-rw-r--r-- | ChangeLog | 13 | ||||
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | netx/net/sourceforge/jnlp/NetxPanel.java | 6 | ||||
-rw-r--r-- | netx/net/sourceforge/jnlp/PluginBridge.java | 2 | ||||
-rw-r--r-- | netx/net/sourceforge/jnlp/PluginParameters.java | 12 |
5 files changed, 23 insertions, 11 deletions
@@ -1,3 +1,16 @@ +2013-04-17 Adam Domurad <[email protected]> + Jiri Vanek <[email protected]> + + CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with + same relative-path. + * netx/net/sourceforge/jnlp/PluginParameters.java + (getCodeBase): Removed + (getUniqueKey): Now takes absolute codebase + * netx/net/sourceforge/jnlp/NetxPanel.java: Pass absolute codebase in + getUniqueKey calls. + * netx/net/sourceforge/jnlp/PluginBridge.java: Same. + + 2013-04-17 Jiri Vanek <[email protected]> Fixed gifar vulnereability with automated testcase @@ -18,6 +18,7 @@ New in release 1.4 (2012-XX-XX): * User can select its own JVM via itw-settings and deploy.properties. * Added extended applets security settings and dialogue * Security updates + - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. - CVE-2013-1927, RH884705: fixed gifar vulnerabilit - CVE-2012-3422, RH840592: Potential read from an uninitialized memory location - CVE-2012-3423, RH841345: Incorrect handling of not 0-terminated strings diff --git a/netx/net/sourceforge/jnlp/NetxPanel.java b/netx/net/sourceforge/jnlp/NetxPanel.java index 8a51566..e9647c8 100644 --- a/netx/net/sourceforge/jnlp/NetxPanel.java +++ b/netx/net/sourceforge/jnlp/NetxPanel.java @@ -72,7 +72,7 @@ public class NetxPanel extends AppletViewerPanel implements SplashController { this.parameters = params; - String uniqueKey = params.getUniqueKey(); + String uniqueKey = params.getUniqueKey(getCodeBase()); synchronized(TGMapMutex) { if (!uKeyToTG.containsKey(uniqueKey)) { ThreadGroup tg = new ThreadGroup(Launcher.mainGroup, this.documentURL.toString()); @@ -199,7 +199,7 @@ public class NetxPanel extends AppletViewerPanel implements SplashController { public ThreadGroup getThreadGroup() { synchronized(TGMapMutex) { - return uKeyToTG.get(parameters.getUniqueKey()); + return uKeyToTG.get(parameters.getUniqueKey(getCodeBase())); } } 
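Review bot: The isolation key is now rebuilt from `getCodeBase()` at three separate sites (the constructor in this hunk, `getThreadGroup()` in the @@ -199 hunk and the app-context guard in the @@ -209 hunk), so the ThreadGroup registered under one string is only found again if `getCodeBase()` yields an identical URL on every later call. `getCodeBase()` is inherited and not visible in this diff; if its value can be null or change after construction, the `uKeyToTG.get(...)` lookup returns null and `putIfAbsent` creates a second AppContext for the same applet. Computing the key once into a `private final String uniqueKey` with `this.uniqueKey = params.getUniqueKey(getCodeBase());` and reading that field at the other two sites would pin the key for the panel's lifetime. All three enclosing methods extend beyond their hunks.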
@@ -209,7 +209,7 @@ public class NetxPanel extends AppletViewerPanel implements SplashController { } // only create a new context if one hasn't already been created for the // applets with this unique key. - if (null == appContextCreated.putIfAbsent(parameters.getUniqueKey(), Boolean.TRUE)) { + if (null == appContextCreated.putIfAbsent(parameters.getUniqueKey(getCodeBase()), Boolean.TRUE)) { SunToolkit.createNewAppContext(); } } diff --git a/netx/net/sourceforge/jnlp/PluginBridge.java b/netx/net/sourceforge/jnlp/PluginBridge.java index 98dee8e..d069479 100644 --- a/netx/net/sourceforge/jnlp/PluginBridge.java +++ b/netx/net/sourceforge/jnlp/PluginBridge.java @@ -188,7 +188,7 @@ public class PluginBridge extends JNLPFile { else security = null; - this.uniqueKey = params.getUniqueKey(); + this.uniqueKey = params.getUniqueKey(codebase); usePack = false; useVersion = false; String jargs = params.getJavaArguments(); diff --git a/netx/net/sourceforge/jnlp/PluginParameters.java b/netx/net/sourceforge/jnlp/PluginParameters.java index 06b1b3c..fa4e8fa 100644 --- a/netx/net/sourceforge/jnlp/PluginParameters.java +++ b/netx/net/sourceforge/jnlp/PluginParameters.java @@ -37,6 +37,7 @@ exception statement from your version. */ package net.sourceforge.jnlp; +import java.net.URL; import java.util.Collections; import java.util.Hashtable; import java.util.Map; @@ -97,10 +98,6 @@ public class PluginParameters { } } - public String getCodebase() { - return getDefaulted("codebase", "."); - } - public boolean useCodebaseLookup() { return Boolean.valueOf(getDefaulted("codebase_lookup", "true")); } 
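Review bot: Nothing at the PluginBridge call site `params.getUniqueKey(codebase)` shows that `codebase` is the same resolved URL that `NetxPanel` passes via `getCodeBase()`, yet both must produce identical strings for the key stored in `this.uniqueKey` to match the panel's ThreadGroup and AppContext entries. The assignment of `codebase` lies outside the hunk, so this is something to confirm, not a known mismatch. A comment such as `// codebase: absolute URL resolved against the document; must equal NetxPanel.getCodeBase() so every per-applet map uses one key` would record the invariant. A null `codebase` should also be rejected before this line, since `getUniqueKey` dereferences it.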
@@ -164,7 +161,7 @@ public class PluginParameters { parameters.put("height", Integer.toString(height)); } - public String getUniqueKey() { + public String getUniqueKey(URL codebase) { /* According to http://download.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/applet-compatibility.html, * classloaders are shared iff these properties match: * codebase, cache_archive, java_archive, archive @@ -173,8 +170,9 @@ public class PluginParameters { * always in the same order. The initial "<NAME>=" parts ensure a * bad tag cannot trick the loader into getting shared with another. */ - return "codebase=" + getCodebase() + "cache_archive=" + getCacheArchive() + - "java_archive=" + getJavaArchive() + "archive=" + getArchive(); + return "codebase=" + codebase.toExternalForm() + "cache_archive=" + + getCacheArchive() + "java_archive=" + getJavaArchive() + + "archive=" + getArchive(); } /** |
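Review bot: `getUniqueKey(URL codebase)` dereferences its argument unconditionally in `codebase.toExternalForm()`, so a caller that reaches it before the codebase is resolved gets a bare NullPointerException out of key construction. The precondition should be stated and enforced, e.g. `if (codebase == null) throw new IllegalArgumentException("codebase must be resolved before building the class-loader key");`. The block comment should gain one sentence saying the codebase component is the resolved absolute URL and never the raw `codebase` attribute, because the relative value can be identical for unrelated documents, which is the sharing the ChangeLog entry describes. Separately, the four fields are still joined with no delimiter, so uniqueness depends on the `<NAME>=` labels never occurring inside a value; a separator that cannot appear in a URL or archive list would make that guarantee structural. The `/**` at the end of the hunk belongs to the next member.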