
Bug 329193

Summary: [Webapp] Possible security issue with JSP code exposure.
Product: [Eclipse Project] Equinox
Reporter: Thomas Watson <tjwatson>
Component: Server-Side
Assignee: equinox.server-side-inbox <equinox.server-side-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: P3
CC: cgold, ec, gregw, jeffmcaffer, john.arthorne, Mike_Wilson, remy.suen, simon_kaegi, tjwatson, wayne.beaton, webmaster
Version: 3.6.1
Keywords: security
Target Milestone: 3.6.2
Flags: tjwatson: review+
Hardware: PC
OS: Linux
Whiteboard:
Bug Depends on: 328795
Bug Blocks: 328975, 378977, 378979, 390491
Attachments: Proposed Http Registry and JSP fix (flags: none)

Description Thomas Watson CLA 2010-11-01 10:15:11 EDT
+++ This bug was initially created as a clone of Bug #328795 +++

This is probably an upstream issue, but I will raise it here as it is reproducible in the IDE.

If a ( or \ character is appended to a URL to the help system, then the source of the JSP page is rendered instead of the page itself.

For the IDE, this is not a big issue (the code is open source anyway), but if the issue is in the HttpServer or Jetty itself, then this is a significant security issue.

We have checked jetty 6.1.23, 6.1.26 and jetty-7 out of the box, and none of them are vulnerable to this issue. So it is something about the configuration of Jetty in the Eclipse IDE, the HttpService, or the JSP library used.

So I've opened this issue here in the expectation that we can work upstream to identify which component/configuration is the cause.

I will continue to evaluate jetty's handling of such requests and work out what mechanism is catching these URLs and thus work out what could potentially be disabled in the IDE or RT.

---------------------------

See bug 328795 comment 19

It looks like both the following methods need to sanitize input to escape '*':

org.eclipse.equinox.http.registry.internal.DefaultRegistryHttpContext.ResourceMapping.getResource(String)

org.eclipse.equinox.jsp.jasper.JspServlet.ServletContextAdaptor.getResource(String)
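
One way to do the escaping the description asks for, as an added example that is not the attached patch or any Equinox code. It assumes the resource lookup treats the last path segment as a pattern in which '*' is a wildcard and '\' is the escape character; `EntryNameSanitizer`, `sanitizeEntryName` and `matches` are hypothetical names, and `matches` only stands in for that lookup.

```java
import java.util.List;

public class EntryNameSanitizer {
    // Escape the pattern metacharacters so the requested name is matched
    // literally. '\' must be escaped too, because it is the escape character.
    static String sanitizeEntryName(String name) {
        StringBuilder out = new StringBuilder(name.length() + 4);
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c == '*' || c == '\\') out.append('\\');
            out.append(c);
        }
        return out.toString();
    }

    // Stand-in for the pattern lookup (assumption): '*' matches any run of
    // characters, '\' makes the following character literal.
    static boolean matches(String pattern, int p, String name, int n) {
        if (p == pattern.length()) return n == name.length();
        char c = pattern.charAt(p);
        if (c == '*') {
            for (int k = n; k <= name.length(); k++)
                if (matches(pattern, p + 1, name, k)) return true;
            return false;
        }
        if (c == '\\' && p + 1 < pattern.length()) c = pattern.charAt(++p);
        return n < name.length() && name.charAt(n) == c
                && matches(pattern, p + 1, name, n + 1);
    }

    public static void main(String[] args) {
        // Constructed sample data: bundle entries and requested file names.
        List<String> entries = List.of("index.jsp", "admin.jsp");
        for (String requested : List.of("index.jsp", "*.jsp", "index.jsp\\")) {
            for (String pattern : List.of(requested, sanitizeEntryName(requested))) {
                long hits = entries.stream()
                        .filter(e -> matches(pattern, 0, e, 0)).count();
                System.out.println("request '" + requested + "' as pattern '"
                        + pattern + "': " + hits + " entry match(es)");
            }
        }
    }
}
```

The point to check in a real lookup is the same as in the stand-in: a request name containing a metacharacter must resolve only to an entry with exactly that name, never to a different file.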

Comment 1 Simon Kaegi CLA 2010-11-01 10:42:01 EDT
Created attachment 182145
Proposed Http Registry and JSP fix

Comment 2 Simon Kaegi CLA 2010-11-01 11:29:24 EDT
Please review Tom. Thanks.

Comment 3 Thomas Watson CLA 2010-11-01 12:15:47 EDT
Looks good.

Comment 4 Simon Kaegi CLA 2010-11-01 14:06:38 EDT
Released.