| Field | Value |
|---|---|
| Summary | [Webapp][Security] Ability to read files not in bundles |
| Product | [Eclipse Project] Platform |
| Reporter | Chris Goldthorpe <cgold> |
| Component | User Assistance |
| Assignee | Chris Goldthorpe <cgold> |
| Status | VERIFIED FIXED |
| QA Contact | |
| Severity | normal |
| Priority | P3 |
| CC | benysh, ChrisAustin, john.arthorne, kleind, mukund, rahulk, raji, stephen.francisco, tcornell |
| Version | 3.4 |
| Keywords | security |
| Target Milestone | 3.6.1 |
| Flags | cgold: review? (ChrisAustin) |
| Hardware | PC |
| OS | Windows XP |
| Whiteboard | |
| Bug Depends on | |
| Bug Blocks | 320424 |
| Attachments | |
Description

Chris Goldthorpe 2010-07-21 15:58:57 EDT

Created attachment 174909 [details]
Patch

Patch to detect "..\" in the path. I need to verify that there are no other sequences such as ../ which cause problems.

Chris, can you review this patch?

(In reply to comment #2)
> Chris, can you review this patch?

Yes, I have reviewed it and it seems to prevent the vulnerability. I have also tried ../, C:\file.txt, .+.\, .''.\, . .\ and these did not work either. I can't think of any other tests off the top of my head.

Patch looks good to me too, Chris. Thanks for the quick turnaround!

Patch applied to HEAD

Patch applied to 3.6 maintenance stream, fixed. I will remove the security flag in a week or two to give time to update infocenters.

The patch has been applied to the 3.5 maintenance stream

This patch has been applied to the 3.4 maintenance stream

Verified in M20100901-0800

Removing security restriction for bugs that have been fixed in 3.6.2 or earlier.
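The bug's fix detects "..\" in the requested path, and the review comment lists the other separator and drive-letter variants that were tried against it. The following is an added example (not the Eclipse help-webapp patch from attachment 174909, and written in Python rather than the project's Java) of a defensive check that goes beyond a substring test: it decodes one layer of URL encoding, treats both separators alike, rejects absolute and drive-letter paths, and then verifies containment after normalisation. `BUNDLE_ROOT` is an assumed virtual root standing in for a bundle's resource tree; the sample requests are constructed, mirroring the strings in the review comment.

```python
from urllib.parse import unquote
import posixpath

# Added example, not the Eclipse help-webapp patch from attachment 174909.
# BUNDLE_ROOT is an assumed virtual root standing in for the bundle's resource tree.
BUNDLE_ROOT = "/bundle"


def is_inside_bundle(requested: str) -> bool:
    """Return True only if the requested help path stays within BUNDLE_ROOT."""
    # One layer of URL decoding, then treat backslash like a forward slash
    # (the bug report shows backslashes reaching the file system on Windows).
    path = unquote(requested).replace("\\", "/")
    if not path or path.startswith("/"):
        return False  # nothing to serve, or an absolute path
    if len(path) > 1 and path[1] == ":":
        return False  # Windows drive letter, e.g. C:\file.txt
    if any(seg == ".." for seg in path.split("/")):
        return False  # explicit parent-directory segment
    # Containment check: resolve against the virtual root and confirm the
    # normalised result is still under it; this is the test that does not
    # depend on enumerating traversal spellings by hand.
    resolved = posixpath.normpath(posixpath.join(BUNDLE_ROOT, path))
    return resolved == BUNDLE_ROOT or resolved.startswith(BUNDLE_ROOT + "/")


# Constructed inputs mirroring the strings tried in the review comment.
SAMPLE_REQUESTS = {
    "topic/index.html": True,
    "..\\hidden.txt": False,      # the sequence the original report is about
    "../hidden.txt": False,       # forward-slash variant
    "C:\\file.txt": False,        # drive-letter absolute path
    ".+.\\index.html": True,      # odd but harmless file names
    ".''.\\index.html": True,
    ". .\\index.html": True,
    "%2e%2e/hidden.txt": False,   # URL-encoded parent segment
    "docs/./guide.html": True,    # a single dot segment is harmless
}


def check_samples() -> dict:
    """Map each sample request to whether the validator's verdict matches expectation."""
    return {req: is_inside_bundle(req) == ok for req, ok in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for req, matched in check_samples().items():
        print(f"{'OK ' if matched else 'BAD'} {req!r}")
```

The caller must apply this check to the decoded request path before any file lookup; a check applied after the file has been opened does not help.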