Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 328975

Summary:

[Webapp] Possible security issue with JSP code exposure.

Product:

[Eclipse Project] Equinox

Reporter:

Thomas Watson <tjwatson>

Component:

Framework

Assignee:

Thomas Watson <tjwatson>

Status:

RESOLVED FIXED

QA Contact:

Severity:

major

Priority:

CC:

cgold, daniel_megert, gregw, jeffmcaffer, john.arthorne, Mike_Wilson, remy.suen, simon_kaegi, stephen.francisco, tjwatson, wayne.beaton, webmaster

Version:

3.6.1

Keywords:

security

Target Milestone:

3.6.2

Flags:

simon_kaegi: review+

Hardware:

OS:

Linux

Whiteboard:

Bug Depends on:

328795, 329193

Bug Blocks:

375751, 378977, 378979

Attachments:

Description	Flags
3.6.x patch	none
Updated 3.6.x patch	none

Description Thomas Watson

2010-10-28 16:21:41 EDT

+++ This bug was initially created as a clone of Bug #328795 +++

This is probably an upstream issue, but I will raise it here as it is reproducible in the IDE.

If a ( or \ character is appended to a URL to the help system, then the source of the JSP page is rendered instead of the page itself.

For the IDE, this is not a big issue (the code is opensource anyway), but if the issue is in the HttpServer or Jetty itself, then this is a significant security issue.

We have check jetty 6.1.23, 6.1.26 and jetty-7 out of the box, and none of them are vulnerable to this issue.   So it is something about the configuration of Jetty in eclipse IDE, the HttpService, or the JSP library used.

So I've opened this issue here in the expectation that we can work upstream to identify which component/configuration is the cause.

I will continue to evaluation jetty's handling of such requests and work out what mechanism is catching these URLs and thus work out what could be potentially be disabled in the IDE or RT.

Comment 1 Thomas Watson

2010-11-01 10:41:40 EDT

Created attachment 182144 [details]
3.6.x patch

Comment 2 Thomas Watson

2010-11-01 10:42:05 EDT

Simon please review for 3.6.2.

Comment 3 Thomas Watson

2010-11-01 11:14:40 EDT

Created attachment 182149 [details]
Updated 3.6.x patch

Optimized patch.

Comment 4 Simon Kaegi

2010-11-01 12:40:55 EDT

Looks good.

Comment 5 Thomas Watson

2010-11-01 13:52:04 EDT

Patch released.

Comment 6 Wayne Beaton

2010-11-01 14:24:22 EDT

Does this fix warrant a respin of any existing downloads?

At what point do we remove the visibility restrictions?

Comment 7 Thomas Watson

2010-11-01 16:36:44 EDT

(In reply to comment #6)
> Does this fix warrant a respin of any existing downloads?

Not in my opinion.  The EPPs and eclipse builds this is not a big issue because all the source we include in EPPs and eclipse builds is open source and publicly available anyway.

> 
> At what point do we remove the visibility restrictions?

You should bring this up to the planning council.  IMO we should not remove security restrictions until there is a publicly available fix that can be installed using the release train repos.

Comment 8 Remy Suen

2011-02-25 12:49:51 EST

(In reply to comment #7)
> > At what point do we remove the visibility restrictions?
> 
> You should bring this up to the planning council.  IMO we should not remove
> security restrictions until there is a publicly available fix that can be
> installed using the release train repos.

Did anything come out of this at the PC? Helios SR2 has gone GA.

Comment 9 Mike Wilson

2011-02-25 13:16:07 EST

(In reply to comment #8)
> (In reply to comment #7)
> > > At what point do we remove the visibility restrictions?
> > 
> > You should bring this up to the planning council.  IMO we should not remove
> > security restrictions until there is a publicly available fix that can be
> > installed using the release train repos.
> 
> Did anything come out of this at the PC? Helios SR2 has gone GA.

Maybe John can answer that. 

My _personal_ feeling is that these should just stay restricted to the committer list.

Comment 10 John Arthorne

2011-02-25 13:18:14 EST

(In reply to comment #8)
> Did anything come out of this at the PC? Helios SR2 has gone GA.

The subject has been raised in the architecture council but not yet resolved. See bug 337006.

Comment 11 Wayne Beaton

2011-02-25 13:23:05 EST

(In reply to comment #7)
> You should bring this up to the planning council.  IMO we should not remove
> security restrictions until there is a publicly available fix that can be
> installed using the release train repos.

Sorry... I should have made this connection earlier.

I don't think it's up to the planning council. Really, it's up to you (the project) to decide how to handle these sorts of things. I suppose that you can make the decision in consultation with the PC if you (the project) determine that that is the best course of action.

FWIW, it's not my intent to add a burden to the project. It is my experience, however, that any attempt to put project-directed decision making power into the PC, or the EMO will fail.

I have posed some questions about disclosure on Bug 337006. My intent is to provide a handful of best practices (I've never liked that term) that projects can use for deciding how to disclose the vulnerability and fix. Your input on that bug would be appreciated.

Personally, I believe that progressive disclosure is the best course of action. Are there any specific concerned parties (e.g. known adopters) who should be added to the bug to give them a heads up before we go public?

Is this bug significant enough to warrant some kind of bulletin from the EF? Or is it just a bug that we can quietly make public and go about our business?

Comment 12 Wayne Beaton

2011-02-25 13:24:43 EST

(In reply to comment #9)
> My _personal_ feeling is that these should just stay restricted to the
> committer list.

I disagree. We can't just sit on this forever.

Organizations who are affected by this vulnerability need to be given reasonable opportunity to mitigate their risk.

Comment 13 Wayne Beaton

2011-05-25 15:06:10 EDT

Is it time to go public with this vulnerability and corresponding patch?

Comment 14 Steve Francisco

2013-12-20 11:14:12 EST

I think the security keyword can be removed now as Wayne recommended 2.5 yrs ago :)

Comment 15 Steve Francisco

2013-12-20 11:16:49 EST

sorry - never mind. already cleared the security group.  I mistakenly thought the keyword was blocking non-committer views.