RH718170, CVE-2011-2514: Java Web Start security warning dialog manipulation

2 files changed, 6 insertions, 3 deletions

diff --git a/netx/net/sourceforge/jnlp/services/XExtendedService.java b/netx/net/sourceforge/jnlp/services/XExtendedService.java
index f03c199..1ac6ed8 100644
--- a/netx/net/sourceforge/jnlp/services/XExtendedService.java
+++ b/netx/net/sourceforge/jnlp/services/XExtendedService.java
@@ -34,10 +34,12 @@ public class XExtendedService implements ExtendedService {
 
     public FileContents openFile(File file) throws IOException {
 
+        File secureFile = new File(file.getPath());
+
         /* FIXME: this opens a file with read/write mode, not just read or write */
-        if (ServiceUtil.checkAccess(AccessType.READ_FILE, new Object[] { file.getAbsolutePath() })) {
+        if (ServiceUtil.checkAccess(AccessType.READ_FILE, new Object[] { secureFile.getAbsolutePath() })) {
             return (FileContents) ServiceUtil.createPrivilegedProxy(FileContents.class,
-                    new XFileContents(file));
+                    new XFileContents(secureFile));
         } else {
             return null;
         }
diff --git a/netx/net/sourceforge/jnlp/services/XFileContents.java b/netx/net/sourceforge/jnlp/services/XFileContents.java
index 5e8fed6..de1fe53 100644
--- a/netx/net/sourceforge/jnlp/services/XFileContents.java
+++ b/netx/net/sourceforge/jnlp/services/XFileContents.java
@@ -34,7 +34,8 @@ class XFileContents implements FileContents {
      * Create a file contents implementation for the file.
      */
     protected XFileContents(File file) {
-        this.file = file;
+        // create a safe copy
+        this.file = new File(file.getPath());
     }
 
     /**