Attachment 102517 Details for Bug 233466 – Patch version 2

Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

[patch] Patch version 2

patch233466A.txt (text/plain), 8.94 KB, created by Chris Goldthorpe

on 2008-05-28 16:54:15 EDT

(hide)

Description:

Filename:

MIME Type:

Creator: Chris Goldthorpe

Created: 2008-05-28 16:54:15 EDT

Size: 8.94 KB

patch

obsolete

>### Eclipse Workspace Patch 1.0
>#P org.eclipse.help.webapp
>Index: src/org/eclipse/help/internal/webapp/data/LayoutData.java
>===================================================================
>RCS file: /cvsroot/eclipse/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java,v
>retrieving revision 1.4
>diff -u -r1.4 LayoutData.java
>--- src/org/eclipse/help/internal/webapp/data/LayoutData.java	7 Mar 2008 01:06:11 -0000	1.4
>+++ src/org/eclipse/help/internal/webapp/data/LayoutData.java	28 May 2008 20:46:29 -0000
>@@ -1,5 +1,5 @@
> /*******************************************************************************
>- * Copyright (c) 2000, 2007 IBM Corporation and others.
>+ * Copyright (c) 2000, 2008 IBM Corporation and others.
>  * All rights reserved. This program and the accompanying materials
>  * are made available under the terms of the Eclipse Public License v1.0
>  * which accompanies this distribution, and is available at
>@@ -70,7 +70,10 @@
> 		else {
> 			TocData tocData = new TocData(context, request, response);
> 			String topic = tocData.getSelectedTopic();
>-			return topic != null ? topic : UrlUtil.getHelpURL(preferences.getHelpHome());
>+			if (topic == null || !UrlUtil.isValidTopicURL(topic)) {
>+				return UrlUtil.getHelpURL(preferences.getHelpHome());
>+			}
>+			return  topic;
> 		}
> 	}
> 
>Index: src/org/eclipse/help/internal/webapp/data/UrlUtil.java
>===================================================================
>RCS file: /cvsroot/eclipse/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/UrlUtil.java,v
>retrieving revision 1.8
>diff -u -r1.8 UrlUtil.java
>--- src/org/eclipse/help/internal/webapp/data/UrlUtil.java	21 May 2008 21:34:33 -0000	1.8
>+++ src/org/eclipse/help/internal/webapp/data/UrlUtil.java	28 May 2008 20:46:29 -0000
>@@ -142,6 +142,21 @@
> 	}
> 	
> 	/**
>+	 * Tests to see if this path is permitted in the topic parameter passed in a help URL
>+	 * @param path the path passed as a ?topic parameter. May not be null.
>+	 * @return true unless topic parameters are restricted and the path has a protocol specified
>+	 */
>+	public static boolean isValidTopicURL(String path) {
>+		if (BaseHelpSystem.getMode() == BaseHelpSystem.MODE_INFOCENTER 
>+				&& new WebappPreferences().isRestrictTopicParameter()) {
>+		    if (path.indexOf("://") >= 0) {  //$NON-NLS-1$
>+			    return false;
>+		    }
>+		}
>+		return true;
>+	}
>+	
>+	/**
> 	 * Returns a path to the given topic in the form of child indexes. For
> 	 * example, if the path points to the 3rd subtopic under the 2nd topic of
> 	 * the 4th toc, it will return { 3, 1, 2 }.
>Index: src/org/eclipse/help/internal/webapp/data/WebappPreferences.java
>===================================================================
>RCS file: /cvsroot/eclipse/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/WebappPreferences.java,v
>retrieving revision 1.6
>diff -u -r1.6 WebappPreferences.java
>--- src/org/eclipse/help/internal/webapp/data/WebappPreferences.java	19 Nov 2007 22:34:46 -0000	1.6
>+++ src/org/eclipse/help/internal/webapp/data/WebappPreferences.java	28 May 2008 20:46:29 -0000
>@@ -1,5 +1,5 @@
> /*******************************************************************************
>- * Copyright (c) 2000, 2007 IBM Corporation and others.
>+ * Copyright (c) 2000, 2008 IBM Corporation and others.
>  * All rights reserved. This program and the accompanying materials
>  * are made available under the terms of the Eclipse Public License v1.0
>  * which accompanies this distribution, and is available at
>@@ -128,4 +128,8 @@
> 		prefs.setValue("default_highlight", highlight); //$NON-NLS-1$
> 	}
> 	
>+	public boolean isRestrictTopicParameter() {
>+		return prefs.getBoolean("restrictTopicParameter"); //$NON-NLS-1$
>+	}
>+	
> }
>#P org.eclipse.help.base
>Index: preferences.ini
>===================================================================
>RCS file: /cvsroot/eclipse/org.eclipse.help.base/preferences.ini,v
>retrieving revision 1.34
>diff -u -r1.34 preferences.ini
>--- preferences.ini	28 Apr 2008 21:07:54 -0000	1.34
>+++ preferences.ini	28 May 2008 20:46:30 -0000
>@@ -171,4 +171,11 @@
> indexButton=true
> indexPlusMinus=true
> indexExpandAll=false
>-highlight-on=true
>\ No newline at end of file
>+highlight-on=true
>+
>+#########################
>+# Infocenter Security
>+#########################
>+# Increases security  by preventing urls referencing external sites from being passed
>+# in as the topic parameter. 
>+restrictTopicParameter=true
>\ No newline at end of file
>#P org.eclipse.ua.tests
>Index: help/org/eclipse/ua/tests/help/webapp/AllWebappTests.java
>===================================================================
>RCS file: /cvsroot/eclipse/org.eclipse.ua.tests/help/org/eclipse/ua/tests/help/webapp/AllWebappTests.java,v
>retrieving revision 1.5
>diff -u -r1.5 AllWebappTests.java
>--- help/org/eclipse/ua/tests/help/webapp/AllWebappTests.java	24 Mar 2008 21:42:05 -0000	1.5
>+++ help/org/eclipse/ua/tests/help/webapp/AllWebappTests.java	28 May 2008 20:46:31 -0000
>@@ -30,6 +30,7 @@
> 		suite.addTestSuite(FilterTest.class);
> 		suite.addTestSuite(UrlUtilsTests.class);
> 		suite.addTestSuite(LocaleTest.class);
>+		suite.addTestSuite(RestrictedTopicParameter.class);
> 		//$JUnit-END$
> 		return suite;
> 	}
>Index: help/org/eclipse/ua/tests/help/webapp/RestrictedTopicParameter.java
>===================================================================
>RCS file: help/org/eclipse/ua/tests/help/webapp/RestrictedTopicParameter.java
>diff -N help/org/eclipse/ua/tests/help/webapp/RestrictedTopicParameter.java
>--- /dev/null	1 Jan 1970 00:00:00 -0000
>+++ help/org/eclipse/ua/tests/help/webapp/RestrictedTopicParameter.java	1 Jan 1970 00:00:00 -0000
>@@ -0,0 +1,82 @@
>+/*******************************************************************************
>+ * Copyright (c) 2008 IBM Corporation and others.
>+ * All rights reserved. This program and the accompanying materials
>+ * are made available under the terms of the Eclipse Public License v1.0
>+ * which accompanies this distribution, and is available at
>+ * http://www.eclipse.org/legal/epl-v10.html
>+ *
>+ * Contributors:
>+ *     IBM Corporation - initial API and implementation
>+ *******************************************************************************/
>+
>+package org.eclipse.ua.tests.help.webapp;
>+
>+import org.eclipse.help.internal.base.BaseHelpSystem;
>+import org.eclipse.help.internal.base.HelpBasePlugin;
>+import org.eclipse.help.internal.webapp.data.UrlUtil;
>+
>+import junit.framework.TestCase;
>+
>+/**
>+ * Test for function which determines whether a topic path can be passed to the content frame
>+ */
>+
>+public class RestrictedTopicParameter extends TestCase {
>+	
>+	private static final String RESTRICT_TOPIC = "restrictTopicParameter";
>+	private boolean restrictTopic;
>+	private int helpMode;
>+	
>+	protected void setUp() throws Exception {
>+		restrictTopic = HelpBasePlugin.getDefault().getPluginPreferences().getBoolean(RESTRICT_TOPIC);
>+		helpMode = BaseHelpSystem.getMode();
>+	}
>+	
>+	protected void tearDown() throws Exception {
>+		setRestrictTopic(restrictTopic);
>+		BaseHelpSystem.setMode(helpMode);
>+	}
>+
>+	private void setRestrictTopic(boolean isRestrict) {
>+		HelpBasePlugin.getDefault().getPluginPreferences().setValue(RESTRICT_TOPIC, isRestrict);
>+	}
>+
>+	public void testWorkbenchMode() {
>+		BaseHelpSystem.setMode(BaseHelpSystem.MODE_WORKBENCH);
>+		setRestrictTopic(true);
>+		assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
>+		assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
>+		setRestrictTopic(false);
>+		assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
>+		assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
>+	}
>+	
>+	public void testStandaloneMode() {
>+		BaseHelpSystem.setMode(BaseHelpSystem.MODE_STANDALONE);
>+		setRestrictTopic(true);
>+		assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
>+		assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
>+		setRestrictTopic(false);
>+		assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
>+		assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
>+	}
>+
>+	public void testInfocenterUnrestricted() {
>+		BaseHelpSystem.setMode(BaseHelpSystem.MODE_INFOCENTER);
>+		setRestrictTopic(false);
>+		assertTrue(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
>+		assertTrue(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
>+		assertTrue(UrlUtil.isValidTopicURL("org.eclipse.platform.doc.user/reference/ref-43.htm"));
>+	}
>+	
>+	public void testInfocenterResestricted() {
>+		BaseHelpSystem.setMode(BaseHelpSystem.MODE_INFOCENTER);
>+		setRestrictTopic(true);
>+		assertFalse(UrlUtil.isValidTopicURL("http://www.eclipse.org"));
>+		assertFalse(UrlUtil.isValidTopicURL("https://www.eclipse.org"));
>+		assertFalse(UrlUtil.isValidTopicURL("HTTP://www.eclipse.org"));
>+		assertFalse(UrlUtil.isValidTopicURL("file://somepath.html"));
>+		assertTrue(UrlUtil.isValidTopicURL("org.eclipse.platform.doc.user/reference/ref-43.htm"));
>+	}
>+	
>+}

Actions: View | Diff

Attachments on bug 233466: 102421 | 102517