Bug 114902 - [EditorMgmt] Security hazard with .bat/.exe/script files in Eclipse projects
Status: NEW
Alias: None
Product: Platform
Classification: Eclipse Project
Component: UI
Version: 3.2
Hardware: PC Windows 2000
Importance: P3 normal
Target Milestone: ---
Assignee: Platform UI Triaged
Reported: 2005-11-03 06:54 EST by Oyvind Harboe
Modified: 2019-09-06 16:07 EDT
Description Oyvind Harboe 2005-11-03 06:54:12 EST
Windows, in its wisdom, will have as a default action for e.g. ".bat" files to
execute them.

To reproduce:

1. commit a virus/worm to a CVS repository (having a .exe or .bat or script file
   extension). Sure, a "malicious CVS repository" is a bit contrived, but
   a machine infected by other means may cause someone to accidentally commit
   a virus. It is perfectly normal to commit .bat & .exe files to a CVS
   repository and such .exe & .bat files might become infected.

   It may be a stretch to mistrust files from a CVS server to
   the degree that one would mistrust files downloaded into a web-browser
   cache, but the risk is not vanishingly small.
2. check out a project from the CVS repository containing the virus/worm
3. At this point it is easy to accidentally execute the file, e.g:

   - Search for a term that appears in the virus/worm. Clicking next
     in the search view will execute the file.
   - Double click on a .bat file to edit it. If the system editor is
Comment 1 Michael Valenta 2005-11-03 08:59:26 EST
So, the problem is that windows will run a bat file without prompting the user 
to warn them that it may contain malicious code. In a way, this makes sense 
since windows doesn't know that the bat file came from another machine. You're 
suggesting that, because Eclipse knows the bat file came from CVS (or any 
repository for that matter), it should warn the user before using a system 
editor on the file. Moving to UI since they handle editor opening.
Comment 2 Oyvind Harboe 2005-11-03 09:20:05 EST
(In reply to comment #1)
> So, the problem is that windows will run a bat file without prompting the user 
> to warn them that it may contain malicious code. In a way, this makes sense 
> since windows doesn't know that the bat file came from another machine. You're 
> suggesting that, because Eclipse knows the bat file came from CVS (or any 
> repository for that matter), it should warn the user before using a system 
> editor on the file. Moving to UI since they handle editor opening.

I guess it is impossible for Eclipse to know which of the system editors
are unsafe, and therefore the system editor should never be opened "accidentally". 

E.g. clicking "Next" in the Search view should not invoke the system editor.
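
The policy argued for in the description and in Comment 2, as an added Java example (not part of the thread and not Eclipse code): navigation such as "Next" in the Search view never reaches the OS file handler, and a double click on a runnable file falls back to an internal text editor. The class, enum and method names are hypothetical, and using `PATHEXT` to approximate which extensions Windows runs on "open" is an assumption of this example.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical guard (names invented for this example, not Eclipse API).
public class SystemEditorGuard {
    enum Trigger { SEARCH_NAVIGATION, DOUBLE_CLICK, EXPLICIT_SYSTEM_EDITOR }
    enum Decision { INTERNAL_TEXT_EDITOR, CONFIRM_THEN_SYSTEM_EDITOR, SYSTEM_EDITOR }

    // Assumption: PATHEXT approximates the extensions Windows runs on "open".
    static final String FALLBACK = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH";

    static Set<String> runnableExtensions(String pathext) {
        String list = (pathext == null || pathext.isBlank()) ? FALLBACK : pathext;
        return Arrays.stream(list.split(";"))
                .map(e -> e.trim().toLowerCase(Locale.ROOT))
                .filter(e -> e.startsWith(".") && e.length() > 1)
                .collect(Collectors.toSet());
    }

    static String extensionOf(String fileName) {
        // Win32 ignores trailing dots and spaces, so "run.bat. " still runs as run.bat.
        String name = fileName.replaceAll("[. ]+$", "");
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot).toLowerCase(Locale.ROOT);
    }

    static Decision decide(String fileName, Trigger trigger, Set<String> runnable) {
        // Navigation (e.g. "Next" in the Search view) never reaches the OS handler.
        if (trigger == Trigger.SEARCH_NAVIGATION) return Decision.INTERNAL_TEXT_EDITOR;
        boolean runs = runnable.contains(extensionOf(fileName));
        if (!runs) return Decision.SYSTEM_EDITOR;
        // Runnable file: only an explicit request may reach the OS handler, after a prompt.
        return trigger == Trigger.EXPLICIT_SYSTEM_EDITOR
                ? Decision.CONFIRM_THEN_SYSTEM_EDITOR
                : Decision.INTERNAL_TEXT_EDITOR;
    }

    public static void main(String[] args) {
        Set<String> runnable = runnableExtensions(System.getenv("PATHEXT"));
        // Constructed sample file names.
        String[] files = { "build.BAT", "setup.exe. ", "notes.txt", "Makefile" };
        for (String f : files)
            for (Trigger t : Trigger.values())
                System.out.printf("%-12s %-22s -> %s%n", f, t, decide(f, t, runnable));
    }
}
```
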
Comment 3 Michael Van Meekeren 2006-04-21 13:19:28 EDT
Moving Doug's bugs
Comment 4 Susan McCourt 2009-07-09 19:08:21 EDT
As per http://wiki.eclipse.org/Platform_UI/Bug_Triage_Change_2009
Comment 5 Boris Bokowski 2009-11-17 13:00:13 EST
Remy is now responsible for watching the [EditorMgmt] component area.
Comment 6 Eclipse Webmaster 2019-09-06 16:07:41 EDT
This bug hasn't had any activity in quite some time. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet.

If you have further information on the current state of the bug, please add it. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.