Bug 317055

Summary: [Webapp][Security] URLEncode url requests from local users
Product: [Eclipse Project] Platform
Reporter: Rich Watts <rwatts>
Component: User Assistance
Assignee: platform-ua-inbox <platform-ua-inbox>
Status: VERIFIED FIXED
QA Contact:
Severity: critical
Priority: P3
CC: cgold, denis.roy, john.arthorne, kleind, rahulk, stephen.francisco, tcornell
Version: 3.6
Keywords: security
Target Milestone: 3.6.1
Hardware: PC
OS: Windows XP
Whiteboard:
Attachments: FramesetFilter Patch with suggested urlencode (flags: cgold: iplog+)

Description Rich Watts CLA 2010-06-16 11:04:16 EDT
Build Identifier: 3.6 RC 4

In the FramesetFilter.java servlet, there are places where invalid URLs can be passed to the server. This issue allows cross-site scripting to occur under the credentials of the application and not the user.

line 68
script.append(req.getPathInfo());

Example of exploit:

http://127.0.0.1:1084/help/topic/"+alert(document.cookie)+".html

The suggested fix is to url encode the url before appending it.

See Patch

Reproducible: Always

Steps to Reproduce:
This can be reproduced on machines running Firefox (any version) and Internet Explorer 6 & 7 (IE 8 s
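As an added illustration of the defect and of the patch's approach (this is not the Eclipse FramesetFilter source; the script text, the `/help/index.jsp?topic=` redirect target, the class name and the sample paths are assumed), the following Java shows the reported raw append beside its URL-encoded replacement and a check that the encoded form can no longer leave the string literal:

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

// Added illustration, not the Eclipse FramesetFilter source: a minimal stand-in
// for a filter that echoes the request path into an inline script, shown in the
// vulnerable form from the report and in the URL-encoded form the patch suggests.
public class FramesetScriptExample {

    private static final String PREFIX =
        "<script type=\"text/javascript\">if (self == top) { location.replace(\"/help/index.jsp?topic=";
    private static final String SUFFIX = "\"); }</script>";

    // Vulnerable: the raw path is dropped inside a JavaScript string literal, so a
    // '"' in the path closes the literal and whatever follows is parsed as code.
    static String buildUnsafe(String pathInfo) {
        StringBuilder script = new StringBuilder(PREFIX);
        script.append(pathInfo);   // the reported line: script.append(req.getPathInfo())
        return script.append(SUFFIX).toString();
    }

    // Hardened: URL-encode before appending. '"', '\'', '<' and '>' become %XX
    // escapes, so the value can only ever be string content, never code.
    static String buildSafe(String pathInfo) throws UnsupportedEncodingException {
        StringBuilder script = new StringBuilder(PREFIX);
        script.append(URLEncoder.encode(pathInfo, "UTF-8"));
        return script.append(SUFFIX).toString();
    }

    // Check used below: does the text between the fixed script markers contain any
    // delimiter that could terminate the string literal or the script element?
    static boolean canBreakOut(String html) {
        String embedded = html.substring(PREFIX.length(), html.length() - SUFFIX.length());
        return embedded.matches(".*[\"'<>].*");
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed path in the shape the report describes: a quote followed by
        // arbitrary text (a harmless marker here), then the expected .html suffix.
        String hostilePath = "/topic/\"+probe+\".html";
        String benignPath = "/topic/org.eclipse.platform.doc.user/gettingStarted.html";

        System.out.println("unsafe can break out: " + canBreakOut(buildUnsafe(hostilePath)));
        System.out.println("safe can break out:   " + canBreakOut(buildSafe(hostilePath)));
        System.out.println("benign path, encoded: " + buildSafe(benignPath));
        // Note: URLEncoder applies form encoding ('/' -> %2F, ' ' -> '+'), so whatever
        // consumes the topic parameter on the redirect must decode it again.
    }
}
```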
Comment 1 Rich Watts CLA 2010-06-16 11:09:43 EDT
Created attachment 172044 [details]
FramesetFilter Patch with suggested urlencode

Here is a suggested patch based on the recommended remediation approach for this kind of exploit.
Comment 2 Rich Watts CLA 2010-06-16 11:11:30 EDT
> Steps to Reproduce:
> This can be reproduced on machines running Firefox (any version) and Internet
> Explorer 6 & 7 (IE 8 s

IE 8 specifically blocks client-side JavaScript in the URLs.
Comment 3 Chris Goldthorpe CLA 2010-07-15 16:30:28 EDT
Patch applied to HEAD.
Comment 4 Chris Goldthorpe CLA 2010-07-15 16:38:02 EDT
Patch applied to 3.6 maintenance stream, fixed for Eclipse 3.6.1
Comment 5 Chris Goldthorpe CLA 2010-08-18 19:05:22 EDT
The patch has also been applied to the 3.5 maintenance stream.
Comment 6 Chris Goldthorpe CLA 2010-08-19 00:37:24 EDT
The patch has also been applied to the 3.4 maintenance stream.
Comment 7 Chris Goldthorpe CLA 2010-09-01 17:23:32 EDT
Verified in M20100901-0800
Comment 8 Denis Roy CLA 2011-02-09 13:34:57 EST
This bug is currently marked as a private bug for security purposes.  Since the bug is fixed, should it not be open?
Comment 9 Chris Goldthorpe CLA 2011-02-21 16:55:06 EST
At the architectural council meeting last week I raised the issue of removing the security lock from bug reports which have been fixed - the conclusion was that we should keep these locked.
Comment 10 John Arthorne CLA 2011-06-10 14:22:01 EDT
Removing security restriction for bugs that have been fixed in 3.6.2 or earlier.