This post was originally published on ECN.
If you are not familiar with apache httpd’s mod_rewrite and regexps, please do not read this post.
Problem
When EMC releases new UCF fixes intended to provide compatibility with the corresponding JRE security fixes, they completely miss the fact that customers are unable to perform JRE updates for all business users at the same time. So IT personnel have to choose the lesser of two evils: either some users suffer, or all users stay with a vulnerable JRE. Moreover, sometimes I can’t understand what EMC is doing (see also: Dumb UCF applet, Dumb UCF applet. Part II, UCF applet’s certificate expired… ORLY?).
Solution
First we need to understand which files EMC changes from one point fix to another (it’s very simple for me because I download every new point fix to check that EMC still has not fixed 30 security issues). Typically they change the wdk/system/ucfinit.jar and wdk/fileselector/fileSelector.jar files, but ucfinit.jar contains checksums for some files in the wdk/contentXfer directory, so ucfinit.jar is in general not interchangeable between point fixes. The major changes in webtop 6.7SP2 were as follows (actually, I double-checked the 1.7_45 and 1.7_25 versions and can say with certainty that the patch notes lie: for both versions the security settings must be relaxed to get UCF working):
- P11 – JRE1.7_51 support
- P07 – JRE1.7_45 support
- P05 – JRE1.7_25 support
- P02 – JRE1.7_21 support
That means that the following filesets are consistent:
- wdk/system/ucfinit.jar, wdk/fileselector/fileSelector.jar, wdk/contentXfer from P11 for JRE1.7_51
- wdk/system/ucfinit.jar, wdk/fileselector/fileSelector.jar, wdk/contentXfer from P10 for JRE1.7_45
- wdk/system/ucfinit.jar, wdk/fileselector/fileSelector.jar, wdk/contentXfer from P06 for JRE1.7_25
- wdk/system/ucfinit.jar, wdk/fileselector/fileSelector.jar, wdk/contentXfer from P04 for JRE1.7_21
For filesets 2-4 I created the following structure inside the wdk directory:
JRE17_21
├── contentXfer
│   ├── All-MB.jar
│   ├── ES1_MRE.exe
│   ├── ExJNIAPI.dll
│   ├── ExJNIAPIGateway.jar
│   ├── jacob.dll
│   ├── jacob.jar
│   ├── libMacOSXForkerIO.jnilib
│   ├── MacOSXForker.jar
│   ├── mac_utilities.jar
│   ├── ucf-ca-office-auto.jar
│   ├── ucf-client-installer.zip
│   └── UCFWin32JNI.dll
├── fileselector
│   └── fileSelector.jar
└── system
    └── ucfinit.jar
JRE17_25
├── contentXfer
│   ├── All-MB.jar
│   ├── ES1_MRE.exe
│   ├── ExJNIAPI.dll
│   ├── ExJNIAPIGateway.jar
│   ├── jacob.dll
│   ├── jacob.jar
│   ├── libMacOSXForkerIO.jnilib
│   ├── MacOSXForker.jar
│   ├── mac_utilities.jar
│   ├── ucf-ca-office-auto.jar
│   ├── ucf-client-installer.zip
│   └── UCFWin32JNI.dll
├── fileselector
│   └── fileSelector.jar
└── system
    └── ucfinit.jar
JRE17_45
├── contentXfer
│   ├── All-MB.jar
│   ├── ES1_MRE.exe
│   ├── ExJNIAPI.dll
│   ├── ExJNIAPIGateway.jar
│   ├── jacob.dll
│   ├── jacob.jar
│   ├── libMacOSXForkerIO.jnilib
│   ├── MacOSXForker.jar
│   ├── mac_utilities.jar
│   ├── ucf-ca-office-auto.jar
│   ├── ucf-client-installer.zip
│   └── UCFWin32JNI.dll
├── fileselector
│   └── fileSelector.jar
└── system
    └── ucfinit.jar
Then I put urlrewritefilter-4.0.3.jar (http://tuckey.org/urlrewrite/) into the WEB-INF/lib directory and added the following lines to web.xml:
<filter>
    <filter-name>UrlRewriteFilter</filter-name>
    <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
    <init-param>
        <param-name>modRewriteConf</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>UrlRewriteFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
and finally put the following .htaccess file into the WEB-INF directory:
RewriteCond %{HTTP_USER_AGENT} Java/1\.7\.0_21
RewriteRule ^/(_[^/]/[^/]*?-[^/]*?/)?wdk/(system/ucfinit\.jar|fileselector/fileSelector\.jar|contentXfer/(All-MB\.jar|ES1_MRE\.exe|ExJNIAPI\.dll|ExJNIAPIGateway\.jar|jacob\.dll|jacob\.jar|libMacOSXForkerIO\.jnilib|libUCFLinuxGNOME\.so|libUCFLinuxJNI\.so|libUCFLinuxKDE\.so|libUCFSolarisGNOME\.so|libUCFSolarisJNI\.so|MacOSXForker\.jar|mac_utilities\.jar|ucf-ca-office-auto\.jar|ucf-client-installer\.zip|UCFWin32JNI\.dll))$ /wdk/JRE17_21/$2 [PT,L]

RewriteCond %{HTTP_USER_AGENT} Java/1\.7\.0_25
RewriteRule ^/(_[^/]/[^/]*?-[^/]*?/)?wdk/(system/ucfinit\.jar|fileselector/fileSelector\.jar|contentXfer/(All-MB\.jar|ES1_MRE\.exe|ExJNIAPI\.dll|ExJNIAPIGateway\.jar|jacob\.dll|jacob\.jar|libMacOSXForkerIO\.jnilib|libUCFLinuxGNOME\.so|libUCFLinuxJNI\.so|libUCFLinuxKDE\.so|libUCFSolarisGNOME\.so|libUCFSolarisJNI\.so|MacOSXForker\.jar|mac_utilities\.jar|ucf-ca-office-auto\.jar|ucf-client-installer\.zip|UCFWin32JNI\.dll))$ /wdk/JRE17_25/$2 [PT,L]

RewriteCond %{HTTP_USER_AGENT} Java/1\.7\.0_45
RewriteRule ^/(_[^/]/[^/]*?-[^/]*?/)?wdk/(system/ucfinit\.jar|fileselector/fileSelector\.jar|contentXfer/(All-MB\.jar|ES1_MRE\.exe|ExJNIAPI\.dll|ExJNIAPIGateway\.jar|jacob\.dll|jacob\.jar|libMacOSXForkerIO\.jnilib|libUCFLinuxGNOME\.so|libUCFLinuxJNI\.so|libUCFLinuxKDE\.so|libUCFSolarisGNOME\.so|libUCFSolarisJNI\.so|MacOSXForker\.jar|mac_utilities\.jar|ucf-ca-office-auto\.jar|ucf-client-installer\.zip|UCFWin32JNI\.dll))$ /wdk/JRE17_45/$2 [PT,L]
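A way to check the three rules before deploying them, as an added example (not part of the original post or of UrlRewriteFilter): the Python below re-evaluates the same patterns against sample requests and lists the rewrite targets whose file does not appear in the directory listing above. The sample paths and User-Agent strings are constructed, and it assumes the path passed in is the one the filter matches against.

```python
import re

# contentXfer files shown in the JRE17_* directory listing on this page.
LISTED = ["All-MB.jar", "ES1_MRE.exe", "ExJNIAPI.dll", "ExJNIAPIGateway.jar",
          "jacob.dll", "jacob.jar", "libMacOSXForkerIO.jnilib",
          "MacOSXForker.jar", "mac_utilities.jar", "ucf-ca-office-auto.jar",
          "ucf-client-installer.zip", "UCFWin32JNI.dll"]
# Additional names that appear only in the RewriteRule alternation.
RULE_ONLY = ["libUCFLinuxGNOME.so", "libUCFLinuxJNI.so", "libUCFLinuxKDE.so",
             "libUCFSolarisGNOME.so", "libUCFSolarisJNI.so"]

RULE = re.compile(
    r"^/(_[^/]/[^/]*?-[^/]*?/)?wdk/(system/ucfinit\.jar"
    r"|fileselector/fileSelector\.jar|contentXfer/("
    + "|".join(re.escape(name) for name in LISTED + RULE_ONLY) + r"))$")
# One (RewriteCond pattern, target directory) pair per rule, in file order.
CONDITIONS = [(re.compile(r"Java/1\.7\.0_" + u), "JRE17_" + u)
              for u in ("21", "25", "45")]


def rewrite(path, user_agent):
    """Return the path served after the rules run; unchanged if none fires."""
    match = RULE.search(path)
    if match is None:
        return path
    for condition, directory in CONDITIONS:
        if condition.search(user_agent):  # RewriteCond patterns are unanchored
            return "/wdk/%s/%s" % (directory, match.group(2))
    return path


def rewritten_but_not_listed(update="21"):
    """Rewrite targets whose file is absent from the page's directory listing."""
    agent = "Java/1.7.0_" + update
    return [rewrite("/wdk/contentXfer/" + name, agent) for name in RULE_ONLY]


# Constructed sample requests: (path, User-Agent).
SAMPLES = [
    ("/wdk/system/ucfinit.jar", "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21"),
    ("/_0/abc-123/wdk/contentXfer/jacob.dll", "Java/1.7.0_45"),
    ("/wdk/system/ucfinit.jar", "Java/1.7.0_51"),      # no rule: default files
    ("/wdk/contentXfer/other.jar", "Java/1.7.0_25"),   # not in the file list
    ("/wdk/system/ucfinit.jar", "Java/1.7.0_211"),     # also matches the _21 rule
]

if __name__ == "__main__":
    for path, agent in SAMPLES:
        print("%-40s %-45s -> %s" % (path, agent, rewrite(path, agent)))
    print("not in listing:", rewritten_but_not_listed())
```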
And now I have a webtop build that is compatible with four JRE security baselines. What about yours?!