| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | [Help] Security vulnerabilities in deferredView.jsp | | |
| Product: | [Eclipse Project] Platform | Reporter: | Chris Austin <ChrisAustin> |
| Component: | User Assistance | Assignee: | Platform-UI-Inbox <Platform-UI-Inbox> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | | |
| Priority: | P3 | CC: | daniel_megert, stephen.francisco, wayne.beaton, yxzhong, zhhaohh |
| Version: | 3.8 | | |
| Target Milestone: | 3.4.2+ | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Bug Depends on: | 328975, 378977, 378979 | | |
| Bug Blocks: | | | |
| Attachments: | | | |
Description
Chris Austin
Created attachment 213402 [details]
Potential fix

This fix prepends the href used on the page with the base URL (http://etc/help/advanced)

---

Created attachment 213496 [details]
Fix with updated copyright

Forgot the copyright, added to patch.

---

3.8: http://git.eclipse.org/c/platform/eclipse.platform.ua.git/commit/?id=854b5aa9ac1959a748bf14ce345a461a5ea223b0
3.7.2+: http://git.eclipse.org/c/platform/eclipse.platform.ua.git/commit/?id=27d3b4af37e4b391a40c2fda8c8ff7ecd0b2784e
3.6.2+ (map file updated): http://git.eclipse.org/c/platform/eclipse.platform.ua.git/commit/?id=6db006bc56f855e0dd00d376c191af61f688f3c1
3.6.2+J7 (map file updated): same fix as in 3.6.2+

3.5.2+ and 3.4.2+ have to wait (see bug 370366 comment 18).

---

3.4.2+: Tagged 'org.eclipse.help.webapp' with 'r34x_20120404' and updated map file
3.5.2+: Tagged 'org.eclipse.help.webapp' with 'r35x_20120404' and updated map file

---

Thanks Dani!

---

I've built and verified that the fix works on the following older versions:
3.4.2+
3.5.2+
3.6.2+

---

We request that this remains classified as committer-only until at least July 1, 2012 to give affected teams time to adopt and distribute fixes as needed.

---

After applying the patch, it didn't address the security issue in deferredview.jsp. But another problem is found:

If we use the url like:
"http://9.111.45.112:9999/help/advanced/deferredView.jsp?href=javascript:alert(1)".
content of the advanced.jsp would be shown, and AppScan will record this as a low level violation.

Please help to verify this issue.

---

(In reply to comment #8)
> After applying the patch, it didn't address the security issue in
> deferredview.jsp. But another problem is found:
>
> If we use the url like:
> "http://9.111.45.112:9999/help/advanced/deferredView.jsp?href=javascript:alert(1)".
> content of the advanced.jsp would be shown, and AppScan will record this as a
> low level violation.
>
> Please help to verify this issue.

What version? I verified that the problem is fixed in 3.8 M7.

---

Version 3.6

---

(In reply to comment #10)
> Version 3.6

So, you applied the patch yourself to 3.6?

---

Yes

---

(In reply to comment #6)
> I've built and verified that the fix works on the following older versions:
> 3.4.2+
> 3.5.2+
> 3.6.2+

How did you do it?

---

I tested again and it looks that the fix is OK in >=3.6.2+. However, in 3.5.2+ and 3.4.2+ it only fixes case 1 of comment 0 but not case 2. Didn't test 3.6 + patch.

It looks like some additional fix from 3.6.2 and newer is also needed. Chris, can you take a look?

---

The reason why it works >= 3.6.2 is the fix for bug 328975.

I'm marking this one as fixed again, since the backport for this bug took place. There's nothing more to do from the 'User Assistance' side.

---

This one's been marked fixed for a while. Can we remove the "committer-only" restriction?

---

removing the restriction seems fine - it's been over a year.

---

(In reply to comment #17)
> removing the restriction seems fine - it's been over a year.

You're a bit late ;-)

---

ha - well I retroactively approve the removal on behalf of all of my loyal subjects
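An added example, not the project's code or the patch attached to this bug: a small Java helper showing the two checks the thread circles around, resolving a user-supplied href against the help base URL and rejecting values that carry a scheme or authority (such as the javascript: href reported above) or that climb out of the base directory. The class name, the base URL (taken from the first comment) and the sample inputs are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Hypothetical guard for a user-supplied "href" request parameter (not the
 * project's code): resolve it against the help webapp's base URL and accept
 * only plain relative paths that stay inside that base.
 */
public final class HrefGuard {

    // Assumed base for the advanced help pages; the bug quotes it as http://etc/help/advanced
    static final URI BASE = URI.create("http://etc/help/advanced/");

    /** Returns the resolved absolute URL for href, or null when href must be rejected. */
    public static String safeHref(String href) {
        if (href == null || href.trim().isEmpty()) {
            return null;
        }
        URI candidate;
        try {
            candidate = new URI(href);
        } catch (URISyntaxException e) {
            return null; // unparsable input (spaces, control characters, stray '%')
        }
        // "javascript:alert(1)" and "http://other-host/..." carry a scheme,
        // "//other-host/x" carries an authority: none of these is a local help page.
        if (candidate.getScheme() != null || candidate.getAuthority() != null) {
            return null;
        }
        // Prepending the base alone is not enough: "../../x" would still climb out
        // of /help/advanced/, so check containment after dot-segment normalisation.
        String resolved = BASE.resolve(candidate).normalize().toString();
        if (!resolved.startsWith(BASE.toString())) {
            return null;
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample values, including the javascript: href reported in the bug.
        String[] samples = {
            "advanced.jsp", "javascript:alert(1)", "../../../index.jsp", "//other-host/x"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + safeHref(s));
        }
    }
}
```

Only the first sample resolves to a URL under the base; the other three come back as null and would be answered with an error instead of being written into the page.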