Bugzilla – Attachment 182149 Details for
Bug 328975
[Webapp] Possible security issue with JSP code exposure.
Updated 3.6.x patch
328975.txt (text/plain), 8.41 KB, created by
Thomas Watson
on 2010-11-01 11:14:40 EDT
Description:
Updated 3.6.x patch
Filename:
MIME Type:
Creator:
Thomas Watson
Created:
2010-11-01 11:14:40 EDT
Size:
8.41 KB
patch
obsolete
>### Eclipse Workspace Patch 1.0
>#P org.eclipse.osgi
>Index: core/framework/org/eclipse/osgi/framework/internal/core/AbstractBundle.java
>===================================================================
>RCS file: /cvsroot/rt/org.eclipse.equinox/framework/bundles/org.eclipse.osgi/core/framework/org/eclipse/osgi/framework/internal/core/AbstractBundle.java,v
>retrieving revision 1.74
>diff -u -r1.74 AbstractBundle.java
>--- core/framework/org/eclipse/osgi/framework/internal/core/AbstractBundle.java 22 Apr 2010 14:48:28 -0000 1.74
>+++ core/framework/org/eclipse/osgi/framework/internal/core/AbstractBundle.java 1 Nov 2010 15:13:54 -0000
>@@ -1383,11 +1383,14 @@
> if (filePattern != null)
> try {
> // create a file pattern filter with 'filename' as the key
>- patternFilter = FilterImpl.newInstance("(filename=" + filePattern + ")"); //$NON-NLS-1$ //$NON-NLS-2$
>+ patternFilter = FilterImpl.newInstance("(filename=" + sanitizeFilterInput(filePattern) + ")"); //$NON-NLS-1$ //$NON-NLS-2$
> // create a single hashtable to be shared during the recursive search
> patternProps = new Hashtable(2);
> } catch (InvalidSyntaxException e) {
>- // cannot happen
>+ // something unexpected happened; log error and return nothing
>+ Bundle b = framework.systemBundle;
>+ framework.publishFrameworkEvent(FrameworkEvent.ERROR, b, e);
>+ return null;
> }
> // find the local entries of this bundle
> findLocalEntryPaths(path, patternFilter, patternProps, recurse, pathList);
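Review bot: The new catch comment "something unexpected happened" no longer matches what can reach it: with the sanitizer in place, the only InvalidSyntaxException that still escapes this block is the one sanitizeFilterInput throws for a caller-supplied pattern ending in an unescaped backslash, which the new test exercises deliberately with `"notFound\\"`. Publishing that as FrameworkEvent.ERROR reports an argument-validation failure as a framework fault, so at minimum the comment should say what is actually being reported, e.g. `// the caller supplied a pattern the filter cannot parse (e.g. a trailing '\'); report it and return no entries`. Whether an ERROR event is the right severity for bad input is a design call the commit should state explicitly. The enclosing findEntries method starts and ends outside this hunk.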
>@@ -1450,6 +1453,46 @@
> };
> }
> 
>+ private String sanitizeFilterInput(String filePattern) throws InvalidSyntaxException {
>+ StringBuffer buffer = null;
>+ boolean foundEscape = false;
>+ for (int i = 0; i < filePattern.length(); i++) {
>+ char c = filePattern.charAt(i);
>+ switch (c) {
>+ case '\\' :
>+ // we either used the escape found or found a new escape.
>+ foundEscape = foundEscape ? false : true;
>+ if (buffer != null)
>+ buffer.append(c);
>+ break;
>+ case '(' :
>+ case ')' :
>+ if (!foundEscape) {
>+ if (buffer == null) {
>+ buffer = new StringBuffer(filePattern.length() + 16);
>+ buffer.append(filePattern.substring(0, i));
>+ }
>+ // must escape with '\'
>+ buffer.append('\\');
>+ } else {
>+ foundEscape = false; // used the escape found
>+ }
>+ if (buffer != null)
>+ buffer.append(c);
>+ break;
>+ default :
>+ // if we found an escape it has been used
>+ foundEscape = false;
>+ if (buffer != null)
>+ buffer.append(c);
>+ break;
>+ }
>+ }
>+ if (foundEscape)
>+ throw new InvalidSyntaxException("Trailing escape characters must be escaped.", filePattern); //$NON-NLS-1$
>+ return buffer == null ? filePattern : buffer.toString();
>+ }
>+ 
> protected void findLocalEntryPaths(String path, Filter patternFilter, Hashtable patternProps, boolean recurse, List pathList) {
> Enumeration entryPaths = bundledata.getEntryPaths(path);
> if (entryPaths == null)
>#P org.eclipse.osgi.tests
>Index: src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java
>===================================================================
>RCS file: src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java
>diff -N src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java 1 Jan 1970 00:00:00 -0000
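Review bot: sanitizeFilterInput is the boundary that stops a caller-supplied filePattern from changing the structure of the `(filename=...)` filter built in findEntries, yet it has no Javadoc saying so, which makes it easy for a later edit to weaken it without noticing. Add a Javadoc stating that it escapes every '(' and ')' that is not already preceded by an unused '\' so the pattern can only ever be matched as a value, that '*' wildcards and existing '\' escapes pass through unchanged, that the original string is returned when nothing needed escaping, and an `@throws InvalidSyntaxException` entry for a pattern ending in an unescaped '\'. As a point of style, `foundEscape = foundEscape ? false : true;` in the '\\' case is just `foundEscape = !foundEscape;`, and reads more clearly with the comment that follows it.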
>@@ -0,0 +1,86 @@
>+/*******************************************************************************
>+ * Copyright (c) 2010 IBM Corporation and others.
>+ * All rights reserved. This program and the accompanying materials
>+ * are made available under the terms of the Eclipse Public License v1.0
>+ * which accompanies this distribution, and is available at
>+ * http://www.eclipse.org/legal/epl-v10.html
>+ *
>+ * Contributors:
>+ * IBM Corporation - initial API and implementation
>+ *******************************************************************************/
>+package org.eclipse.osgi.tests.bundles;
>+
>+import java.util.Enumeration;
>+import junit.framework.Test;
>+import junit.framework.TestSuite;
>+import org.eclipse.core.tests.harness.CoreTest;
>+import org.eclipse.osgi.tests.OSGiTestsActivator;
>+import org.osgi.framework.*;
>+
>+public class BundleResourceTests extends CoreTest {
>+ private BundleInstaller installer;
>+
>+ protected void setUp() throws Exception {
>+ try {
>+ installer = new BundleInstaller(OSGiTestsActivator.TEST_FILES_ROOT + "resourcetests/bundles", OSGiTestsActivator.getContext()); //$NON-NLS-1$
>+ } catch (InvalidSyntaxException e) {
>+ fail("Failed to create bundle installer", e); //$NON-NLS-1$
>+ }
>+ }
>+
>+ protected void tearDown() throws Exception {
>+ installer.shutdown();
>+ }
>+
>+ public static Test suite() {
>+ return new TestSuite(BundleResourceTests.class);
>+ }
>+
>+ public void testBug328795() throws BundleException {
>+ Bundle bundle = installer.installBundle("test"); //$NON-NLS-1$
>+ checkEntries(bundle, "notFound\\", 0); // this results in invalid syntax exception which is logged because of trailing escape
>+ checkEntries(bundle, "notFound\\\\", 0); // test escaped escape "notFound\"
>+ checkEntries(bundle, "notFound(", 0); // test unescaped trailing (
>+ checkEntries(bundle, "notFound\\(", 0); // test escaped trailing (
>+ checkEntries(bundle, "notFound)", 0); // test unescaped trailing )
>+ checkEntries(bundle, "notFound\\)", 0); // test escaped trailing )
>+ checkEntries(bundle, "notFound*", 0); // test trailing unescaped *
>+ checkEntries(bundle, "notFound\\*", 0); // test trailing escaped *
>+ checkEntries(bundle, "paren(.txt", 1); // test unescaped ( -> should find one
>+ checkEntries(bundle, "paren\\(.txt", 1); // test escaped ( -> should find one
>+ checkEntries(bundle, "paren\\\\(.txt", 0); // test escaped escape before unescaped ( -> should find none; looks for paren\(.txt file
>+ checkEntries(bundle, "paren).txt", 1); // test unescaped ) -> should find one
>+ checkEntries(bundle, "paren\\).txt", 1); // test escaped ) -> should find one
>+ checkEntries(bundle, "paren\\\\).txt", 0); // test escaped escape before unescaped ) -> should find none; looks for paren\).txt file
>+ checkEntries(bundle, "paren(", 1); // test unescaped trailing ( -> should find one
>+ checkEntries(bundle, "paren\\(", 1); // test escaped trailing ( -> should find one
>+ checkEntries(bundle, "paren\\\\(", 0); // test escaped escape before ( -> should find none; looks for paren\(
>+ checkEntries(bundle, "paren)", 1); // test unescaped trailing ( -> should find one
>+ checkEntries(bundle, "paren\\)", 1); // test escaped trailing ( -> should find one
>+ checkEntries(bundle, "paren\\\\)", 0); // test escaped escape before ) -> should find none; looks for paren\)
>+ checkEntries(bundle, "paren*", 4); // test trailing wild cards
>+ checkEntries(bundle, "paren*.txt", 2); // test middle wild cards
>+ checkEntries(bundle, "paren\\*", 0); // test escaped wild card -> should find none; looks for paren*
>+ checkEntries(bundle, "paren\\\\*", 0); // test escaped escape before wild card -> should find none; looks for paren\*
>+ checkEntries(bundle, "p*r*n*", 4); // test multiple wild cards
>+ checkEntries(bundle, "p*r*n*.txt", 2); // test multiple wild cards
>+ checkEntries(bundle, "*)*", 2);
>+ checkEntries(bundle, "*(*", 2);
>+ checkEntries(bundle, "*\\)*", 2);
>+ checkEntries(bundle, "*\\(*", 2);
>+ }
>+
>+ private void checkEntries(Bundle bundle, String filePattern, int expectedNumber) {
>+ Enumeration entries = bundle.findEntries("folder", filePattern, false);
>+ if (expectedNumber == 0) {
>+ assertNull("Expected nothing here.", entries);
>+ return;
>+ }
>+ int i = 0;
>+ while (entries.hasMoreElements()) {
>+ entries.nextElement();
>+ i++;
>+ }
>+ assertEquals("Unexpected number of entries", expectedNumber, i);
>+ }
>+}
>Index: src/org/eclipse/osgi/tests/bundles/BundleTests.java
>===================================================================
>RCS file: /cvsroot/rt/org.eclipse.equinox/framework/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleTests.java,v
>retrieving revision 1.11
>diff -u -r1.11 BundleTests.java
>--- src/org/eclipse/osgi/tests/bundles/BundleTests.java 2 Apr 2009 17:05:08 -0000 1.11
>+++ src/org/eclipse/osgi/tests/bundles/BundleTests.java 1 Nov 2010 15:13:55 -0000
>@@ -16,6 +16,7 @@
> public class BundleTests {
> public static Test suite() {
> TestSuite suite = new TestSuite(BundleTests.class.getName());
>+ suite.addTest(BundleResourceTests.suite());
> suite.addTest(BundleInstallUpdateTests.suite());
> suite.addTest(SystemBundleTests.suite());
> suite.addTest(BundleExceptionTests.suite());
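Review bot: The new test method is named `testBug328795`, but this attachment belongs to bug 328975, so the digits are transposed and anyone searching the suite for the regression test will miss it; the line should read `public void testBug328975() throws BundleException {`. Two of the trailing-paren comments are copy-paste leftovers as well: the `"paren)"` and `"paren\\)"` checks say "trailing (" while they exercise ')', and the last four `"*)*"`-style checks carry no comment at all, unlike every other case. Since this method is the only executable record of which inputs the sanitizer must accept or reject, the comments are worth getting right.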