Changes of Revision 20
_service:tar_scm:eclipse.spec
Changed
@@ -1,4 +1,4 @@ -%global bootstrap 0 +%global bootstrap 1 %global eb_commit c985e357223668b4bc1fb76ea6b9e0c12829b7e8 %global eclipse_rel %{version}RC2 %global eclipse_tag S-%{eclipse_rel}-201903070500 @@ -402,6 +402,7 @@ %mvn_package "org.eclipse.ui:org.eclipse.ui.{views.log,trace}" pde %mvn_package "org.eclipse.sdk{,.feature}:" sdk %mvn_package ":" __noinstall +sed -i 's/-O -g -Wall -fPIC/-O -g -Wall -fPIC -pie -Wl,-z,relro -Wl,-z,now -fstack-protector-strong/g' eclipse.platform.swt/bundles/org.eclipse.swt/Eclipse\ SWT\ PI/gtk/library/build.sh %build export CFLAGS="%{optflags}" @@ -764,6 +765,13 @@ * Wed May 30 2023 Xiang Zhang <zhangxiang@iscas.ac.cn> - 1:4.11-7 - Add riscv64 support +* Tue Feb 21 2023 liyanan <liyanan32@h-partners.com> - 1:4.11-8 +- Add security compile options pie, relro and -fstack-protector-strong +- Add glassfish-jsp and glassfish-servlet-api and glassfish-el-api version limit + +* Thu Jul 14 2022 wangkai <wangkai385@h-partners.com> - 1:4.11-7 +- Fix CVE-2020-27225 + * Tue Jun 21 2022 baizhonggui <baizhonggui@h-partners.com> - 1:4.11-6 - fixed objectweb.asm version limit
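Review bot: The flip of `%global bootstrap` from 0 to 1 in the first hunk is not mentioned in the new changelog entry, which lists only the hardening flags and the glassfish version limits. What the bootstrap switch gates is outside the hunks shown (in Eclipse packaging it usually disables parts of the build that need the package itself already installed), so either document it in the changelog line or confirm it was not left on by accident. A comment such as `# bootstrap 1: <what is skipped and why>` next to the define would also help the next maintainer.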
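Review bot: The `sed -i` added before `%build` substitutes a fixed flag string in SWT's `build.sh`, and sed reports success even when the pattern matches nothing, so if that string ever changes the hardening flags are silently dropped. Make the build fail loudly instead, e.g. follow it with `grep -q -- '-fstack-protector-strong' 'eclipse.platform.swt/bundles/org.eclipse.swt/Eclipse SWT PI/gtk/library/build.sh' || exit 1`. Note also that `-pie` is an executable link flag: the SWT build produces JNI shared objects, where `-fPIC` already gives position independence and `-pie` is ignored or conflicts with `-shared` depending on the toolchain, so `-Wl,-z,relro -Wl,-z,now -fstack-protector-strong` are the flags that actually apply to a `.so`. Since `CFLAGS` is exported from `%{optflags}` on the next line, it is also worth checking whether the distribution defaults already carry these before patching the script.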
_service:tar_scm:Add_riscv64_support.patch
Added
_service:tar_scm:CVE-2020-27225.patch
Added
@@ -0,0 +1,354 @@ +From 28aac2514656c669ffa16acb996c77def3d4a8d4 Mon Sep 17 00:00:00 2001 +From: Andrew Johnson +Date: Tue, 16 Feb 2021 21:40:49 +0000 +Subject: 569855: Fix for Eclipse live help. - Use tokens - Backport to + R4_11_maintenance branch + +Change-Id: I09cee753dc24d55a2704b80ae13d392d233aac0d +Task-Url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=569855 +Signed-off-by: Andrew Johnson <andrew_johnson@uk.ibm.com>(cherry picked from commit 90661664f30d4e1225e4a68b179c6ee110cd7f75) +Also-by: Niraj Modi <niraj.modi@in.ibm.com> +--- + org.eclipse.help.base/META-INF/MANIFEST.MF | 2 +- + org.eclipse.help.base/pom.xml | 2 +- + .../eclipse/help/internal/base/BaseHelpSystem.java | 29 ++++++++++++- + .../eclipse/help/internal/base/HelpDisplay.java | 10 ++++- + org.eclipse.help.webapp/META-INF/MANIFEST.MF | 2 +- + org.eclipse.help.webapp/advanced/livehelp_js.jsp | 12 +++++- + org.eclipse.help.webapp/index.jsp | 32 ++++++++++++--- + org.eclipse.help.webapp/pom.xml | 2 +- + .../help/internal/webapp/data/LayoutData.java | 7 +++- + .../internal/webapp/servlet/LiveHelpServlet.java | 48 +++++++++++++++++++++- + 10 files changed, 129 insertions(+), 17 deletions(-) + +diff --git a/org.eclipse.help.base/META-INF/MANIFEST.MF b/org.eclipse.help.base/META-INF/MANIFEST.MF +index 4ad860070..398a6829a 100644 +--- a/org.eclipse.help.base/META-INF/MANIFEST.MF ++++ b/org.eclipse.help.base/META-INF/MANIFEST.MF +@@ -2,7 +2,7 @@ Manifest-Version: 1.0 + Bundle-ManifestVersion: 2 + Bundle-Name: %help_base_plugin_name + Bundle-SymbolicName: org.eclipse.help.base; singleton:=true +-Bundle-Version: 4.2.500.qualifier ++Bundle-Version: 4.2.501.qualifier + Bundle-Activator: org.eclipse.help.internal.base.HelpBasePlugin + Bundle-Vendor: %providerName + Bundle-Localization: plugin +diff --git a/org.eclipse.help.base/pom.xml b/org.eclipse.help.base/pom.xml +index b90d899f6..36f5145e9 100644 +--- a/org.eclipse.help.base/pom.xml ++++ b/org.eclipse.help.base/pom.xml +@@ -18,7 +18,7 @@ + </parent> + 
<groupId>org.eclipse.help</groupId> + <artifactId>org.eclipse.help.base</artifactId> +- <version>4.2.500-SNAPSHOT</version> ++ <version>4.2.501-SNAPSHOT</version> + <packaging>eclipse-plugin</packaging> + <properties> + <defaultSigning-excludeInnerJars>true</defaultSigning-excludeInnerJars> +diff --git a/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java b/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java +index 2ea5bf807..f9f09ae7a 100644 +--- a/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java ++++ b/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java +@@ -1,5 +1,5 @@ + /******************************************************************************* +- * Copyright (c) 2000, 2018 IBM Corporation and others. ++ * Copyright (c) 2000, 2021 IBM Corporation and others. + * + * This program and the accompanying materials + * are made available under the terms of the Eclipse Public License 2.0 +@@ -15,6 +15,7 @@ package org.eclipse.help.internal.base; + + import java.net.MalformedURLException; + import java.net.URL; ++ + import org.eclipse.core.runtime.CoreException; + import org.eclipse.core.runtime.IProduct; + import org.eclipse.core.runtime.IStatus; +@@ -59,6 +60,7 @@ public final class BaseHelpSystem { + private IBrowser browser; + private IBrowser internalBrowser; + private HelpDisplay helpDisplay = null; ++ private String liveHelpToken = null; + + private BaseHelpSystem() { + super(); +@@ -350,4 +352,29 @@ public final class BaseHelpSystem { + } + } + ++ /** ++ * Check supplied token against stored token. Clears the stored token if ++ * successful. ++ * ++ * @param helpSessionToken ++ * @return true if match successful ++ */ ++ public boolean matchOnceLiveHelpToken(String helpSessionToken) { ++ /* ++ * @FIXME - should we use a constant time comparison, and store/compare a ++ * cryptographic hash? 
++ */ ++ if (liveHelpToken != null && liveHelpToken.equals(helpSessionToken)) { ++ // Enforce one-time use. ++ liveHelpToken = null; ++ return true; ++ } else { ++ return false; ++ } ++ } ++ ++ public void setLiveHelpToken(String helpSessionToken) { ++ liveHelpToken = helpSessionToken; ++ } ++ + } +diff --git a/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java b/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java +index 28ebfd10d..33a0e08fd 100644 +--- a/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java ++++ b/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java +@@ -1,5 +1,5 @@ + /******************************************************************************* +- * Copyright (c) 2000, 2015 IBM Corporation and others. ++ * Copyright (c) 2000, 2021 IBM Corporation and others. + * + * This program and the accompanying materials + * are made available under the terms of the Eclipse Public License 2.0 +@@ -15,6 +15,8 @@ package org.eclipse.help.internal.base; + + import java.io.UnsupportedEncodingException; + import java.net.URLEncoder; ++import java.nio.charset.StandardCharsets; ++import java.util.UUID; + + import org.eclipse.core.runtime.CoreException; + import org.eclipse.core.runtime.IConfigurationElement; +@@ -196,6 +198,12 @@ public class HelpDisplay { + String topic = helpURL.substring("topic=".length()); //$NON-NLS-1$ + helpURL = getHelpDisplay().getHelpForTopic( topic, WebappManager.getHost(), WebappManager.getPort()); + } ++ String basehelp = getBaseURL(); ++ if (BaseHelpSystem.getMode() != BaseHelpSystem.MODE_INFOCENTER && helpURL.startsWith(basehelp)) { ++ String sessid = UUID.randomUUID().toString(); ++ BaseHelpSystem.getInstance().setLiveHelpToken(sessid); ++ helpURL += (helpURL.indexOf('?') < 0 ? '?' 
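Review bot: `matchOnceLiveHelpToken` at the end of this hunk is a check-then-clear on a plain field shared across request threads, so two requests presenting the same token concurrently can both see a match before either nulls it, which defeats the "one-time use" comment; `setLiveHelpToken` races the same way. Declaring both methods `synchronized` (or holding the token in an `AtomicReference` and using `compareAndSet`) closes that. On the `@FIXME`: a constant-time compare is cheap, `MessageDigest.isEqual` on the UTF-8 bytes, and is worth doing since this token is the sole authorization; hashing a single-use random UUID that never leaves memory adds little, so that half of the question can be answered "no" in the comment. `equals` tolerated a null `helpSessionToken`; `isEqual` needs an explicit check, and the rewrite needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported.
```java
	public synchronized boolean matchOnceLiveHelpToken(String helpSessionToken) {
		// Constant-time compare: the token is the only authorization for live help.
		if (liveHelpToken != null && helpSessionToken != null
				&& MessageDigest.isEqual(liveHelpToken.getBytes(StandardCharsets.UTF_8),
						helpSessionToken.getBytes(StandardCharsets.UTF_8))) {
			liveHelpToken = null; // enforce one-time use
			return true;
		}
		return false;
	}

	public synchronized void setLiveHelpToken(String helpSessionToken) {
		liveHelpToken = helpSessionToken;
	}
```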
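Review bot: The `+import java.nio.charset.StandardCharsets;` line in this hunk has no use anywhere in the rest of the patch — the token code added later in this file only needs `UUID` — so it is an unused import that will show up as a warning in Eclipse's default compiler settings. Drop it, or keep it only if the token comparison in `BaseHelpSystem` is changed to a byte-wise constant-time check that actually needs the charset.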
: '&') + "token=" + sessid; //$NON-NLS-1$ ++ } + + BaseHelpSystem.getHelpBrowser(forceExternal) + .displayURL(helpURL); +diff --git a/org.eclipse.help.webapp/META-INF/MANIFEST.MF b/org.eclipse.help.webapp/META-INF/MANIFEST.MF +index 0c85d674e..c943158a6 100644 +--- a/org.eclipse.help.webapp/META-INF/MANIFEST.MF ++++ b/org.eclipse.help.webapp/META-INF/MANIFEST.MF +@@ -2,7 +2,7 @@ Manifest-Version: 1.0 + Bundle-ManifestVersion: 2 + Bundle-Name: %help_webapp_plugin_name + Bundle-SymbolicName: org.eclipse.help.webapp;singleton:=true +-Bundle-Version: 3.9.400.qualifier ++Bundle-Version: 3.9.401.qualifier + Bundle-Activator: org.eclipse.help.internal.webapp.HelpWebappPlugin + Bundle-Vendor: %providerName + Bundle-Localization: plugin +diff --git a/org.eclipse.help.webapp/advanced/livehelp_js.jsp b/org.eclipse.help.webapp/advanced/livehelp_js.jsp +index 23362f89e..6d04945d6 100644 +--- a/org.eclipse.help.webapp/advanced/livehelp_js.jsp ++++ b/org.eclipse.help.webapp/advanced/livehelp_js.jsp +@@ -1,5 +1,5 @@ + <%-- +- Copyright (c) 2000, 2018 IBM Corporation and others. ++ Copyright (c) 2000, 2021 IBM Corporation and others. + + This program and the accompanying materials + are made available under the terms of the Eclipse Public License 2.0 +@@ -47,7 +47,15 @@ function liveActionInternal(topHelpWindow, pluginId, className, argument) + url=url.substring(0, i+1); + var encodedArg=encodeURIComponent(argument); + url=url+"livehelp/?pluginID="+pluginId+"&class="+className+"&arg="+encodedArg+"&nocaching="+Math.random(); +- ++ <% ++ Object token = request.getSession().getAttribute("LSESSION"); //$NON-NLS-1$ ++ // Validate token to protect against XSS ++ if (token instanceof String && ((String)token).matches("a-z0-9-{36}")) {//$NON-NLS-1$) { ++ %> ++ url=url+"&token=<%=token%>"; ++ <% ++ } ++ %> + // we need to find the toolbar frame. + // to do: cleanup this, including the location of the hidden livehelp frame. 
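Review bot: The token is appended to `helpURL` with `indexOf('?') < 0 ? '?' : '&'`, which assumes the URL has no fragment; if a help URL can carry a `#anchor` (topic URLs commonly do), the `?token=` lands inside the fragment, the browser never sends it, and `index.jsp` opens the help without binding the session, so live help later fails with a 403 and no hint why. Insert the query before any `#` instead. The enclosing method starts and ends outside the hunk and `getBaseURL()` is not shown, so whether fragments can reach this point is inferred from the `topic=` handling just above.
```java
			String sessid = UUID.randomUUID().toString();
			BaseHelpSystem.getInstance().setLiveHelpToken(sessid);
			// Keep the token in the query part; anything after '#' is never sent to the server.
			int hash = helpURL.indexOf('#');
			String fragment = hash < 0 ? "" : helpURL.substring(hash); //$NON-NLS-1$
			String withoutFragment = hash < 0 ? helpURL : helpURL.substring(0, hash);
			helpURL = withoutFragment + (withoutFragment.indexOf('?') < 0 ? '?' : '&')
					+ "token=" + sessid + fragment; //$NON-NLS-1$
```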
+ var toolbarFrame = topHelpWindow.HelpFrame.ContentFrame.ContentToolbarFrame; +diff --git a/org.eclipse.help.webapp/index.jsp b/org.eclipse.help.webapp/index.jsp +index 34d3e14ee..76b6564c1 100644 +--- a/org.eclipse.help.webapp/index.jsp ++++ b/org.eclipse.help.webapp/index.jsp +@@ -1,5 +1,5 @@ + <%-- +- Copyright (c) 2000, 2011 IBM Corporation and others. ++ Copyright (c) 2000, 2021 IBM Corporation and others. + + This program and the accompanying materials + are made available under the terms of the Eclipse Public License 2.0 +@@ -12,9 +12,11 @@ + IBM Corporation - initial API and implementation + --%> + <%@ page import="org.eclipse.help.internal.webapp.data.*" errorPage="/advanced/err.jsp" contentType="text/html; charset=UTF-8"%> ++<%@ page import="java.util.UUID" %> ++<%@ page import="org.eclipse.help.internal.base.BaseHelpSystem" %> + <% + request.setCharacterEncoding("UTF-8"); +- ServerState.webappStarted(application,request, response); ++ ServerState.webappStarted(application,request, response); + // Read the scope parameter + RequestScope.setScopeFromRequest(request, response); + LayoutData data = new LayoutData(application,request, response); +@@ -38,9 +40,27 @@ + </body> + </html> + <% +- }else if(data.isAdvancedUI()){ +- request.getRequestDispatcher("/advanced/index.jsp" + data.getQuery()).forward(request, response); +- }else{ +- request.getRequestDispatcher("/basic/index.jsp" + data.getQuery()).forward(request, response); ++ } else { ++ // For live help ++ String token = request.getParameter("token"); //$NON-NLS-1$ ++ if (token != null && token.matches("a-z0-9-{36}")) { //$NON-NLS-1$ ++ if (BaseHelpSystem.getInstance().matchOnceLiveHelpToken(token)) { ++ // Only one session can grab this ++ if (request.getSession().getAttribute("XSESSION") == null) { //$NON-NLS-1$ ++ String token2 = UUID.randomUUID().toString(); ++ request.getSession().setAttribute("XSESSION", token2); //$NON-NLS-1$ ++ int port = request.getLocalPort(); ++ 
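Review bot: The `<%=token%>` written into the JavaScript string is protected only by the `matches(...)` allowlist on the session attribute, so that regex has to be exactly right; as printed here it reads `"a-z0-9-{36}"`, which without a character class matches the literal text `a-z0-9` followed by 36 hyphens, would reject every UUID, and would mean no token is ever emitted and live help never authorizes. The same bracket loss shows up elsewhere on this page (`Cookie cookies = req.getCookies()` would not compile), so this is probably a rendering artifact — confirm the patch file has `matches("[a-z0-9-]{36}")`. Separately, the trailing `//$NON-NLS-1$) {` on the `if` line is a stray copy of the closing paren and brace inside a comment; harmless, but it reads like a syntax error and should be `{ //$NON-NLS-1$`.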
response.addHeader("Set-Cookie", "XSESSION-" + port + "=" + token2 + "; HttpOnly; SameSite=Strict"); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ ++ String token3 = UUID.randomUUID().toString(); ++ request.getSession().setAttribute("LSESSION", token3); //$NON-NLS-1$ ++ } ++ } ++ } ++ ++ if(data.isAdvancedUI()){ ++ request.getRequestDispatcher("/advanced/index.jsp" + data.getQuery()).forward(request, response); ++ } else { // legacy UI ++ request.getRequestDispatcher("/basic/index.jsp" + data.getQuery()).forward(request, response); ++ } + } + %> +diff --git a/org.eclipse.help.webapp/pom.xml b/org.eclipse.help.webapp/pom.xml +index 51e7cc9e7..e02982e8c 100644 +--- a/org.eclipse.help.webapp/pom.xml ++++ b/org.eclipse.help.webapp/pom.xml +@@ -18,7 +18,7 @@ + </parent> + <groupId>org.eclipse.help</groupId> + <artifactId>org.eclipse.help.webapp</artifactId> +- <version>3.9.400-SNAPSHOT</version> ++ <version>3.9.401-SNAPSHOT</version> + <packaging>eclipse-plugin</packaging> + <build> + <plugins> +diff --git a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java +index d5183e1ab..49a45423b 100644 +--- a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java ++++ b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java +@@ -1,5 +1,5 @@ + /******************************************************************************* +- * Copyright (c) 2000, 2016 IBM Corporation and others. ++ * Copyright (c) 2000, 2021 IBM Corporation and others. 
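Review bot: This hunk holds the third copy of the token regex (`livehelp_js.jsp` and `LayoutData.java` carry the others), each a string literal passed to `String.matches`, which recompiles per call and lets the copies drift; define it once, e.g. `public static final Pattern LIVE_HELP_TOKEN = Pattern.compile("[a-z0-9-]{36}");` in `BaseHelpSystem`, which this JSP already imports, and use `LIVE_HELP_TOKEN.matcher(token).matches()` here. As printed the literal lacks the square brackets and would reject every UUID, though the same loss appears on a `Cookie[]` declaration later in the page, so it is likely a rendering artifact — verify the file. The `Set-Cookie` header is assembled by hand, presumably because the servlet API in use has no `SameSite` support on `Cookie`; if so, a one-line comment saying that keeps the next maintainer from "cleaning it up" into `response.addCookie` and losing the attribute.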
+ * + * This program and the accompanying materials + * are made available under the terms of the Eclipse Public License 2.0 +@@ -46,6 +46,11 @@ public class LayoutData extends RequestData { + + // initialize the query string + String qs = request.getQueryString(); ++ // Remove any live help token ++ if (qs != null) { ++ qs = qs.replaceFirst("^token=a-z0-9-{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$ ++ qs = qs.replaceFirst("&token=a-z0-9-{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$ ++ } + if (qs != null && qs.length() > 0) + query = "?" + qs; //$NON-NLS-1$ + } +diff --git a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java +index ded00b1c1..a2959a6a8 100644 +--- a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java ++++ b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java +@@ -1,5 +1,5 @@ + /******************************************************************************* +- * Copyright (c) 2000, 2015 IBM Corporation and others. ++ * Copyright (c) 2000, 2021 IBM Corporation and others. 
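Review bot: The two `replaceFirst` calls that strip the live-help token from the query string are not anchored at the end, so `token=<36 chars>` followed by anything other than `&` leaves the tail in place, and stripping a leading `token=...` from `token=X&a=1` yields `&a=1`, so the forwarded URL becomes `?&a=1`. A single pattern handles both cases: `qs = qs.replaceFirst("(^|&)token=[a-z0-9-]{36}(?=&|$)", "").replaceFirst("^&", "");`. The pattern should also live in a `static final Pattern` rather than be recompiled per request, and as printed here it lacks the square brackets — likely a rendering artifact, but worth checking in the file.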
+ * + * This program and the accompanying materials + * are made available under the terms of the Eclipse Public License 2.0 +@@ -14,8 +14,8 @@ + package org.eclipse.help.internal.webapp.servlet; + + import java.io.IOException; +- + import javax.servlet.ServletException; ++import javax.servlet.http.Cookie; + import javax.servlet.http.HttpServlet; + import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpServletResponse; +@@ -51,6 +51,45 @@ public class LiveHelpServlet extends HttpServlet { + return; + } + req.setCharacterEncoding("UTF-8"); //$NON-NLS-1$ ++ String sessionid = req.getSession().getId(); ++ Cookie cookies = req.getCookies(); ++ boolean jsessOK = false; ++ boolean xsessOK = false; ++ boolean lsessOK = false; ++ // Unique session ID per help server ++ int port = req.getLocalPort(); ++ String xsessname = "XSESSION-" + port; //$NON-NLS-1$ ++ if (cookies != null) { ++ for (Cookie cookie : cookies) { ++ if (cookie.getName().equals("JSESSIONID")) {//$NON-NLS-1$ ++ if (sessionid.length() >= 30 && ++ cookie.getValue().startsWith(sessionid)) { ++ jsessOK = true; ++ } ++ } ++ if (cookie.getName().equals(xsessname)) { ++ if (cookie.getValue().equals(req.getSession().getAttribute("XSESSION"))) { //$NON-NLS-1$ ++ xsessOK = true; ++ } ++ } ++ } ++ } ++ String token = req.getParameter("token"); //$NON-NLS-1$ ++ if (token != null && token.equals(req.getSession().getAttribute("LSESSION"))) { //$NON-NLS-1$ ++ lsessOK = true; ++ } ++ if (!jsessOK) { ++ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "JSESSIONID"); //$NON-NLS-1$ ++ return; ++ } ++ if (!lsessOK) { ++ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "token"); //$NON-NLS-1$ ++ return; ++ } ++ if (!xsessOK) { ++ resp.sendError(HttpServletResponse.SC_FORBIDDEN, xsessname); ++ return; ++ } + String pluginID = req.getParameter("pluginID"); //$NON-NLS-1$ + if (pluginID == null) + return; +@@ -59,6 +98,11 @@ public class LiveHelpServlet extends HttpServlet { + return; + String arg = 
req.getParameter("arg"); //$NON-NLS-1$ + BaseHelpSystem.runLiveHelp(pluginID, className, arg); ++ /* ++ * @FIXME Should runLiveHelp return an error if the plugin/class is wrong ++ * so a SC_BAD_REQUEST can be returned? Or does this reveal too much? ++ */ ++ resp.setStatus(HttpServletResponse.SC_ACCEPTED); + } + /** + * +-- +cgit v1.2.3 +
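Review bot: The XSESSION and LSESSION checks in this hunk compare the presented values with `String.equals`, which exits on the first differing byte; both values are the sole authorization for running live-help actions, so use `MessageDigest.isEqual` on the UTF-8 bytes (the `@FIXME` in `BaseHelpSystem` asks exactly this). `Cookie cookies = req.getCookies();` as printed cannot compile (`getCookies()` returns `Cookie[]` and the line is iterated with for-each), which suggests brackets were dropped when the page was rendered; please check the patch file, because the same loss would turn the token regexes elsewhere in the patch into ones that reject every UUID. The three `sendError` messages name the failing factor, which helps while debugging but tells a probing client which of the three it still lacks; one generic reason is the safer default. The helper below needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported.
```java
	// Constant-time compare; expected is a session attribute and may be null or non-String.
	private static boolean tokenMatches(String presented, Object expected) {
		if (presented == null || !(expected instanceof String)) {
			return false;
		}
		return MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8),
				((String) expected).getBytes(StandardCharsets.UTF_8));
	}
	// … unchanged: JSESSIONID check …
				if (cookie.getName().equals(xsessname)) {
					if (tokenMatches(cookie.getValue(), req.getSession().getAttribute("XSESSION"))) { //$NON-NLS-1$
						xsessOK = true;
					}
				}
	// … unchanged …
		String token = req.getParameter("token"); //$NON-NLS-1$
		if (tokenMatches(token, req.getSession().getAttribute("LSESSION"))) { //$NON-NLS-1$
			lsessOK = true;
		}
```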