Summary: | [Webapp][Security] URLEncode url requests from local users | ||||||
---|---|---|---|---|---|---|---|
Product: | [Eclipse Project] Platform | Reporter: | Rich Watts <rwatts> | ||||
Component: | User Assistance | Assignee: | platform-ua-inbox <platform-ua-inbox> | ||||
Status: | VERIFIED FIXED | QA Contact: | |||||
Severity: | critical | ||||||
Priority: | P3 | CC: | cgold, denis.roy, john.arthorne, kleind, rahulk, stephen.francisco, tcornell | ||||
Version: | 3.6 | Keywords: | security | ||||
Target Milestone: | 3.6.1 | ||||||
Hardware: | PC | ||||||
OS: | Windows XP | ||||||
Whiteboard: | |||||||
Attachments: |
|
Description
Rich Watts
2010-06-16 11:04:16 EDT
Created attachment 172044 [details]
FramesetFilter Patch with suggested urlencode
Here is a suggested patch based on the recommended remediation approach for this kind of exploit.
> Steps to Reproduce:
> This can be reproduced on machines running Firefox (any version) and Internet
> Explorer 6 & 7 (IE 8 s
IE 8 Specifically blocks client side javascript in the urls.
Patch applied to HEAD. Patch applied to 3.6 maintenance stream, fixed for Eclipse 3.6.1 The patch has also been applied to the 3.5 maintenance stream. The patch has also been applied to the 3.4 maintenance stream. Verified in M20100901-0800 This bug is currently marked as a private bug for security purposes. Since the bug is fixed, should it not be open? At the architectural council meeting last week I raised the issue of removing the security lock from bug reports which have been fixed - the conclusion was that we should keep these locked. Removing security restriction for bugs that have been fixed in 3.6.2 or earlier. |