Attachment #102517 for bug #233466

Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Lines 1-5 Link Here

(-)src/org/eclipse/help/internal/webapp/data/LayoutData.java (-2 / +5 lines)
1	/*******************************************************************************	1	/*******************************************************************************
2	* Copyright (c) 2000, 2007 IBM Corporation and others.	2	* Copyright (c) 2000, 2008 IBM Corporation and others.
3	* All rights reserved. This program and the accompanying materials	3	* All rights reserved. This program and the accompanying materials
4	* are made available under the terms of the Eclipse Public License v1.0	4	* are made available under the terms of the Eclipse Public License v1.0
5	* which accompanies this distribution, and is available at	5	* which accompanies this distribution, and is available at
Lines 70-76 Link Here
70	else {	70	else {
71	TocData tocData = new TocData(context, request, response);	71	TocData tocData = new TocData(context, request, response);
72	String topic = tocData.getSelectedTopic();	72	String topic = tocData.getSelectedTopic();
73	return topic != null ? topic : UrlUtil.getHelpURL(preferences.getHelpHome());	73	if (topic == null \|\| !UrlUtil.isValidTopicURL(topic)) {
		74	return UrlUtil.getHelpURL(preferences.getHelpHome());
		75	}
		76	return topic;
74	}	77	}
75	}	78	}
76		79




	}
	
	/**
	 * Tests to see if this path is permitted in the topic parameter passed in a help URL
	 * @param path the path passed as a ?topic parameter. May not be null.
	 * @return true unless topic parameters are restricted and the path has a protocol specified
	 */
	public static boolean isValidTopicURL(String path) {
		if (BaseHelpSystem.getMode() == BaseHelpSystem.MODE_INFOCENTER 
				&& new WebappPreferences().isRestrictTopicParameter()) {
		    if (path.indexOf("://") >= 0) {  //$NON-NLS-1$
			    return false;
		    }
		}
		return true;
	}
	
	/**
	 * Returns a path to the given topic in the form of child indexes. For
	 * example, if the path points to the 3rd subtopic under the 2nd topic of
	 * the 4th toc, it will return { 3, 1, 2 }.

Lines 1-5 Link Here

(-)src/org/eclipse/help/internal/webapp/data/WebappPreferences.java (-1 / +5 lines)
1	/*******************************************************************************	1	/*******************************************************************************
2	* Copyright (c) 2000, 2007 IBM Corporation and others.	2	* Copyright (c) 2000, 2008 IBM Corporation and others.
3	* All rights reserved. This program and the accompanying materials	3	* All rights reserved. This program and the accompanying materials
4	* are made available under the terms of the Eclipse Public License v1.0	4	* are made available under the terms of the Eclipse Public License v1.0
5	* which accompanies this distribution, and is available at	5	* which accompanies this distribution, and is available at
Lines 128-131 Link Here
128	prefs.setValue("default_highlight", highlight); //$NON-NLS-1$	128	prefs.setValue("default_highlight", highlight); //$NON-NLS-1$
129	}	129	}
130		130
		131	public boolean isRestrictTopicParameter() {
		132	return prefs.getBoolean("restrictTopicParameter"); //$NON-NLS-1$
		133	}
		134
131	}	135	}

Lines 171-174 Link Here

(-)preferences.ini (-1 / +8 lines)
171	indexButton=true	171	indexButton=true
172	indexPlusMinus=true	172	indexPlusMinus=true
173	indexExpandAll=false	173	indexExpandAll=false
174	highlight-on=true	174	highlight-on=true
		175
		176	#########################
		177	# Infocenter Security
		178	#########################
		179	# Increases security by preventing urls referencing external sites from being passed
		180	# in as the topic parameter.
		181	restrictTopicParameter=true

Lines 30-35 Link Here

(-)help/org/eclipse/ua/tests/help/webapp/AllWebappTests.java (+1 lines)
30	suite.addTestSuite(FilterTest.class);	30	suite.addTestSuite(FilterTest.class);
31	suite.addTestSuite(UrlUtilsTests.class);	31	suite.addTestSuite(UrlUtilsTests.class);
32	suite.addTestSuite(LocaleTest.class);	32	suite.addTestSuite(LocaleTest.class);
		33	suite.addTestSuite(RestrictedTopicParameter.class);
33	//$JUnit-END$	34	//$JUnit-END$
34	return suite;	35	return suite;
35	}	36	}




/*******************************************************************************
 * Copyright (c) 2008 IBM Corporation and others.
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * which accompanies this distribution, and is available at
 * http://www.eclipse.org/legal/epl-v10.html
 *
 * Contributors:
 *     IBM Corporation - initial API and implementation
 *******************************************************************************/

package org.eclipse.ua.tests.help.webapp;

import org.eclipse.help.internal.base.BaseHelpSystem;
import org.eclipse.help.internal.base.HelpBasePlugin;
import org.eclipse.help.internal.webapp.data.UrlUtil;

import junit.framework.TestCase;

/**
 * Test for function which determines whether a topic path can be passed to the content frame
 */

public class RestrictedTopicParameter extends TestCase {
	
	private static final String RESTRICT_TOPIC = "restrictTopicParameter";
	private boolean restrictTopic;
	private int helpMode;
	
	protected void setUp() throws Exception {
		restrictTopic = HelpBasePlugin.getDefault().getPluginPreferences().getBoolean(RESTRICT_TOPIC);
		helpMode = BaseHelpSystem.getMode();
	}
	
	protected void tearDown() throws Exception {
		setRestrictTopic(restrictTopic);
		BaseHelpSystem.setMode(helpMode);
	}

	private void setRestrictTopic(boolean isRestrict) {
		HelpBasePlugin.getDefault().getPluginPreferences().setValue(RESTRICT_TOPIC, isRestrict);
	}

	public void testWorkbenchMode() {
		BaseHelpSystem.setMode(BaseHelpSystem.MODE_WORKBENCH);
		setRestrictTopic(true);
		assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
		assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
		setRestrictTopic(false);
		assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
		assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
	}
	
	public void testStandaloneMode() {
		BaseHelpSystem.setMode(BaseHelpSystem.MODE_STANDALONE);
		setRestrictTopic(true);
		assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
		assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
		setRestrictTopic(false);
		assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
		assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
	}

	public void testInfocenterUnrestricted() {
		BaseHelpSystem.setMode(BaseHelpSystem.MODE_INFOCENTER);
		setRestrictTopic(false);
		assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
		assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
		assertTrue(UrlUtil.isValidTopicURL("org.eclipse.platform.doc.user/reference/ref-43.htm"));
	}
	
	public void testInfocenterResestricted() {
		BaseHelpSystem.setMode(BaseHelpSystem.MODE_INFOCENTER);
		setRestrictTopic(true);
		assertFalse(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
		assertFalse(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
		assertFalse(UrlUtil.isValidTopicURL("HTTP://www.eclipse.org"));
		assertFalse(UrlUtil.isValidTopicURL("file://somepath.html"));
		assertTrue(UrlUtil.isValidTopicURL("org.eclipse.platform.doc.user/reference/ref-43.htm"));
	}
	
}

Return to bug 233466

Lines 142-147 Link Here

(-)src/org/eclipse/help/internal/webapp/data/UrlUtil.java (+15 lines)
142	}	142	}
143		143
144	/**	144	/**
		145	* Tests to see if this path is permitted in the topic parameter passed in a help URL
		146	* @param path the path passed as a ?topic parameter. May not be null.
		147	* @return true unless topic parameters are restricted and the path has a protocol specified
		148	*/
		149	public static boolean isValidTopicURL(String path) {
		150	if (BaseHelpSystem.getMode() == BaseHelpSystem.MODE_INFOCENTER
		151	&& new WebappPreferences().isRestrictTopicParameter()) {
		152	if (path.indexOf("://") >= 0) { //$NON-NLS-1$
		153	return false;
		154	}
		155	}
		156	return true;
		157	}
		158
		159	/**
145	* Returns a path to the given topic in the form of child indexes. For	160	* Returns a path to the given topic in the form of child indexes. For
146	* example, if the path points to the 3rd subtopic under the 2nd topic of	161	* example, if the path points to the 3rd subtopic under the 2nd topic of
147	* the 4th toc, it will return { 3, 1, 2 }.	162	* the 4th toc, it will return { 3, 1, 2 }.

Added Link Here

(-)help/org/eclipse/ua/tests/help/webapp/RestrictedTopicParameter.java (+82 lines)
1	/*******************************************************************************
2	* Copyright (c) 2008 IBM Corporation and others.
3	* All rights reserved. This program and the accompanying materials
4	* are made available under the terms of the Eclipse Public License v1.0
5	* which accompanies this distribution, and is available at
6	* http://www.eclipse.org/legal/epl-v10.html
7	*
8	* Contributors:
9	* IBM Corporation - initial API and implementation
10	*******************************************************************************/
11
12	package org.eclipse.ua.tests.help.webapp;
13
14	import org.eclipse.help.internal.base.BaseHelpSystem;
15	import org.eclipse.help.internal.base.HelpBasePlugin;
16	import org.eclipse.help.internal.webapp.data.UrlUtil;
17
18	import junit.framework.TestCase;
19
20	/**
21	* Test for function which determines whether a topic path can be passed to the content frame
22	*/
23
24	public class RestrictedTopicParameter extends TestCase {
25
26	private static final String RESTRICT_TOPIC = "restrictTopicParameter";
27	private boolean restrictTopic;
28	private int helpMode;
29
30	protected void setUp() throws Exception {
31	restrictTopic = HelpBasePlugin.getDefault().getPluginPreferences().getBoolean(RESTRICT_TOPIC);
32	helpMode = BaseHelpSystem.getMode();
33	}
34
35	protected void tearDown() throws Exception {
36	setRestrictTopic(restrictTopic);
37	BaseHelpSystem.setMode(helpMode);
38	}
39
40	private void setRestrictTopic(boolean isRestrict) {
41	HelpBasePlugin.getDefault().getPluginPreferences().setValue(RESTRICT_TOPIC, isRestrict);
42	}
43
44	public void testWorkbenchMode() {
45	BaseHelpSystem.setMode(BaseHelpSystem.MODE_WORKBENCH);
46	setRestrictTopic(true);
47	assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
48	assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
49	setRestrictTopic(false);
50	assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
51	assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
52	}
53
54	public void testStandaloneMode() {
55	BaseHelpSystem.setMode(BaseHelpSystem.MODE_STANDALONE);
56	setRestrictTopic(true);
57	assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
58	assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
59	setRestrictTopic(false);
60	assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
61	assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
62	}
63
64	public void testInfocenterUnrestricted() {
65	BaseHelpSystem.setMode(BaseHelpSystem.MODE_INFOCENTER);
66	setRestrictTopic(false);
67	assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
68	assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
69	assertTrue(UrlUtil.isValidTopicURL("org.eclipse.platform.doc.user/reference/ref-43.htm"));
70	}
71
72	public void testInfocenterResestricted() {
73	BaseHelpSystem.setMode(BaseHelpSystem.MODE_INFOCENTER);
74	setRestrictTopic(true);
75	assertFalse(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
76	assertFalse(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
77	assertFalse(UrlUtil.isValidTopicURL("HTTP://www.eclipse.org"));
78	assertFalse(UrlUtil.isValidTopicURL("file://somepath.html"));
79	assertTrue(UrlUtil.isValidTopicURL("org.eclipse.platform.doc.user/reference/ref-43.htm"));
80	}
81
82	}