Community
Participate
Working Groups
Created attachment 192146 [details] zip of helpProblem plug-in I have attached a plug-in which uses the org.eclipse.help.toc extension and specifies a toc provider class. The toc provider class specifies a topic which has an href that points to a local system file (note: not a plug-in file, but a file on the local system). In this case, it is /home/xxxxx/my.html. Place the accompanying my.html file in your home directory before testing. Launch a child Eclipse application with the helpProblem plug-in added. Go to Help Contents and open Help Documents and click on the one Help Topic provided. Under 3.6.0, this works and the my.html is shown. In the case of 3.6.1 and higher, an error is posted and the my.html file is not shown.
Created attachment 192147 [details] test html file to show as topic
The cause of the regression was a security fix and has nothing to do with the toc provider extension point. Up until Eclipse 3.6.1 the workbench help server would allow references which used the file: protocol, from a security perspective this was problematic. In Eclipse 3.6.1 a number of security issues were fixed which ended up severely restricting the use of the file: protocol. There is a preference in Eclipse, org.eclipse.help.base/restrictTopicParameter which allows the file: protocol to be still used, unfortunately this still does not allow your example to work. For Eclipse 3.7 I can add a fix so that org.eclipse.help.base/restrictTopicParameter will allow the file: protocol to be used. In general however I recommend that users do not use this preference as allowing the file: protocol does reduce security. Instead I would suggest that if you need to access local files that you use a content producer.
I need to correct one thing I said in my previous comment. org.eclipse.help.base/restrictTopicParameter does not have the effect of permitting use of the file: protocol.
(In reply to comment #2) > The cause of the regression was a security fix and has nothing to do with the > toc provider extension point. Up until Eclipse 3.6.1 the workbench help server > would allow references which used the file: protocol, from a security > perspective this was problematic. In Eclipse 3.6.1 a number of security issues > were fixed which ended up severely restricting the use of the file: protocol. > > There is a preference in Eclipse, org.eclipse.help.base/restrictTopicParameter > which allows the file: protocol to be still used, unfortunately this still does > not allow your example to work. > > For Eclipse 3.7 I can add a fix so that > org.eclipse.help.base/restrictTopicParameter will allow the file: protocol to > be used. In general however I recommend that users do not use this preference > as allowing the file: protocol does reduce security. Instead I would suggest > that if you need to access local files that you use a content producer. So, I would create an IHelpContentProducer for my plug-in and then code the hrefs in my dynamic toc provider to be something like MYPLUGINID/some_file_name.html at which my IHelpContentProducer would get called and open the some_file_name.html locally on the system (e.g. /usr/share/docs/some_file_name.html) and then pass back the input stream. I think that is a reasonable solution. Please correct me if I have interpreted this incorrectly.
Your description is 100% accurate. Also I need to correct one thing I wrote in my previous comment - restrictTopicParameter turns on and off an anti-phishing check and is unrelated to the use of the file: protocol. Closing this bug report.
