Projects
Mega:24.09
eclipse
_service:tar_scm:CVE-2020-27225.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:CVE-2020-27225.patch of Package eclipse
From 28aac2514656c669ffa16acb996c77def3d4a8d4 Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Tue, 16 Feb 2021 21:40:49 +0000 Subject: 569855: Fix for Eclipse live help. - Use tokens - Backport to R4_11_maintenance branch Change-Id: I09cee753dc24d55a2704b80ae13d392d233aac0d Task-Url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=569855 Signed-off-by: Andrew Johnson <andrew_johnson@uk.ibm.com>(cherry picked from commit 90661664f30d4e1225e4a68b179c6ee110cd7f75) Also-by: Niraj Modi <niraj.modi@in.ibm.com> --- org.eclipse.help.base/META-INF/MANIFEST.MF | 2 +- org.eclipse.help.base/pom.xml | 2 +- .../eclipse/help/internal/base/BaseHelpSystem.java | 29 ++++++++++++- .../eclipse/help/internal/base/HelpDisplay.java | 10 ++++- org.eclipse.help.webapp/META-INF/MANIFEST.MF | 2 +- org.eclipse.help.webapp/advanced/livehelp_js.jsp | 12 +++++- org.eclipse.help.webapp/index.jsp | 32 ++++++++++++--- org.eclipse.help.webapp/pom.xml | 2 +- .../help/internal/webapp/data/LayoutData.java | 7 +++- .../internal/webapp/servlet/LiveHelpServlet.java | 48 +++++++++++++++++++++- 10 files changed, 129 insertions(+), 17 deletions(-) diff --git a/org.eclipse.help.base/META-INF/MANIFEST.MF b/org.eclipse.help.base/META-INF/MANIFEST.MF index 4ad860070..398a6829a 100644 --- a/org.eclipse.help.base/META-INF/MANIFEST.MF +++ b/org.eclipse.help.base/META-INF/MANIFEST.MF @@ -2,7 +2,7 @@ Manifest-Version: 1.0 Bundle-ManifestVersion: 2 Bundle-Name: %help_base_plugin_name Bundle-SymbolicName: org.eclipse.help.base; singleton:=true -Bundle-Version: 4.2.500.qualifier +Bundle-Version: 4.2.501.qualifier Bundle-Activator: org.eclipse.help.internal.base.HelpBasePlugin Bundle-Vendor: %providerName Bundle-Localization: plugin diff --git a/org.eclipse.help.base/pom.xml b/org.eclipse.help.base/pom.xml index b90d899f6..36f5145e9 100644 --- a/org.eclipse.help.base/pom.xml +++ b/org.eclipse.help.base/pom.xml @@ -18,7 +18,7 @@ </parent> <groupId>org.eclipse.help</groupId> <artifactId>org.eclipse.help.base</artifactId> - <version>4.2.500-SNAPSHOT</version> + <version>4.2.501-SNAPSHOT</version> <packaging>eclipse-plugin</packaging> <properties> <defaultSigning-excludeInnerJars>true</defaultSigning-excludeInnerJars> diff --git a/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java b/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java index 2ea5bf807..f9f09ae7a 100644 --- a/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java +++ b/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2000, 2018 IBM Corporation and others. + * Copyright (c) 2000, 2021 IBM Corporation and others. * * This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 @@ -15,6 +15,7 @@ package org.eclipse.help.internal.base; import java.net.MalformedURLException; import java.net.URL; + import org.eclipse.core.runtime.CoreException; import org.eclipse.core.runtime.IProduct; import org.eclipse.core.runtime.IStatus; @@ -59,6 +60,7 @@ public final class BaseHelpSystem { private IBrowser browser; private IBrowser internalBrowser; private HelpDisplay helpDisplay = null; + private String liveHelpToken = null; private BaseHelpSystem() { super(); @@ -350,4 +352,29 @@ public final class BaseHelpSystem { } } + /** + * Check supplied token against stored token. Clears the stored token if + * successful. + * + * @param helpSessionToken + * @return true if match successful + */ + public boolean matchOnceLiveHelpToken(String helpSessionToken) { + /* + * @FIXME - should we use a constant time comparison, and store/compare a + * cryptographic hash? + */ + if (liveHelpToken != null && liveHelpToken.equals(helpSessionToken)) { + // Enforce one-time use. + liveHelpToken = null; + return true; + } else { + return false; + } + } + + public void setLiveHelpToken(String helpSessionToken) { + liveHelpToken = helpSessionToken; + } + } diff --git a/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java b/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java index 28ebfd10d..33a0e08fd 100644 --- a/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java +++ b/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2000, 2015 IBM Corporation and others. + * Copyright (c) 2000, 2021 IBM Corporation and others. * * This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 @@ -15,6 +15,8 @@ package org.eclipse.help.internal.base; import java.io.UnsupportedEncodingException; import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; +import java.util.UUID; import org.eclipse.core.runtime.CoreException; import org.eclipse.core.runtime.IConfigurationElement; @@ -196,6 +198,12 @@ public class HelpDisplay { String topic = helpURL.substring("topic=".length()); //$NON-NLS-1$ helpURL = getHelpDisplay().getHelpForTopic( topic, WebappManager.getHost(), WebappManager.getPort()); } + String basehelp = getBaseURL(); + if (BaseHelpSystem.getMode() != BaseHelpSystem.MODE_INFOCENTER && helpURL.startsWith(basehelp)) { + String sessid = UUID.randomUUID().toString(); + BaseHelpSystem.getInstance().setLiveHelpToken(sessid); + helpURL += (helpURL.indexOf('?') < 0 ? '?' : '&') + "token=" + sessid; //$NON-NLS-1$ + } BaseHelpSystem.getHelpBrowser(forceExternal) .displayURL(helpURL); diff --git a/org.eclipse.help.webapp/META-INF/MANIFEST.MF b/org.eclipse.help.webapp/META-INF/MANIFEST.MF index 0c85d674e..c943158a6 100644 --- a/org.eclipse.help.webapp/META-INF/MANIFEST.MF +++ b/org.eclipse.help.webapp/META-INF/MANIFEST.MF @@ -2,7 +2,7 @@ Manifest-Version: 1.0 Bundle-ManifestVersion: 2 Bundle-Name: %help_webapp_plugin_name Bundle-SymbolicName: org.eclipse.help.webapp;singleton:=true -Bundle-Version: 3.9.400.qualifier +Bundle-Version: 3.9.401.qualifier Bundle-Activator: org.eclipse.help.internal.webapp.HelpWebappPlugin Bundle-Vendor: %providerName Bundle-Localization: plugin diff --git a/org.eclipse.help.webapp/advanced/livehelp_js.jsp b/org.eclipse.help.webapp/advanced/livehelp_js.jsp index 23362f89e..6d04945d6 100644 --- a/org.eclipse.help.webapp/advanced/livehelp_js.jsp +++ b/org.eclipse.help.webapp/advanced/livehelp_js.jsp @@ -1,5 +1,5 @@ <%-- - Copyright (c) 2000, 2018 IBM Corporation and others. + Copyright (c) 2000, 2021 IBM Corporation and others. This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 @@ -47,7 +47,15 @@ function liveActionInternal(topHelpWindow, pluginId, className, argument) url=url.substring(0, i+1); var encodedArg=encodeURIComponent(argument); url=url+"livehelp/?pluginID="+pluginId+"&class="+className+"&arg="+encodedArg+"&nocaching="+Math.random(); - + <% + Object token = request.getSession().getAttribute("LSESSION"); //$NON-NLS-1$ + // Validate token to protect against XSS + if (token instanceof String && ((String)token).matches("[a-z0-9-]{36}")) {//$NON-NLS-1$) { + %> + url=url+"&token=<%=token%>"; + <% + } + %> // we need to find the toolbar frame. // to do: cleanup this, including the location of the hidden livehelp frame. var toolbarFrame = topHelpWindow.HelpFrame.ContentFrame.ContentToolbarFrame; diff --git a/org.eclipse.help.webapp/index.jsp b/org.eclipse.help.webapp/index.jsp index 34d3e14ee..76b6564c1 100644 --- a/org.eclipse.help.webapp/index.jsp +++ b/org.eclipse.help.webapp/index.jsp @@ -1,5 +1,5 @@ <%-- - Copyright (c) 2000, 2011 IBM Corporation and others. + Copyright (c) 2000, 2021 IBM Corporation and others. This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 @@ -12,9 +12,11 @@ IBM Corporation - initial API and implementation --%> <%@ page import="org.eclipse.help.internal.webapp.data.*" errorPage="/advanced/err.jsp" contentType="text/html; charset=UTF-8"%> +<%@ page import="java.util.UUID" %> +<%@ page import="org.eclipse.help.internal.base.BaseHelpSystem" %> <% request.setCharacterEncoding("UTF-8"); - ServerState.webappStarted(application,request, response); + ServerState.webappStarted(application,request, response); // Read the scope parameter RequestScope.setScopeFromRequest(request, response); LayoutData data = new LayoutData(application,request, response); @@ -38,9 +40,27 @@ </body> </html> <% - }else if(data.isAdvancedUI()){ - request.getRequestDispatcher("/advanced/index.jsp" + data.getQuery()).forward(request, response); - }else{ - request.getRequestDispatcher("/basic/index.jsp" + data.getQuery()).forward(request, response); + } else { + // For live help + String token = request.getParameter("token"); //$NON-NLS-1$ + if (token != null && token.matches("[a-z0-9-]{36}")) { //$NON-NLS-1$ + if (BaseHelpSystem.getInstance().matchOnceLiveHelpToken(token)) { + // Only one session can grab this + if (request.getSession().getAttribute("XSESSION") == null) { //$NON-NLS-1$ + String token2 = UUID.randomUUID().toString(); + request.getSession().setAttribute("XSESSION", token2); //$NON-NLS-1$ + int port = request.getLocalPort(); + response.addHeader("Set-Cookie", "XSESSION-" + port + "=" + token2 + "; HttpOnly; SameSite=Strict"); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ + String token3 = UUID.randomUUID().toString(); + request.getSession().setAttribute("LSESSION", token3); //$NON-NLS-1$ + } + } + } + + if(data.isAdvancedUI()){ + request.getRequestDispatcher("/advanced/index.jsp" + data.getQuery()).forward(request, response); + } else { // legacy UI + request.getRequestDispatcher("/basic/index.jsp" + data.getQuery()).forward(request, response); + } } %> diff --git a/org.eclipse.help.webapp/pom.xml b/org.eclipse.help.webapp/pom.xml index 51e7cc9e7..e02982e8c 100644 --- a/org.eclipse.help.webapp/pom.xml +++ b/org.eclipse.help.webapp/pom.xml @@ -18,7 +18,7 @@ </parent> <groupId>org.eclipse.help</groupId> <artifactId>org.eclipse.help.webapp</artifactId> - <version>3.9.400-SNAPSHOT</version> + <version>3.9.401-SNAPSHOT</version> <packaging>eclipse-plugin</packaging> <build> <plugins> diff --git a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java index d5183e1ab..49a45423b 100644 --- a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java +++ b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2000, 2016 IBM Corporation and others. + * Copyright (c) 2000, 2021 IBM Corporation and others. * * This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 @@ -46,6 +46,11 @@ public class LayoutData extends RequestData { // initialize the query string String qs = request.getQueryString(); + // Remove any live help token + if (qs != null) { + qs = qs.replaceFirst("^token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$ + qs = qs.replaceFirst("&token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$ + } if (qs != null && qs.length() > 0) query = "?" + qs; //$NON-NLS-1$ } diff --git a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java index ded00b1c1..a2959a6a8 100644 --- a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java +++ b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2000, 2015 IBM Corporation and others. + * Copyright (c) 2000, 2021 IBM Corporation and others. * * This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 @@ -14,8 +14,8 @@ package org.eclipse.help.internal.webapp.servlet; import java.io.IOException; - import javax.servlet.ServletException; +import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -51,6 +51,45 @@ public class LiveHelpServlet extends HttpServlet { return; } req.setCharacterEncoding("UTF-8"); //$NON-NLS-1$ + String sessionid = req.getSession().getId(); + Cookie cookies[] = req.getCookies(); + boolean jsessOK = false; + boolean xsessOK = false; + boolean lsessOK = false; + // Unique session ID per help server + int port = req.getLocalPort(); + String xsessname = "XSESSION-" + port; //$NON-NLS-1$ + if (cookies != null) { + for (Cookie cookie : cookies) { + if (cookie.getName().equals("JSESSIONID")) {//$NON-NLS-1$ + if (sessionid.length() >= 30 && + cookie.getValue().startsWith(sessionid)) { + jsessOK = true; + } + } + if (cookie.getName().equals(xsessname)) { + if (cookie.getValue().equals(req.getSession().getAttribute("XSESSION"))) { //$NON-NLS-1$ + xsessOK = true; + } + } + } + } + String token = req.getParameter("token"); //$NON-NLS-1$ + if (token != null && token.equals(req.getSession().getAttribute("LSESSION"))) { //$NON-NLS-1$ + lsessOK = true; + } + if (!jsessOK) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "JSESSIONID"); //$NON-NLS-1$ + return; + } + if (!lsessOK) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "token"); //$NON-NLS-1$ + return; + } + if (!xsessOK) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, xsessname); + return; + } String pluginID = req.getParameter("pluginID"); //$NON-NLS-1$ if (pluginID == null) return; @@ -59,6 +98,11 @@ public class LiveHelpServlet extends HttpServlet { return; String arg = req.getParameter("arg"); //$NON-NLS-1$ BaseHelpSystem.runLiveHelp(pluginID, className, arg); + /* + * @FIXME Should runLiveHelp return an error if the plugin/class is wrong + * so a SC_BAD_REQUEST can be returned? Or does this reveal too much? + */ + resp.setStatus(HttpServletResponse.SC_ACCEPTED); } /** * -- cgit v1.2.3
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2