- Ensure that when files are extracted that their fully resolved path lies

in or below the current working directory. Fixes a security problem with jar. From FreeBSD. - Fix timezone issues. Allow /etc/localtime to be a symlink and fix the case where /etc/localtime points to a tz that the jdk doesn't know about. - timezone is a function on BSD, not a variable, so move the timezone == 0 check to the non-BSD section. from millert@
2005-06-03 20:36:07 +00:00 · 2005-06-03 20:36:07 +00:00 · 7d765564c2
commit 7d765564c2
parent 02f51a6cd8
4 changed files with 177 additions and 3 deletions
--- a/devel/jdk/1.5/Makefile
+++ b/devel/jdk/1.5/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.2 2005/05/27 09:34:01 espie Exp $
+# $OpenBSD: Makefile,v 1.3 2005/06/03 20:36:07 kurt Exp $

 ONLY_FOR_ARCHS= 	i386

@ -6,8 +6,8 @@ COMMENT=		"Java2(TM) Standard Edition Dev Kit v${V}"
 COMMENT-jre=		"Java2(TM) Standard Edition Runtime Environment v${V}"
 V=			1.5.0
 DISTNAME=		jdk-1_5_0
-PKGNAME=		jdk-${V}
-PKGNAME-jre=		jre-${V}
+PKGNAME=		jdk-${V}p0
+PKGNAME-jre=		jre-${V}p0

 CATEGORIES=		devel/jdk java

--- a/devel/jdk/1.5/patches/patch-j2se_src_share_classes_sun_tools_jar_Main_java
+++ b/devel/jdk/1.5/patches/patch-j2se_src_share_classes_sun_tools_jar_Main_java
@ -0,0 +1,53 @@
+$OpenBSD: patch-j2se_src_share_classes_sun_tools_jar_Main_java,v 1.1 2005/06/03 20:36:08 kurt Exp $
+--- j2se/src/share/classes/sun/tools/jar/Main.java.orig	Tue Oct 19 14:58:45 2004
+++ j2se/src/share/classes/sun/tools/jar/Main.java	Thu Jun  2 15:32:28 2005
+@@ -31,6 +31,7 @@ class Main {
+     Hashtable filesTable = new Hashtable();
+     Vector paths = new Vector();
+     Vector v;
+    String cwd;
+     CRC32 crc32 = new CRC32();
+     /* cflag: create
+      * uflag: update       
+@@ -670,6 +671,19 @@ class Main {
+      * Extracts specified entries from JAR file.
+      */
+     void extract(InputStream in, String files[]) throws IOException {
+    	// Current working directory
+
+	cwd = System.getProperty("user.dir");
+	if (cwd == null) {
+            fatalError(getMsg("error.no.cwd"));
+	}
+	cwd = (new File(cwd)).getCanonicalPath();
+	if (!cwd.endsWith(File.separator)) {
+	    cwd += File.separator;
+	}
+
+	// Extract the files
+
+ 	ZipInputStream zis = new ZipInputStream(in);
+ 	ZipEntry e;
+ 	while ((e = zis.getNextEntry()) != null) {
+@@ -694,6 +708,10 @@ class Main {
+     void extractFile(ZipInputStream zis, ZipEntry e) throws IOException {
+         String name = e.getName();
+ 	File f = new File(e.getName().replace('/', File.separatorChar));
+	if (!f.getCanonicalPath().startsWith(cwd)) {
+ 	    output(formatMsg("out.ignore.entry", name));
+	    return;
+	}
+ 	if (e.isDirectory()) {
+ 	    if (!f.exists() && !f.mkdirs() || !f.isDirectory()) {
+ 		throw new IOException(formatMsg("error.create.dir", f.getPath()));
+@@ -704,6 +722,10 @@ class Main {
+ 	} else {
+ 	    if (f.getParent() != null) {
+ 		File d = new File(f.getParent());
+		if (!d.getCanonicalPath().startsWith(cwd)) {
+	 	    output(formatMsg("out.ignore.entry", name));
+		    return;
+		}
+ 		if (!d.exists() && !d.mkdirs() || !d.isDirectory()) {
+ 		    throw new IOException(formatMsg("error.create.dir", d.getPath()));
+ 		}
--- a/devel/jdk/1.5/patches/patch-j2se_src_share_classes_sun_tools_jar_resources_jar_properties
+++ b/devel/jdk/1.5/patches/patch-j2se_src_share_classes_sun_tools_jar_resources_jar_properties
@ -0,0 +1,12 @@
+$OpenBSD: patch-j2se_src_share_classes_sun_tools_jar_resources_jar_properties,v 1.1 2005/06/03 20:36:08 kurt Exp $
+--- j2se/src/share/classes/sun/tools/jar/resources/jar.properties.orig	Tue Oct 19 14:58:45 2004
+++ j2se/src/share/classes/sun/tools/jar/resources/jar.properties	Thu Jun  2 15:33:37 2005
+@@ -30,6 +30,8 @@ error.create.dir=\
+         {0} : could not create directory
+ error.incorrect.length=\
+         incorrect length while processing: {0}
+error.no.cwd=\
+	{0} : could not determine current working directory
+ out.added.manifest=\
+         added manifest
+ out.update.manifest=\
--- a/devel/jdk/1.5/patches/patch-j2se_src_solaris_native_java_util_TimeZone_md_c
+++ b/devel/jdk/1.5/patches/patch-j2se_src_solaris_native_java_util_TimeZone_md_c
@ -0,0 +1,109 @@
+$OpenBSD: patch-j2se_src_solaris_native_java_util_TimeZone_md_c,v 1.1 2005/06/03 20:36:08 kurt Exp $
+--- j2se/src/solaris/native/java/util/TimeZone_md.c.orig	Thu Jun  2 15:16:06 2005
+++ j2se/src/solaris/native/java/util/TimeZone_md.c	Thu Jun  2 15:16:30 2005
+@@ -38,7 +38,7 @@ static const char *sysconfig_clock_file 
+ #endif
+ 
+ static const char *zoneinfo_dir = "/usr/share/zoneinfo";
+-static const char *defailt_zoneinfo_file = "/etc/localtime";
+static const char *default_zoneinfo_file = "/etc/localtime";
+ 
+ /*
+  * Returns a point to the zone ID portion of the given zoneinfo file
+@@ -181,6 +181,7 @@ getPlatformTimeZoneID()
+     int fd;
+     char *buf;
+     size_t size;
+    char zoneinfo_file[PATH_MAX+1];
+ 
+ #ifdef __linux__
+     /*
+@@ -242,11 +243,13 @@ getPlatformTimeZoneID()
+     /*
+      * Next, try /etc/localtime to find the zone ID.
+      */
+-    if (lstat(defailt_zoneinfo_file, &statbuf) == -1) {
+    if (lstat(default_zoneinfo_file, &statbuf) == -1) {
+ 	return NULL;
+     }
+ 
+-#ifdef __linux__
+    strlcpy(zoneinfo_file, default_zoneinfo_file, PATH_MAX+1);
+
+#if defined(__linux__) || defined(_ALLBSD_SOURCE)
+     /*
+      * If it's a symlink, get the link name and its zone ID part. (The
+      * older versions of timeconfig created a symlink as described in
+@@ -255,22 +258,25 @@ getPlatformTimeZoneID()
+      * from /etc/localtime.)
+      */
+     if (S_ISLNK(statbuf.st_mode)) {
+-	char linkbuf[PATH_MAX+1];
+ 	int len;
+ 
+-	if ((len = readlink(defailt_zoneinfo_file, linkbuf, sizeof(linkbuf)-1)) == -1) {
+	if ((len = readlink(default_zoneinfo_file, zoneinfo_file, sizeof(zoneinfo_file)-1)) == -1) {
+ 	    jio_fprintf(stderr, (const char *) "can't get a symlink of %s\n",
+-			defailt_zoneinfo_file);
+			default_zoneinfo_file);
+ 	    return NULL;
+ 	}
+-	linkbuf[len] = '\0';
+-	tz = getZoneName(linkbuf);
+	zoneinfo_file[len] = '\0';
+	tz = getZoneName(zoneinfo_file);
+ 	if (tz != NULL) {
+ 	    tz = strdup(tz);
+	    return tz;
+	} else {
+	    if (lstat(zoneinfo_file, &statbuf) == -1) {
+		return NULL;
+	    }
+ 	}
+-	return tz;
+     }
+-#endif /* __linux__ */
+#endif /* __linux__ || _ALLBSD_SOURCE */
+ 
+     /*
+      * If it's a regular file, we need to find out the same zoneinfo file
+@@ -281,7 +287,7 @@ getPlatformTimeZoneID()
+     if (buf == NULL) {
+ 	return NULL;
+     }
+-    if ((fd = open(defailt_zoneinfo_file, O_RDONLY)) == -1) {
+    if ((fd = open(zoneinfo_file, O_RDONLY)) == -1) {
+ 	free((void *) buf);
+ 	return NULL;
+     }
+@@ -554,24 +560,21 @@ getGMTOffsetID()
+     time_t clock;
+ #endif
+ 
+-    if (timezone == 0) {
+-	return strdup("GMT");
+-    }
+-
+-    /* Note that the time offset direction is opposite. */
+ #if defined(_ALLBSD_SOURCE)
+     clock = time(NULL);
+     tzset();
+     local_tm = localtime(&clock);
+-    if (local_tm->tm_gmtoff > 0) {
+    if (local_tm->tm_gmtoff >= 0) {
+ 	offset = (time_t) local_tm->tm_gmtoff;
+-	sign = "-";
+	sign = "+";
+     } else {
+ 	offset = (time_t) -local_tm->tm_gmtoff;
+-	sign = "+";
+	sign = "-";
+     }
+ #else
+-    if (timezone > 0) {
+    if (timezone == 0) {
+	return strdup("GMT");
+    } else if (timezone > 0) {
+ 	offset = timezone;
+ 	sign = '-';
+     } else {