
Bug 419873

Summary: Malicious file names expose inner server filesystem structure
Product: [ECD] Orion
Reporter: Maciej Bendkowski <maciej.bendkowski>
Component: Client
Assignee: Mark Macdonald <mamacdon>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: P3
CC: mamacdon, Silenio_Quarti, simon_kaegi
Version: 4.0
Target Milestone: 4.0 RC3
Hardware: PC
OS: Windows 7
Whiteboard:
Attachments:
  Malicious file name error (flags: none)

Description Maciej Bendkowski CLA 2013-10-18 11:52:00 EDT
Create a folder 'test | me' and a file/folder named '?!@#$%^&*()_+' underneath. On a Windows machine you should get an error message exposing the raw server filesystem structure (see attachment). Doing the same on Linux will succeed, however clicking on that file/folder will result in a 404 file not found error.
Comment 1 Maciej Bendkowski CLA 2013-10-18 11:52:55 EDT
Created attachment 236662 [details]
Malicious file name error
Comment 2 Maciej Bendkowski CLA 2013-10-18 12:09:35 EDT
Same happens with '|||||||||||||'.
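The 404 in the description and the pipe-only names in Comment 2 both come down to how a file name is placed into the request URL. The following is an added illustration in JavaScript, not Orion's own code or its fix: the base URL, the helper names and the Windows-name check are assumptions made for the demo.

```javascript
// Added example (not Orion's code): why an unencoded name like '?!@#$%^&*()_+'
// 404s, and how per-segment percent-encoding keeps it inside the URL path.
// BASE, the helper names and the sample names are constructed for this demo.
const BASE = "http://orion.example/file/";

// Naive: concatenate raw names. '?' starts the query and '#' the fragment,
// so the browser requests a shorter path than the one the user clicked.
function naiveFileUrl(segments) {
  return BASE + segments.join("/");
}

// Hardened: encode each segment so reserved characters stay in the path.
function encodedFileUrl(segments) {
  return BASE + segments.map(encodeURIComponent).join("/");
}

// Parse with the WHATWG URL parser (same as the browser) and return how the
// path was split, plus the segments recovered after decoding.
function inspect(urlString) {
  const u = new URL(urlString);
  const segments = u.pathname
    .replace(/^\/file\//, "")
    .split("/")
    .map(decodeURIComponent);
  return { pathname: u.pathname, search: u.search, hash: u.hash, segments };
}

// Windows rejects these characters in file names; checking before the request
// lets the client show its own message instead of relaying a server error.
const WINDOWS_RESERVED = /[<>:"\/\\|?*\x00-\x1f]/;
function isPortableName(name) {
  return !WINDOWS_RESERVED.test(name);
}

// Names from the bug report (constructed reproduction data).
const NAMES = ["test | me", "?!@#$%^&*()_+"];

console.log(inspect(naiveFileUrl(NAMES)));   // path stops at "test | me/"
console.log(inspect(encodedFileUrl(NAMES))); // both segments recovered
console.log(NAMES.map(isPortableName));      // [ false, false ]
```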
Comment 3 Mark Macdonald CLA 2013-10-21 10:44:57 EDT
Pushed a fix. Skaegi reviewed it.

http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?id=6877f5d