Bug 320548

Summary: [Webapp][Security] Ability to read files not in bundles
Product: [Eclipse Project] Platform
Component: User Assistance
Reporter: Chris Goldthorpe <cgold>
Assignee: Chris Goldthorpe <cgold>
Status: VERIFIED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: benysh, ChrisAustin, john.arthorne, kleind, mukund, rahulk, raji, stephen.francisco, tcornell
Version: 3.4
Keywords: security
Target Milestone: 3.6.1
Flags: cgold: review? (ChrisAustin)
Hardware: PC
OS: Windows XP
Whiteboard:
Bug Depends on:
Bug Blocks: 320424
Attachments: Patch (Flags: none)

Description Chris Goldthorpe CLA 2010-07-21 15:58:57 EDT
+++ This bug was initially created as a clone of Bug #320424 +++
Bug 320424 contained two different issues and has been split into two clones to
cover each of the problems. 

This is the URL to reproduce on Windows; paste this URL into Firefox:
http://localhost:8081/help/topic/org.eclipse.ua.tests/..\..\..\..\drivez.log

The problem also shows up in IE, but you need to enter the URL like this:

http://localhost:59449/help/topic/com.ibm.collaboration.realtime.help/..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cboot.ini
Comment 1 Chris Goldthorpe CLA 2010-07-21 16:07:46 EDT
Created attachment 174909
Patch

Patch to detect "..\" in the path. I need to verify that there are no other sequences such as ../ which cause problems.
Comment 2 Chris Goldthorpe CLA 2010-07-23 12:28:29 EDT
Chris, can you review this patch?
Comment 3 Chris Austin CLA 2010-07-23 13:28:02 EDT
(In reply to comment #2)
> Chris, can you review this patch?

Yes, I have reviewed it and it seems to prevent the vulnerability.  I have also tried ../, C:\file.txt, .+.\, .''.\, . .\ and these did not work either.  I can't think of any other tests off the top of my head.
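
A separator-agnostic form of the check discussed in comments 1 and 3, as an added example that is not the attached patch and not Eclipse code. It assumes the path after /help/topic/ has already been percent-decoded once (so `..%5C` arrives as `..\`); the class and method names are hypothetical.

```java
/** Added example (hypothetical class, not Eclipse code). */
public class TopicPathCheck {

    /**
     * True only if the already percent-decoded path has no segment that can
     * leave the plug-in it names. Forward slash and backslash both count as
     * separators, whatever the host OS.
     */
    static boolean isSafeTopicPath(String decodedPath) {
        if (decodedPath == null || decodedPath.isEmpty()) {
            return false;
        }
        // Control characters (NUL, CR, LF, ...) never belong in a topic path.
        if (decodedPath.chars().anyMatch(c -> c < 0x20)) {
            return false;
        }
        // limit -1 keeps trailing empty strings, so "a/b/" yields a, b, "".
        String[] segments = decodedPath.replace('\\', '/').split("/", -1);
        for (String segment : segments) {
            // ':' marks a drive letter ("C:") or NTFS stream syntax.
            if (segment.indexOf(':') >= 0) {
                return false;
            }
            // Rejects "", ".", ".." and any mix of dots and spaces: Win32
            // drops trailing dots and spaces from a name, so such a segment
            // is never an ordinary file name.
            if (segment.matches("[. ]*")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed inputs. The first is an ordinary topic path with a
        // made-up file name; the rest follow the forms quoted in this bug.
        String[] samples = {
            "org.eclipse.ua.tests/data/index.html",
            "org.eclipse.ua.tests/..\\..\\..\\..\\drivez.log",
            "org.eclipse.ua.tests/../",
            "C:\\file.txt",
            "org.eclipse.ua.tests/. .\\drivez.log"
        };
        for (String s : samples) {
            System.out.println((isSafeTopicPath(s) ? "allow   " : "reject  ") + s);
        }
    }
}
```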
Comment 4 rahulk CLA 2010-07-23 13:34:46 EDT
Patch looks good to me too Chris. Thanks for the quick turnaround!
Comment 5 Chris Goldthorpe CLA 2010-07-26 13:07:24 EDT
Patch applied to HEAD
Comment 6 Chris Goldthorpe CLA 2010-07-26 13:24:10 EDT
Patch applied to 3.6 maintenance stream, fixed. I will remove the security flag in a week or two to give time to update infocenters.
Comment 7 Chris Goldthorpe CLA 2010-08-18 19:11:37 EDT
The patch has been applied to the 3.5 maintenance stream
Comment 8 Chris Goldthorpe CLA 2010-08-19 00:42:42 EDT
This patch has been applied to the 3.4 maintenance stream
Comment 9 Chris Goldthorpe CLA 2010-09-01 18:18:53 EDT
Verified in M20100901-0800
Comment 10 John Arthorne CLA 2011-06-10 14:21:58 EDT
Removing security restriction for bugs that have been fixed in 3.6.2 or earlier.