Bug 390491 - [Webapp] Possible security issue with JSP code exposure.
Summary: [Webapp] Possible security issue with JSP code exposure.
Status: RESOLVED FIXED
Alias: None
Product: Equinox
Classification: Eclipse Project
Component: Server-Side
Version: 3.4.2
Hardware: All / OS: All
Importance: P3 major
Target Milestone: 3.4.2+
Assignee: Thomas Watson CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on: 329193
Blocks: 378979
Reported: 2012-09-26 17:17 EDT by Thomas Watson CLA
Modified: 2012-09-27 10:25 EDT
CC List: 11 users

See Also:


Attachments
3.4.2+ backport (4.94 KB, patch)
2012-09-26 17:33 EDT, Thomas Watson CLA

Description Thomas Watson CLA 2012-09-26 17:17:10 EDT
Need to backport this to 3.4.2+

+++ This bug was initially created as a clone of Bug #329193 +++

This is probably an upstream issue, but I will raise it here as it is reproducible in the IDE.

If a ( or \ character is appended to a URL to the help system, then the source of the JSP page is rendered instead of the page itself.

For the IDE, this is not a big issue (the code is open source anyway), but if the issue is in the HttpServer or Jetty itself, then this is a significant security issue.

We have checked Jetty 6.1.23, 6.1.26 and jetty-7 out of the box, and none of them are vulnerable to this issue. So it is something about the configuration of Jetty in the Eclipse IDE, the HttpService, or the JSP library used.

So I've opened this issue here in the expectation that we can work upstream to identify which component/configuration is the cause.

I will continue to evaluate Jetty's handling of such requests and work out what mechanism is catching these URLs, and thus what could potentially be disabled in the IDE or RT.

---------------------------

See bug 328795 comment 19.

It looks like both the following methods need to sanitize input to escape '*':

org.eclipse.equinox.http.registry.internal.DefaultRegistryHttpContext.ResourceMapping.getResource(String)

org.eclipse.equinox.jsp.jasper.JspServlet.ServletContextAdaptor.getResource(String)
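The symptom described above, as an added example that is not part of the bug report, the Equinox code or the attached patch: a small Python probe that appends the trailing characters named in the report to a JSP URL and classifies each response as rendered output or raw JSP source. The extra `*` suffix (probed on the assumption that the wildcard the fix escapes behaves the same way), the `fetch(url) -> str` callback signature, and the two fake responders at the bottom are assumptions made for this example; nothing here reproduces the actual Equinox resource lookup.

```python
"""Added example, not Equinox code: probe a JSP URL for the source-disclosure
symptom reported in this bug (a trailing '(' or '\\' makes the server return
the JSP source instead of the page it renders)."""
import re
from urllib.parse import urlsplit, urlunsplit

# Trailing characters to try. '(' and '\\' are the ones the report names;
# '*' is an assumption: the wildcard the proposed fix escapes is probed the
# same way in case it is handled by the same code path.
TRAILING_CHARS = ("(", "\\", "*")

# Markup that appears in raw JSP source but never survives into rendered
# output: a directive (<%@), expression (<%=), declaration (<%!),
# server-side comment (<%--) or scriptlet (<% followed by whitespace).
JSP_SOURCE_RE = re.compile(r"<%(?:[@=!]|--|\s)")

NOT_FOUND = "<html><body>404 Not Found</body></html>\n"


def looks_like_jsp_source(body: str) -> bool:
    """True if the response body contains unprocessed JSP markup."""
    return JSP_SOURCE_RE.search(body) is not None


def probe_urls(url: str) -> list:
    """Return the request variants: the path with each trailing char appended.

    Only the path component is changed, so a query string stays where it is and
    the appended character goes out raw, as the report describes.
    """
    parts = urlsplit(url)
    return [urlunsplit(parts._replace(path=parts.path + ch)) for ch in TRAILING_CHARS]


def find_disclosures(url: str, fetch) -> list:
    """Return the variant URLs whose response looks like JSP source.

    `fetch(url) -> str` is supplied by the caller (assumed interface; wrap
    urllib or requests in real use). If the unmodified URL already comes back
    as source, the server is broken outright and the suffix trick tells us
    nothing, so an empty list is returned.
    """
    if looks_like_jsp_source(fetch(url)):
        return []
    return [u for u in probe_urls(url) if looks_like_jsp_source(fetch(u))]


# --- Constructed offline stand-ins for a server; not real Eclipse behaviour ---
FAKE_JSP_SOURCE = '<%@ page contentType="text/html" %>\n<html><body><%= "hi" %></body></html>\n'
FAKE_RENDERED = "<html><body>hi</body></html>\n"


def fake_vulnerable_fetch(url: str) -> str:
    """Models the reported symptom: the exact .jsp path is executed, while the
    same path with one trailing probe character still resolves to the file
    but is served as a plain resource, i.e. as source."""
    path = urlsplit(url).path
    if path.endswith(".jsp"):
        return FAKE_RENDERED
    if path[:-1].endswith(".jsp") and path[-1] in TRAILING_CHARS:
        return FAKE_JSP_SOURCE
    return NOT_FOUND


def fake_fixed_fetch(url: str) -> str:
    """Models a server that refuses to resolve the mangled path at all."""
    path = urlsplit(url).path
    return FAKE_RENDERED if path.endswith(".jsp") else NOT_FOUND


if __name__ == "__main__":
    target = "http://localhost:8080/help/index.jsp"  # placeholder target
    for u in find_disclosures(target, fake_vulnerable_fetch):
        print("source disclosed:", u)
    print("fixed server reports:", find_disclosures(target, fake_fixed_fetch))
```

Run against a real help server, `fetch` should return the decoded response body for a GET of the given URL without following redirects, so that a redirect to an error page is not mistaken for a clean result; the classifier deliberately keys on JSP markup rather than on status codes because the reported behaviour is a 200 with the wrong body.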
Comment 1 Thomas Watson CLA 2012-09-26 17:33:29 EDT
Created attachment 221531
3.4.2+ backport
Comment 2 Thomas Watson CLA 2012-09-26 17:39:03 EDT
Patch released to R3_4_maintenance branch.
Comment 3 Thomas Watson CLA 2012-09-27 10:25:12 EDT
(In reply to comment #2)
> Patch released to R3_4_maintenance branch.

Note that I also released this patch to R3_5_maintenance branch for any 3.5.2+ builds.