6691503: Malicious applet can show always-on-top popup menu which has whole screen size
authormlapshin
Wed, 23 Apr 2008 18:06:34 +0400
changeset 414 05c1395dbe48
parent 413 df8242b2f5cf
child 415 23e75436b8f6
child 453 145f4ac00bfd
6691503: Malicious applet can show always-on-top popup menu which has whole screen size Summary: The fix for 6675802 is replaced by a try-catch clause that catches SequrityExceptions for applets. Reviewed-by: alexp
jdk/src/share/classes/javax/swing/Popup.java
jdk/test/javax/swing/JPopupMenu/6691503/bug6691503.java
--- a/jdk/src/share/classes/javax/swing/Popup.java	Fri Apr 18 18:21:02 2008 +0400
+++ b/jdk/src/share/classes/javax/swing/Popup.java	Wed Apr 23 18:06:34 2008 +0400
@@ -229,14 +229,15 @@
             // Popups are typically transient and most likely won't benefit
             // from true double buffering.  Turn it off here.
             getRootPane().setUseTrueDoubleBuffering(false);
-            java.security.AccessController.doPrivileged(
-                    new java.security.PrivilegedAction<Object>() {
-                        public Object run() {
-                            setAlwaysOnTop(true);
-                            return null;
-                        }
-                    }
-            );
+            // Try to set "always-on-top" for the popup window.
+            // Applets usually don't have sufficient permissions to do it.
+            // In this case simply ignore the exception.
+            try {
+                setAlwaysOnTop(true);
+            } catch (SecurityException se) {
+                // setAlwaysOnTop is restricted,
+                // the exception is ignored
+            }
         }
 
         public void update(Graphics g) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/javax/swing/JPopupMenu/6691503/bug6691503.java	Wed Apr 23 18:06:34 2008 +0400
@@ -0,0 +1,113 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6691503
+ * @summary Checks that there is no opportunity for a malicious applet
+ * to show a popup menu which has whole screen size.
+ * a heaviweight popup menu is shown from an applet.
+ * @author Mikhail Lapshin
+ * @run main bug6691503
+ */
+
+import sun.awt.SunToolkit;
+
+import javax.swing.*;
+import java.awt.*;
+
+public class bug6691503 {
+    private JPopupMenu popupMenu;
+    private JFrame frame;
+    private boolean isAlwaysOnTop1 = false;
+    private boolean isAlwaysOnTop2 = true;
+
+    public static void main(String[] args) {
+        bug6691503 test = new bug6691503();
+        test.setupUI();
+        test.testApplication();
+        test.testApplet();
+        test.checkResult();
+        test.stopEDT();
+    }
+
+    private void setupUI() {
+        SwingUtilities.invokeLater(new Runnable() {
+            public void run() {
+                frame = new JFrame();
+                frame.setVisible(true);
+                popupMenu = new JPopupMenu();
+                JMenuItem click = new JMenuItem("Click");
+                popupMenu.add(click);
+            }
+        });
+    }
+
+    private void testApplication() {
+        SwingUtilities.invokeLater(new Runnable() {
+            public void run() {
+                popupMenu.show(frame, 0, 0);
+                Window popupWindow = (Window)
+                        (popupMenu.getParent().getParent().getParent().getParent());
+                isAlwaysOnTop1 = popupWindow.isAlwaysOnTop();
+                System.out.println(
+                        "Application: popupWindow.isAlwaysOnTop() = " + isAlwaysOnTop1);
+                popupMenu.setVisible(false);
+            }
+        });
+    }
+
+    private void testApplet() {
+        SwingUtilities.invokeLater(new Runnable() {
+            public void run() {
+                System.setSecurityManager(new SecurityManager());
+                popupMenu.show(frame, 0, 0);
+                Window popupWindow = (Window)
+                        (popupMenu.getParent().getParent().getParent().getParent());
+                isAlwaysOnTop2 = popupWindow.isAlwaysOnTop();
+                System.out.println(
+                        "Applet: popupWindow.isAlwaysOnTop() = " + isAlwaysOnTop2);
+                popupMenu.setVisible(false);
+            }
+        });
+    }
+
+    private void checkResult() {
+        ((SunToolkit)(Toolkit.getDefaultToolkit())).realSync();
+        if (!isAlwaysOnTop1 || isAlwaysOnTop2) {
+            throw new RuntimeException("Malicious applet can show always-on-top " +
+                    "popup menu which has whole screen size");
+        }
+        System.out.println("Test passed");
+    }
+
+    private void stopEDT() {
+        SwingUtilities.invokeLater(new Runnable() {
+            public void run() {
+                frame.dispose();
+            }
+        });
+    }
+}
+
+