Bug 378977

Summary: [Webapp] Possible security issue with JSP code exposure. - backport to 3.5.2+
Product: [Eclipse Project] Equinox Reporter: Steve Francisco <stephen.francisco>
Component: FrameworkAssignee: Thomas Watson <tjwatson>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: P3 CC: cgold, daniel_megert, gregw, jeffmcaffer, john.arthorne, Mike_Wilson, remy.suen, simon_kaegi, tjwatson, wayne.beaton, webmaster
Version: 3.5.2Keywords: security
Target Milestone: 3.5.2+   
Hardware: PC   
OS: Linux   
Whiteboard:
Bug Depends on: 328795, 328975, 329193, 378979    
Bug Blocks: 375751    
Attachments:
Description Flags
backport to 3.5.2+ none

Description Steve Francisco CLA 2012-05-09 09:16:09 EDT 
+++ This bug was initially created as a clone of Bug #328975 +++

This is probably an upstream issue, but I will raise it here as it is reproducible in the IDE.

If a ( or \ character is appended to a URL to the help system, then the source of the JSP page is rendered instead of the page itself.

For the IDE, this is not a big issue (the code is opensource anyway), but if the issue is in the HttpServer or Jetty itself, then this is a significant security issue.

We have check jetty 6.1.23, 6.1.26 and jetty-7 out of the box, and none of them are vulnerable to this issue.   So it is something about the configuration of Jetty in eclipse IDE, the HttpService, or the JSP library used.

So I've opened this issue here in the expectation that we can work upstream to identify which component/configuration is the cause.

I will continue to evaluation jetty's handling of such requests and work out what mechanism is catching these URLs and thus work out what could be potentially be disabled in the IDE or RT.
Comment 1 Thomas Watson CLA 2012-05-09 12:18:45 EDT 
Created attachment 215337 [details]
backport to 3.5.2+
Comment 2 Thomas Watson CLA 2012-05-09 12:26:44 EDT 
Released to R3_5_maintenance branch and map files updated with tag R35x_v20120509

The following bundles changed:

org.eclipse.osgi
org.eclipse.osgi.tests