From 3ae2d29984608ceeec5e45a094804f557325040e Mon Sep 17 00:00:00 2001
From: michaelm
Date: Wed, 23 Oct 2013 11:00:12 +0100
Subject: [PATCH] 8025734: Use literal IP address where possible in SocketPermission generated by HttpURLPermission
Reviewed-by: chegar
---
 .../www/protocol/http/HttpURLConnection.java | 12 ++
 .../net/URLPermission/nstest/LookupTest.java | 122 ++++++++++++++++++
 ....net.spi.nameservice.NameServiceDescriptor | 22 ++++
 .../nstest/SimpleNameService.java | 102 +++++++++++++++
 .../nstest/SimpleNameServiceDescriptor.java | 52 ++++++++
 test/java/net/URLPermission/nstest/policy | 41 ++++++
 6 files changed, 351 insertions(+)
 create mode 100644 test/java/net/URLPermission/nstest/LookupTest.java
 create mode 100644 test/java/net/URLPermission/nstest/META-INF/services/sun.net.spi.nameservice.NameServiceDescriptor
 create mode 100644 test/java/net/URLPermission/nstest/SimpleNameService.java
 create mode 100644 test/java/net/URLPermission/nstest/SimpleNameServiceDescriptor.java
 create mode 100644 test/java/net/URLPermission/nstest/policy
diff --git a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
index 0a327cca4..bab8305bb 100644
--- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
+++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
@@ -903,6 +903,18 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
 private String getHostAndPort(URL url) {
 String host = url.getHost();
+ final String hostarg = host;
+ try {
+ // lookup hostname and use IP address if available
+ host = AccessController.doPrivileged(
+ new PrivilegedExceptionAction() {
+ public String run() throws IOException {
+ InetAddress addr = InetAddress.getByName(hostarg);
+ return addr.getHostAddress();
+ }
+ }
+ );
+ } catch (PrivilegedActionException e) {}
 int port = url.getPort();
 if (port == -1) {
 String scheme = url.getProtocol();
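Review bot: The empty `catch (PrivilegedActionException e) {}` in getHostAndPort hides a security-relevant fallback: when the lookup fails, `host` keeps the name taken from the URL, and the permission is presumably built on that name rather than on a literal address. Say so in place, e.g. `} catch (PrivilegedActionException e) { /* lookup failed: keep the URL's host name */ }`. Two things should be confirmed in the part of the function that lies outside this hunk. `getHostAddress()` returns an IPv6 literal without brackets, so if the remainder builds `host + ":" + port`, such addresses would need to be wrapped as `"[" + addr.getHostAddress() + "]"`. The address resolved here is also a separate lookup from the one the connection performs later, so the two agree only as far as the resolver cache guarantees.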
diff --git a/test/java/net/URLPermission/nstest/LookupTest.java b/test/java/net/URLPermission/nstest/LookupTest.java
new file mode 100644
index 000000000..5b7635765
--- /dev/null
+++ b/test/java/net/URLPermission/nstest/LookupTest.java
@@ -0,0 +1,122 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/* @test
+ * @compile -XDignore.symbol.file=true SimpleNameService.java
+ * SimpleNameServiceDescriptor.java
+ * @run main/othervm/timeout=200 -Dsun.net.spi.nameservice.provider.1=simple,sun LookupTest
+ */
+
+/**
+ * This is a simple smoke test of the HttpURLPermission mechanism, which
+ * checks for either IOException (due to unknown host) or SecurityException
+ * due to lack of permission to connect
+ */
+
+import java.net.*;
+import java.io.*;
+
+public class LookupTest {
+
+ static void test(
+ String url, boolean throwsSecException, boolean throwsIOException)
+ {
+ try {
+ URL u = new URL(url);
+ System.err.println ("Connecting to " + u);
+ URLConnection urlc = u.openConnection();
+ InputStream is = urlc.getInputStream();
+ } catch (SecurityException e) {
+ if (!throwsSecException) {
+ throw new RuntimeException ("(1) was not expecting " + e);
+ }
+ return;
+ } catch (IOException ioe) {
+ if (!throwsIOException) {
+ throw new RuntimeException ("(2) was not expecting " + ioe);
+ }
+ return;
+ }
+ if (throwsSecException || throwsIOException) {
+ System.err.printf ("was expecting a %s\n", throwsSecException ?
+ "security exception" : "IOException");
+ throw new RuntimeException("was expecting an exception");
+ }
+ }
+
+ public static void main(String args[]) throws Exception {
+ SimpleNameService.put("allowedAndFound.com", "127.0.0.1");
+ SimpleNameService.put("notAllowedButFound.com", "99.99.99.99");
+ // name "notAllowedAndNotFound.com" is not in map
+ // name "allowedButNotfound.com" is not in map
+ startServer();
+
+ String policyFileName = "file://" + System.getProperty("test.src", ".") + "/policy";
+ System.err.println ("policy = " + policyFileName);
+
+ System.setProperty("java.security.policy", policyFileName);
+
+ System.setSecurityManager(new SecurityManager());
+
+ test("http://allowedAndFound.com:50100/foo", false, false);
+
+ test("http://notAllowedButFound.com:50100/foo", true, false);
+
+ test("http://allowedButNotfound.com:50100/foo", false, true);
+
+ test("http://notAllowedAndNotFound.com:50100/foo", true, false);
+ }
+
+ static Thread server;
+ static ServerSocket serverSocket;
+
+ static class Server extends Thread {
+ public void run() {
+ byte[] buf = new byte[1000];
+ try {
+ while (true) {
+ Socket s = serverSocket.accept();
+ InputStream i = s.getInputStream();
+ i.read(buf);
+ OutputStream o = s.getOutputStream();
+ String rsp = "HTTP/1.1 200 Ok\r\n" +
+ "Connection: close\r\nContent-length: 0\r\n\r\n";
+ o.write(rsp.getBytes());
+ o.close();
+ }
+ } catch (IOException e) {
+ return;
+ }
+ }
+ }
+
+ static void startServer() {
+ try {
+ serverSocket = new ServerSocket(50100);
+ server = new Server();
+ server.start();
+ } catch (Exception e) {
+ throw new RuntimeException ("Test failed to initialize");
+ }
+ }
+}
diff --git a/test/java/net/URLPermission/nstest/META-INF/services/sun.net.spi.nameservice.NameServiceDescriptor b/test/java/net/URLPermission/nstest/META-INF/services/sun.net.spi.nameservice.NameServiceDescriptor
new file mode 100644
index 000000000..b7527c070
--- /dev/null
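Review bot: In LookupTest.startServer, `new ServerSocket(50100)` binds the wildcard address, so the test's HTTP stub is reachable from other hosts while the test runs, although its only expected client is the loopback connection for allowedAndFound.com (mapped to 127.0.0.1). Bind it to loopback with `serverSocket = new ServerSocket(50100, 0, InetAddress.getLoopbackAddress());`. The catch block in the same method also discards the cause, and `throw new RuntimeException("Test failed to initialize", e);` would make a port-in-use failure recognisable. That matters because the port number is fixed by the policy file.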
+++ b/test/java/net/URLPermission/nstest/META-INF/services/sun.net.spi.nameservice.NameServiceDescriptor
@@ -0,0 +1,22 @@
+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+
+SimpleNameServiceDescriptor # name service provider descriptor
diff --git a/test/java/net/URLPermission/nstest/SimpleNameService.java b/test/java/net/URLPermission/nstest/SimpleNameService.java
new file mode 100644
index 000000000..9d584558b
--- /dev/null
+++ b/test/java/net/URLPermission/nstest/SimpleNameService.java
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * A simple name service based on an in-memory HashMap.
+ */
+import java.net.UnknownHostException;
+import java.net.InetAddress;
+import sun.net.spi.nameservice.*;
+import java.util.*;
+
+public final class SimpleNameService implements NameService {
+
+ private static LinkedHashMap hosts = new LinkedHashMap();
+
+ private static String addrToString(byte addr[]) {
+ return Byte.toString(addr[0]) + "." +
+ Byte.toString(addr[1]) + "." +
+ Byte.toString(addr[2]) + "."
+ + Byte.toString(addr[3]);
+ }
+
+ // ------------
+
+ public static void put(String host, String addr) {
+ hosts.put(host, addr);
+ }
+
+ public static void put(String host, byte addr[]) {
+ hosts.put(host, addrToString(addr));
+ }
+
+ public static void remove(String host) {
+ hosts.remove(host);
+ }
+
+ public static int entries () {
+ return hosts.size();
+ }
+
+ public static int lookupCalls() {
+ return lookupCalls;
+ }
+
+ static int lookupCalls = 0;
+
+ // ------------
+
+ public SimpleNameService() throws Exception {
+ }
+
+ public InetAddress[] lookupAllHostAddr(String host) throws UnknownHostException {
+
+ lookupCalls ++;
+
+ String value = (String)hosts.get(host);
+ if (value == null) {
+ throw new UnknownHostException(host);
+ }
+ StringTokenizer st = new StringTokenizer(value, ".");
+ byte addr[] = new byte[4];
+ for (int i=0; i<4; i++) {
+ addr[i] = (byte)Integer.parseInt(st.nextToken());
+ }
+ InetAddress[] res = new InetAddress[1];
+ res[0] = InetAddress.getByAddress(host, addr);
+ return res;
+ }
+
+ public String getHostByAddr(byte[] addr) throws UnknownHostException {
+ String addrString = addrToString(addr);
+ Iterator i = hosts.keySet().iterator();
+ while (i.hasNext()) {
+ String host = (String)i.next();
+ String value = (String)hosts.get(host);
+ if (value.equals(addrString)) {
+ return host;
+ }
+ }
+ throw new UnknownHostException();
+ }
+}
diff --git a/test/java/net/URLPermission/nstest/SimpleNameServiceDescriptor.java b/test/java/net/URLPermission/nstest/SimpleNameServiceDescriptor.java
new file mode 100644
index 000000000..373d10b2d
--- /dev/null
+++ b/test/java/net/URLPermission/nstest/SimpleNameServiceDescriptor.java
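Review bot: SimpleNameService.addrToString formats each octet with `Byte.toString`, which is signed, so any octet above 127 is rendered as a negative number. `getHostByAddr` then cannot match an entry stored in dotted form by `put(String, String)`, and `put(String, byte[])` stores a string such as `-56.0.0.1` (constructed example). The addresses LookupTest registers (127.0.0.1 and 99.99.99.99) stay below that limit, which is why the test does not hit it. Mask each octet instead, e.g. `return (addr[0] & 0xff) + "." + (addr[1] & 0xff) + "." + (addr[2] & 0xff) + "." + (addr[3] & 0xff);`.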
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * Descriptor for the simple name service
+ */
+import sun.net.spi.nameservice.*;
+
+public final class SimpleNameServiceDescriptor implements NameServiceDescriptor {
+ /**
+ * Create a new instance of the corresponding name service.
+ */
+ public NameService createNameService() throws Exception {
+ return new SimpleNameService();
+ }
+
+ /**
+ * Returns this service provider's name
+ *
+ */
+ public String getProviderName() {
+ return "sun";
+ }
+
+ /**
+ * Returns this name service type
+ * "dns" "nis" etc
+ */
+ public String getType() {
+ return "simple";
+ }
+}
diff --git a/test/java/net/URLPermission/nstest/policy b/test/java/net/URLPermission/nstest/policy
new file mode 100644
index 000000000..967af68d0
--- /dev/null
+++ b/test/java/net/URLPermission/nstest/policy
@@ -0,0 +1,41 @@
+//
+// Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+// DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+//
+// This code is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License version 2 only, as
+// published by the Free Software Foundation.
+//
+// This code is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+// version 2 for more details (a copy is included in the LICENSE file that
+// accompanied this code).
+//
+// You should have received a copy of the GNU General Public License version
+// 2 along with this work; if not, write to the Free Software Foundation,
+// Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+// or visit www.oracle.com if you need additional information or have any
+// questions.
+//
+
+grant {
+ permission java.net.URLPermission "http://allowedAndFound.com:50100/-", "*:*";
+ permission java.net.URLPermission "http://allowedButNotfound.com:50100/-", "*:*";
+
+ // needed for HttpServer
+ permission "java.net.SocketPermission" "localhost:1024-", "resolve,accept";
+};
+
+// Normal permissions that aren't granted when run under jtreg
+
+grant codeBase "file:${{java.ext.dirs}}/*" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:${{java.home}}/jre/lib/rt.jar" {
+ permission java.security.AllPermission;
+};
+
--
GitLab
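Review bot: The comment `// needed for HttpServer` on the SocketPermission grant does not match this commit, because LookupTest starts a plain `ServerSocket` on port 50100 rather than an HttpServer. Suggest `// needed for the test's ServerSocket to accept the loopback connection`. The first grant block has no codeBase, so it applies to all code in the test VM. A one-line comment saying this is deliberate for the test would stop the file from being copied as a template.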