Bug 114902

Summary: [EditorMgmt] Security hazard with .bat/.exe/script files in Eclipse projects
Product: [Eclipse Project] Platform
Reporter: Oyvind Harboe <oyvind.harboe>
Component: UI
Assignee: Platform UI Triaged <platform-ui-triaged>
Status: NEW ---
QA Contact:
Severity: normal
Priority: P3
CC: Michael.Valenta
Version: 3.2
Target Milestone: ---
Hardware: PC
OS: Windows 2000
Whiteboard:

Description Oyvind Harboe CLA 2005-11-03 06:54:12 EST
Windows, in its wisdom, will have as a default action for e.g. ".bat" files to
execute them.

To reproduce:

1. commit a virus/worm to a CVS repository (having a .exe or .bat or script file
   extension). Sure, a "malicious CVS repository" is a bit contrived, but
   a machine infected by other means may cause someone to accidentally commit
   a virus. It is perfectly normal to commit .bat & .exe files to a CVS
   repository and such .exe & .bat files might become infected.

   It may be a stretch to mistrust files from a CVS server to
   the degree that one would mistrust files downloaded into a web-browser
   cache, but the risk is not vanishingly small.
2. check out a project from the CVS repository containing the virus/worm
3. At this point it is easy to accidentally execute the file, e.g:

   - Search for a term that appears in the virus/worm. Clicking next
     in the search view will execute the file.
   - Double click on a .bat file to edit it. If the system editor is
Comment 1 Michael Valenta CLA 2005-11-03 08:59:26 EST
So, the problem is that windows will run a bat file without prompting the user 
to warn them that it may contain malicious code. In a way, this makes sense 
since windows doesn't know that the bat file came from another machine. You're 
suggesting that, because Eclipse knows the bat file came from CVS (or any 
repository for that matter), it should warn the user before using a system 
editor on the file. Moving to UI since they handle editor opening.
Comment 2 Oyvind Harboe CLA 2005-11-03 09:20:05 EST
(In reply to comment #1)
> So, the problem is that windows will run a bat file without prompting the user 
> to warn them that it may contain malicious code. In a way, this makes sense 
> since windows doesn't know that the bat file came from another machine. You're 
> suggesting that, because Eclipse knows the bat file came from CVS (or any 
> repository for that matter), it should warn the user before using a system 
> editor on the file. Moving to UI since they handle editor opening.

I guess it is impossible for Eclipse to know which of the system editors
are unsafe, and therefore the system editor should never be opened "accidentally". 

E.g. clicking "Next" in the Search view should not invoke the system editor.
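An illustration of the guard comment 2 asks for, added here as an example and not code from the Eclipse code base: before an implicit navigation action such as Search "Next" opens a file, ask the editor registry whether the default editor is the external system editor and, if so, open the internal text editor instead so the OS default action (which on Windows runs .bat/.exe files) is never triggered. The class and method names are assumptions; the Eclipse workbench APIs called are real.

```java
import org.eclipse.core.resources.IFile;
import org.eclipse.ui.IEditorDescriptor;
import org.eclipse.ui.IEditorPart;
import org.eclipse.ui.IEditorRegistry;
import org.eclipse.ui.IWorkbenchPage;
import org.eclipse.ui.PartInitException;
import org.eclipse.ui.PlatformUI;
import org.eclipse.ui.editors.text.EditorsUI;
import org.eclipse.ui.ide.IDE;

/**
 * Hypothetical helper (not part of Eclipse): never hand a file to the OS default
 * action from an implicit navigation step. Files that have no internal editor, or
 * whose default editor is the system (external) editor, are shown in the plain
 * text editor instead of being passed to the shell, which would execute a .bat/.exe.
 */
public final class SafeEditorOpener {

    private SafeEditorOpener() {
    }

    /**
     * Opens {@code file} for viewing without ever delegating to the system editor.
     * Returns the editor part that was opened so callers (e.g. a search result
     * navigation) can reveal the match inside it.
     */
    public static IEditorPart openWithoutShellExecute(IWorkbenchPage page, IFile file)
            throws PartInitException {
        IEditorRegistry registry = PlatformUI.getWorkbench().getEditorRegistry();
        IEditorDescriptor descriptor = registry.getDefaultEditor(file.getName());

        if (descriptor == null || descriptor.isOpenExternal()) {
            // No internal editor is registered, or the default is the external
            // system editor: opening it would run rather than display the file.
            return IDE.openEditor(page, file, EditorsUI.DEFAULT_TEXT_EDITOR_ID);
        }
        // An internal editor exists; opening it cannot execute the file's content.
        return IDE.openEditor(page, file, descriptor.getId());
    }
}
```

A user-initiated "Open With > System Editor" can still go through the normal path; the guard is only for actions where the user did not explicitly choose the external editor.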
Comment 3 Michael Van Meekeren CLA 2006-04-21 13:19:28 EDT
Moving Doug's bugs
Comment 4 Susan McCourt CLA 2009-07-09 19:08:21 EDT
As per http://wiki.eclipse.org/Platform_UI/Bug_Triage_Change_2009
Comment 5 Boris Bokowski CLA 2009-11-17 13:00:13 EST
Remy is now responsible for watching the [EditorMgmt] component area.
Comment 6 Eclipse Webmaster CLA 2019-09-06 16:07:41 EDT
This bug hasn't had any activity in quite some time. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet.

If you have further information on the current state of the bug, please add it. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.