JDK-6691503 : Malicious applet can show always-on-top popup menu which has whole screen size
  • Type: Bug
  • Component: client-libs
  • Sub-Component: javax.swing
  • Affected Version: 7
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2008-04-21
  • Updated: 2015-03-17
  • Resolved: 2008-04-30
JDK 7: 7 b27 (Fixed)
Description
There is an oversight in the fix for 6675802. It allows a malicious applet to show an always-on-top popup menu which has the whole screen size. A code example is below:
=== Source Begin ===
import javax.swing.*;
import java.awt.*;

public class MaliciousApplet extends JApplet {
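    public void start() {
        // Build an ordinary one-item popup menu.
        JPopupMenu popupMenu = new JPopupMenu();
        popupMenu.add(new JMenuItem("Click"));

        // Resize the popup to the full screen dimensions.
        Dimension screenSize = Toolkit.getDefaultToolkit().getScreenSize();
        popupMenu.setPopupSize(screenSize);

        // Show with no invoker at the screen origin; before the fix the popup
        // window was made always-on-top via doPrivileged even for an applet.
        popupMenu.show(null, 0, 0);
    }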
}
=== Source End ===

Comments
WORK AROUND There are no workarounds.
23-04-2008

SUGGESTED FIX src/share/classes/javax/swing/Popup.java @@ -227,19 +227,16 @@ setFocusableWindowState(false); setName("###overrideRedirect###"); // Popups are typically transient and most likely won't benefit // from true double buffering. Turn it off here. getRootPane().setUseTrueDoubleBuffering(false); - java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction<Object>() { - public Object run() { + try { setAlwaysOnTop(true); - return null; + } catch (SecurityException se) { + // igonre } } - ); - } public void update(Graphics g) { paint(g); }
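Review bot: The new catch (SecurityException se) block is empty and its only comment is the misspelled "// igonre". With the doPrivileged wrapper removed, setAlwaysOnTop(true) runs with the caller's permissions, so this catch is the path untrusted code now takes and the deliberate fallback deserves a real explanation. Suggest replacing the comment with something like "// caller may not set always-on-top (e.g. an applet): keep the popup as a normal window", so a later cleanup does not restore the privileged call or turn the swallowed exception into a failure.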
22-04-2008

EVALUATION OK, we can always try to do setAlwaysOnTop() and catch the exception for applets. I think it shouldn't slow down the code noticeably.
22-04-2008

EVALUATION In general it is not easy to determine whether one is running in the context of an applet as opposed to an application.
21-04-2008

EVALUATION The changes in the Popup class added by the fix for 6580930 were intended for allowing a popup menu to overlap the Windows task bar. It is important for tray icons. However, popup menus in applets don't need to overlap the task bar. Hence, setAlwaysOnTop() in the Popup class can be called only for applications, but not for applets. The fix idea is to avoid calling setAlwaysOnTop() in the Popup class for applets, but do it for standalone applications.
21-04-2008