Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8120049

Missing doPrivileged calls in CSS initialization leads to exceptions in untrusted apps

    Details

      Description

      If the Control class is initialized from an untrusted code, it will throw a SecurityException.

      This can happen when running an unsigned app as an applet or javaws application with a custom preloader that does not use any controls. In this case, I get the following exception:

      java.lang.ExceptionInInitializerError
              at applifecycle.SingleStageRelaunch.start(SingleStageRelaunch.java:37)
              at com.sun.javafx.applet.FXApplet2$1.run(FXApplet2.java:131)
              at com.sun.javafx.application.PlatformImpl$3.run(PlatformImpl.java:111)
              at com.sun.glass.ui.win.WinApplication._runLoop(Native Method)
              at com.sun.glass.ui.win.WinApplication.access$100(WinApplication.java:29)
              at com.sun.glass.ui.win.WinApplication$1$1.run(WinApplication.java:49)
              at java.lang.Thread.run(Unknown Source)
      Caused by: java.lang.NullPointerException
              at javafx.scene.control.Control.<clinit>(Control.java:75)
              ... 7 more

      The offending code is:

          static {
              // Ensures that the caspian.css file is set as the user agent style sheet
              // when the first control is created.
              java.net.URL url = SkinBase.class.getResource("caspian/caspian.css");
       ----> StyleManager.getInstance().setDefaultUserAgentStylesheet(url.toExternalForm());
          }


      Wrapping this call in a doPrivileged fixes the problem, at least for the simple test case I tried.

        Attachments

        1. RT-16121
          7 kB
        2. RT-16121
          7 kB
        3. TransparentDialog.png
          TransparentDialog.png
          95 kB

          Issue Links

            Activity

              People

              • Assignee:
                dgrieve David Grieve
                Reporter:
                kcr Kevin Rushforth
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Imported: