgnoreCase(thatHost);
- }
+
}
-
/**
* Checks two SocketPermission objects for equality.
* <P>