The following URL displays the source code of the file, which my customer reported as a vulnerability:

https://xxxxx:16311/ibm/help/ver362.3/advanced/tocView.JSP

It is happening only on the Windows operating system. It seems to be happening only with the uppercase "JSP" extension. Could you please have a look into this and update us ASAP.
It has been more than 2 weeks with no response to my query. Could you please suggest on this? My customer is about to escalate this issue.

Thanks & Regards,
N Kishore Kumar,
IBM, Bangalore
*** Bug 526986 has been marked as a duplicate of this bug. ***
*** Bug 526987 has been marked as a duplicate of this bug. ***
Hi, I have created other defects on the same issue, since there is no response on this original defect. Could you please suggest on this issue? It is very critical; one of my customers is waiting for the solution.
Please provide detailed steps to reproduce the problem.
Hi, Not sure how to progress on this issue. I didn't receive any support from you; I have been waiting for the last month. It has become business critical now; my client is in a rush to have a fix for this. Could you please respond on this ASAP.
(In reply to Kishore Kumar from comment #6)
> Hi,
>
> Not sure how to progress on this issue, I didn't receive any support from
> you, I was waiting from last one month. It became business critical now, my
> client very rush to have a fix on this.
>
> Could you please respond on this ASAP.

Please read comment 5.
This might happen due to a wrong configuration of the Help server (just a guess).

Out of the box (e.g. with http://download.eclipse.org/eclipse/downloads/drops4/S-4.8M3a-201710300400/) I cannot reproduce the problem but I can reproduce launching a target workspace out of my IDE workspace.

Test Case (for Windows):
1. Start Eclipse (used 4.8 M3a) with a new workspace
2. Import 'org.eclipse.help.webapp' from the target or Git
3. Start a new Eclipse Application and in there:
4. In the Help preferences choose the external browser to open help contents
5. Help > Help Contents
6. In the browser's location field replace "index.jsp" with "advanced/tocView.JSP" (note the uppercase file extension)

==> The JSP source will be displayed. This happens for all JSPs.

This happens with Firefox and IE.

If 'org.eclipse.help.webapp' is removed, the problem does not appear.
(In reply to Dani Megert from comment #8)
> This might happen due to a wrong configuration of the Help server (just a
> guess).
>
> Out of the box (e.g. with
> http://download.eclipse.org/eclipse/downloads/drops4/S-4.8M3a-201710300400/)
> I cannot reproduce the problem but I can reproduce launching a target
> workspace out of my IDE workspace.
>
> Test Case (for Windows):
> 1. Start Eclipse (used 4.8 M3a) with a new workspace
> 2. Import 'org.eclipse.help.webapp' from the target or Git
> 3. Start a new Eclipse Application and in there:
> 4. In the Help preferences choose the external browser to open help
> contents
> 5. Help > Help Contents
> 6. In the browser's location field replace "index.jsp" with
> "advanced/tocView.JSP" (note the uppercase file extension)
>
> ==> The JSP source will be displayed. This happens for all JSPs.
>
> This happens with Firefox and IE.
>
>
> If 'org.eclipse.help.webapp' is removed, the problem does not appear.

From my preliminary investigation, I have seen that the difference between using the jar file and the imported jar plugin is that, in the class org.eclipse.osgi.storage.Storage, the bundle file (org.eclipse.osgi.storage.bundlefile.BundleFile) used is different in both the cases:

1) For the jar file, the bundle file is org.eclipse.osgi.storage.bundlefile.ZipBundleFile, which does a case sensitive search for the file using java.util.zip.ZipFile and therefore does not find the file "advanced/tocView.JSP"
2) For the imported plugin directory, the bundle file used is org.eclipse.osgi.storage.bundlefile.DirBundleFile, which uses java File.exists() which is case insensitive and therefore finds the file "advanced/tocView.JSP"
New Gerrit change created: https://git.eclipse.org/r/113164
Here is the current behavior of Help webapp.

There are two extension points that act on the content of the 'advanced' folder:
1) A servlet extension point which handles '/advanced/*.jsp' files.
2) A resource extension point which handles '/advanced' folder -> that is all files in the advanced folder.

a) Now a search for '/advanced/tocView.jsp' matches the 1st extension point. So the servlet is processed and served correctly.

b) A search for '/advanced/tocView.JSP' does not match the 1st extension point, but matches the second extension point. Now a search is made for a resource named 'tocView.JSP' in the advanced folder.
   i) If the jar file was being used, as stated before, the search is case sensitive and therefore no file is found.
   ii) If the plugin is used, the search is case insensitive and the file is found and as a resource, the content of the file is sent.

c) A search for '/advanced/indexView.js' does not match the 1st extension point, but matches the second extension point. Now a search is made for a resource named 'indexView.js' in the advanced folder. In both the cases, either using a plugin or a jar, the file is found and as a resource the content of the file is sent.
The Gerrit change: https://git.eclipse.org/r/113164 handles this case as described below.

In the patch provided:
The Resource extension point for advanced folder has been modified to advanced/images folder.
Servlet extensions for
1) advanced/*.js
2) advanced/*.css
3) advanced/*.html
have been created and a new class 'FilterCallsServlet' is created to handle these requests.
The filter is based on whether the HttpServletRequest has a referrer and coming from within the help path.
The remaining code which handles the reading the resource content is taken from org.eclipse.equinox.http.servlet.internal.servlet.ResourceServlet

This fixes
1) calls to advanced/*.JSP does not match any of the extensions, so the resource is not found
2) calls to advanced/*.js matches the new extension which is filtered by FilterCallsServlet and allows only those calls called from within help and not the direct calls.

@tjwatson Does equinox provide a way to handle non jsp files?
If so then we could use that instead of replicating Equinox code here.
(In reply to Kalyan Prasad Tatavarthi from comment #11)
> c) A search for '/advanced/indexView.js' does not match the 1st
> extensionpoint, but matches the second extension point.
> Now a search is made for a resource named 'indexView.js' in the advanced
> folder.
> in both the cases either using a plugin or a jar, the file is found and as
> a resource the content of the file is sent.

Is this also considered an issue? I don't think the serving up of the *.js resources can be considered an Equinox issue. It is doing exactly what the extensions told it to do in this case.
(In reply to Kalyan Prasad Tatavarthi from comment #12)
> @tjwatson Does equinox provide a way to handle non jsp files?
> If so then we could use that instead of replicating Equinox code here.

See bug 395274. If you have this kind of setup with an exploded app jar then you will need to set the following config property to ensure string checking of the resource name case for DirBundleFile

osgi.strictBundleEntryPath=true
(In reply to Thomas Watson from comment #14)
> (In reply to Kalyan Prasad Tatavarthi from comment #12)
> > @tjwatson Does equinox provide a way to handle non jsp files?
> > If so then we could use that instead of replicating Equinox code here.
>
> See bug 395274. If you have this kind of setup with an exploded app jar
> then you will need to set the following config property to ensure string
> checking of the resource name case for DirBundleFile
>
> osgi.strictBundleEntryPath=true

Set this property in the configuration/config.ini file or you can set it as a -D option in the eclipse.ini file as a separate line after the -vmargs line:

-Dosgi.strictBundleEntryPath=true
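The request routing and the two bundle lookups described in comments 9, 11 and 14, modelled as an added example (not code from Eclipse or Equinox, and not part of any comment). The case-insensitive file system is simulated, and the function names and entry bodies are constructed for illustration.

```python
import fnmatch
from functools import partial

# Constructed stand-in for the bundle: entry names as stored, bodies are placeholders.
ENTRIES = {
    "advanced/tocView.jsp": "<%-- JSP source --%>",
    "advanced/indexView.js": "/* script */",
}
SERVLET_PATTERNS = ["/advanced/*.jsp"]   # servlet extension point (comment 11, item 1)
RESOURCE_ALIASES = ["/advanced"]         # resource extension point (comment 11, item 2)


def zip_lookup(name):
    """Jar case: exact, case-sensitive entry match, as with java.util.zip.ZipFile."""
    return ENTRIES.get(name)


def dir_lookup(name, strict=False):
    """Exploded-directory case on a case-insensitive file system (simulated).

    strict=True models the effect of osgi.strictBundleEntryPath=true: the name
    found on disk must equal the requested name character for character.
    """
    for stored, body in ENTRIES.items():
        if stored.casefold() == name.casefold():
            if strict and stored != name:
                return None
            return body
    return None


def dispatch(path, lookup):
    """Route a request the way comment 11 describes and report the outcome."""
    if any(fnmatch.fnmatchcase(path, p) for p in SERVLET_PATTERNS):
        return "executed"            # handled by the JSP servlet, output is rendered
    for alias in RESOURCE_ALIASES:
        if path.startswith(alias + "/"):
            found = lookup(path.lstrip("/")) is not None
            return "raw" if found else "404"   # "raw" = file content sent as-is
    return "404"


def leaking_variants(lookup):
    """Case variants of servlet-mapped entries that come back as raw source."""
    leaks = []
    for stored in ENTRIES:
        path = "/" + stored
        if dispatch(path, lookup) != "executed":
            continue                 # only entries that are meant to be executed
        stem, ext = path.rsplit(".", 1)
        for variant in (ext.upper(), ext.capitalize()):
            candidate = f"{stem}.{variant}"
            if dispatch(candidate, lookup) == "raw":
                leaks.append(candidate)
    return leaks


if __name__ == "__main__":
    for label, lookup in [("jar", zip_lookup),
                          ("dir", dir_lookup),
                          ("dir+strict", partial(dir_lookup, strict=True))]:
        print(label, dispatch("/advanced/tocView.JSP", lookup), leaking_variants(lookup))
```

In this model the strict lookup still serves '/advanced/indexView.js' as a raw resource, which is case c) of comment 11.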
(In reply to Thomas Watson from comment #15)
> (In reply to Thomas Watson from comment #14)
> > (In reply to Kalyan Prasad Tatavarthi from comment #12)
> > > @tjwatson Does equinox provide a way to handle non jsp files?
> > > If so then we could use that instead of replicating Equinox code here.
> >
> > See bug 395274. If you have this kind of setup with an exploded app jar
> > then you will need to set the following config property to ensure string
> > checking of the resource name case for DirBundleFile
> >
> > osgi.strictBundleEntryPath=true
>
> Set this property in the configuration/config.ini file or you can set it as
> a -D option in the eclipse.ini file as a separate line after the -vmargs
> line:
>
> -Dosgi.strictBundleEntryPath=true

Sravan, can you add that please.

What about the *.js where the source is shown? What should be added to plugin.xml?
(In reply to Thomas Watson from comment #15)
> (In reply to Thomas Watson from comment #14)
> > (In reply to Kalyan Prasad Tatavarthi from comment #12)
> > > @tjwatson Does equinox provide a way to handle non jsp files?
> > > If so then we could use that instead of replicating Equinox code here.
> >
> > See bug 395274. If you have this kind of setup with an exploded app jar
> > then you will need to set the following config property to ensure string
> > checking of the resource name case for DirBundleFile
> >
> > osgi.strictBundleEntryPath=true
>
> Set this property in the configuration/config.ini file or you can set it as
> a -D option in the eclipse.ini file as a separate line after the -vmargs
> line:
>
> -Dosgi.strictBundleEntryPath=true

I have tried both the options. In the Eclipse install directory:

1) add the line
osgi.strictBundleEntryPath=true
in a new line in the file configuration/config.ini

(or)

2) add the -option
-Dosgi.strictBundleEntryPath=true
in the file eclipse.ini in a new line after -vmargs

And using any of these options fixes this issue. Thanks Thomas.
(In reply to Thomas Watson from comment #13)
> (In reply to Kalyan Prasad Tatavarthi from comment #11)
> > c) A search for '/advanced/indexView.js' does not match the 1st
> > extensionpoint, but matches the second extension point.
> > Now a search is made for a resource named 'indexView.js' in the advanced
> > folder.
> > in both the cases either using a plugin or a jar, the file is found and as
> > a resource the content of the file is sent.
>
> Is this also considered an issue? I don't think the serving up of the *.js
> resources can be considered an Equinox issue. It is doing exactly what the
> extensions told it to do in this case.

This is considered an issue if a direct call to
http://127.0.0.1:PORTNUMBER/help/advanced/indexView.js

displays the file content.

The correct behavior would be that this call should be allowed from within help context but not directly. So is there a way by which equinox provides this facility?
(In reply to Kalyan Prasad Tatavarthi from comment #18)
> (In reply to Thomas Watson from comment #13)
> > (In reply to Kalyan Prasad Tatavarthi from comment #11)
> > > c) A search for '/advanced/indexView.js' does not match the 1st
> > > extensionpoint, but matches the second extension point.
> > > Now a search is made for a resource named 'indexView.js' in the advanced
> > > folder.
> > > in both the cases either using a plugin or a jar, the file is found and as
> > > a resource the content of the file is sent.
> >
> > Is this also considered an issue? I don't think the serving up of the *.js
> > resources can be considered an Equinox issue. It is doing exactly what the
> > extensions told it to do in this case.
>
> This is considered an issue if a direct call to
> http://127.0.0.1:PORTNUMBER/help/advanced/indexView.js
>
> displays the file content.
>
> The correct behavior would be that this call should be allowed from within
> help context but not directly. So is there a way by which equinox provides
> this facility?

If the resources are not meant to be accessed externally then why place them in a folder that is being used to serve resources externally? For resources you need to read internally why go through the http service layer at all? Why not just read the resource locally using things like getResource? There is nothing I'm aware of built into equinox to do what you are wanting.
Hi Kalyan,

I have tried the following suggestion:

add the line
osgi.strictBundleEntryPath=true
in a new line in the file configuration/config.ini

It does not seem to have fixed our issue. Could you please suggest further actions to us.

Thanks & Regards,
N Kishore Kumar,
IBM
(In reply to Kishore Kumar from comment #20)
> Hi Kalyan,
>
> I have tried the following suggestion,
>
> add the line
> osgi.strictBundleEntryPath=true
> in a new line in the file configuration/config.ini
>
> It seems to be not fixed our issue. Could you please suggest us on further
> actions.
>
> Thanks & Regards,
>
> N Kishore Kumar,
> IBM

As per the information provided in Comment 14 and Comment 15, the fix was provided as part of bug 395274. This fix was provided in Eclipse 4.3; you will need to use this version of Eclipse or newer versions of Eclipse to use this fix.
(In reply to Dani Megert from comment #16)
> (In reply to Thomas Watson from comment #15)
> > (In reply to Thomas Watson from comment #14)
> > > (In reply to Kalyan Prasad Tatavarthi from comment #12)
> > > > @tjwatson Does equinox provide a way to handle non jsp files?
> > > > If so then we could use that instead of replicating Equinox code here.
> > >
> > > See bug 395274. If you have this kind of setup with an exploded app jar
> > > then you will need to set the following config property to ensure string
> > > checking of the resource name case for DirBundleFile
> > >
> > > osgi.strictBundleEntryPath=true
> >
> > Set this property in the configuration/config.ini file or you can set it as
> > a -D option in the eclipse.ini file as a separate line after the -vmargs
> > line:
> >
> > -Dosgi.strictBundleEntryPath=true
>
> Sravan, can you add that please.
>
>
> What about the *.js where the source is shown? What should be add to
> plugin.xml?

We can add this to our ini file but I don't think that will help. The ini files are specific to products. We will be adding this to platform, sdk and equinox products, but this won't affect epp or IES products.
Hi Kalyan,

I have tried to upgrade eclipse to resolve this issue based on our discussion. But as per my understanding the eclipse help jar which we are using is the latest (org.eclipse.help.base_3.6.101.v201301310800.jar) and I am not able to move further on this issue, and it is becoming an aged PMR.

Could you please help us on this, until the issue gets resolved.

Thanks & Regards,
N Kishore Kumar,
IBM, Bangalore
(In reply to Kishore Kumar from comment #23)
> Hi Kalyan,
>
> I have tried to upgrade eclipse to resolve this issue based on our
> discussion. But as per my understand the eclipse help jar which we are using
> is latest (org.eclipse.help.base_3.6.101.v201301310800.jar ) and not able to
> move further on this issue and it is becoming aged PMR.
>
> Could you please help us on this, until the issue get resolve.

Did you try to add the mentioned settings to the product INI file?
(In reply to Kishore Kumar from comment #23)
> Hi Kalyan,
>
> I have tried to upgrade eclipse to resolve this issue based on our
> discussion. But as per my understand the eclipse help jar which we are using
> is latest (org.eclipse.help.base_3.6.101.v201301310800.jar ) and not able to
> move further on this issue and it is becoming aged PMR.
>
> Could you please help us on this, until the issue get resolve.
>
> Thanks & Regards,
>
> N Kishore Kumar,
> IBM, Bangalore

Hi Kishore,

The Eclipse help plugin versions for Eclipse 4.3 are

org.eclipse.help.base_4.0.0.v20130605-2000.jar
org.eclipse.help.ui_4.0.0.v20130515-1955.jar
org.eclipse.help.webapp_3.6.200.v20130514-1258.jar
org.eclipse.help_3.6.0.v20130326-1254.jar

The details are available at http://download.eclipse.org/eclipse/updates/4.3/R-4.3-201306052000/plugins/?d

Please use the correct Eclipse 4.3 help plugins.
(In reply to Dani Megert from comment #16)
> (In reply to Thomas Watson from comment #15)
> > (In reply to Thomas Watson from comment #14)
> > > (In reply to Kalyan Prasad Tatavarthi from comment #12)
> > > > @tjwatson Does equinox provide a way to handle non jsp files?
> > > > If so then we could use that instead of replicating Equinox code here.
> > >
> > > See bug 395274. If you have this kind of setup with an exploded app jar
> > > then you will need to set the following config property to ensure string
> > > checking of the resource name case for DirBundleFile
> > >
> > > osgi.strictBundleEntryPath=true
> >
> > Set this property in the configuration/config.ini file or you can set it as
> > a -D option in the eclipse.ini file as a separate line after the -vmargs
> > line:
> >
> > -Dosgi.strictBundleEntryPath=true
>
> Sravan, can you add that please.
>
>
> What about the *.js where the source is shown? What should be add to
> plugin.xml?

The *.js files are downloaded as references and it is normal to be able to see them. What we could do is to minify these *.js files and then use the minified *.js files, which would make reading of the *.js files difficult.
This has been marked committers-only for a long time. Has this been resolved? Is there any reason why we should not disclose this issue? Do you need a CVE? https://www.eclipse.org/projects/handbook/#vulnerability
Kalyan please summarize the current state of this bug.
Per the Eclipse Foundation's policy regarding the disclosure of vulnerabilities after 90 days, I've removed the committers-only flag.
(In reply to Dani Megert from comment #28)
> Kalyan please summarize the current state of this bug.

The fix for this bug was specified in
https://bugs.eclipse.org/bugs/show_bug.cgi?id=526392#c14
and
https://bugs.eclipse.org/bugs/show_bug.cgi?id=526392#c15

This provides a solution for this bug.

As specified in
https://bugs.eclipse.org/bugs/show_bug.cgi?id=526392#c26

The *.js files are downloaded as references and it is normal to be able to see them. What users could do is to minify these *.js files and then use the minified *.js files, which would make reading of the *.js files difficult.

There is nothing further to do in this bug and it can be closed.
(In reply to Sravan Kumar Lakkimsetti from comment #22)
> (In reply to Dani Megert from comment #16)
> > (In reply to Thomas Watson from comment #15)
> > > (In reply to Thomas Watson from comment #14)
> > > > (In reply to Kalyan Prasad Tatavarthi from comment #12)
> > > > > @tjwatson Does equinox provide a way to handle non jsp files?
> > > > > If so then we could use that instead of replicating Equinox code here.
> > > >
> > > > See bug 395274. If you have this kind of setup with an exploded app jar
> > > > then you will need to set the following config property to ensure string
> > > > checking of the resource name case for DirBundleFile
> > > >
> > > > osgi.strictBundleEntryPath=true
> > >
> > > Set this property in the configuration/config.ini file or you can set it as
> > > a -D option in the eclipse.ini file as a separate line after the -vmargs
> > > line:
> > >
> > > -Dosgi.strictBundleEntryPath=true
> >
> > Sravan, can you add that please.
> >
> >
> > What about the *.js where the source is shown? What should be add to
> > plugin.xml?
>
> We can add this to our ini file but I don't think that will help. The inin
> files are specific to products. We will be adding this to platform, sdk and
> equinox products. but the this won't affect epp or IES products

This argument has not been added to the eclipse.ini file yet.
(In reply to Kalyan Prasad Tatavarthi from comment #31)
> (In reply to Sravan Kumar Lakkimsetti from comment #22)
> > (In reply to Dani Megert from comment #16)
> > > (In reply to Thomas Watson from comment #15)
> > > > (In reply to Thomas Watson from comment #14)
> > > > > (In reply to Kalyan Prasad Tatavarthi from comment #12)
> > > > > > @tjwatson Does equinox provide a way to handle non jsp files?
> > > > > > If so then we could use that instead of replicating Equinox code here.
> > > > >
> > > > > See bug 395274. If you have this kind of setup with an exploded app jar
> > > > > then you will need to set the following config property to ensure string
> > > > > checking of the resource name case for DirBundleFile
> > > > >
> > > > > osgi.strictBundleEntryPath=true
> > > >
> > > > Set this property in the configuration/config.ini file or you can set it as
> > > > a -D option in the eclipse.ini file as a separate line after the -vmargs
> > > > line:
> > > >
> > > > -Dosgi.strictBundleEntryPath=true
> > >
> > > Sravan, can you add that please.
> > >
> > >
> > > What about the *.js where the source is shown? What should be add to
> > > plugin.xml?
> >
> > We can add this to our ini file but I don't think that will help. The inin
> > files are specific to products. We will be adding this to platform, sdk and
> > equinox products. but the this won't affect epp or IES products
>
> This argument has not been added to the eclipse.ini file yet.

This bug is not reproducible in the Eclipse 2020-03 (4.15) release.
(In reply to Kalyan Prasad Tatavarthi from comment #32)
> (In reply to Kalyan Prasad Tatavarthi from comment #31)
> > (In reply to Sravan Kumar Lakkimsetti from comment #22)
> > > (In reply to Dani Megert from comment #16)
> > > > (In reply to Thomas Watson from comment #15)
> > > > > (In reply to Thomas Watson from comment #14)
> > > > > > (In reply to Kalyan Prasad Tatavarthi from comment #12)
> > > > > > > @tjwatson Does equinox provide a way to handle non jsp files?
> > > > > > > If so then we could use that instead of replicating Equinox code here.
> > > > > >
> > > > > > See bug 395274. If you have this kind of setup with an exploded app jar
> > > > > > then you will need to set the following config property to ensure string
> > > > > > checking of the resource name case for DirBundleFile
> > > > > >
> > > > > > osgi.strictBundleEntryPath=true
> > > > >
> > > > > Set this property in the configuration/config.ini file or you can set it as
> > > > > a -D option in the eclipse.ini file as a separate line after the -vmargs
> > > > > line:
> > > > >
> > > > > -Dosgi.strictBundleEntryPath=true
> > > >
> > > > Sravan, can you add that please.
> > > >
> > > >
> > > > What about the *.js where the source is shown? What should be add to
> > > > plugin.xml?
> > >
> > > We can add this to our ini file but I don't think that will help. The inin
> > > files are specific to products. We will be adding this to platform, sdk and
> > > equinox products. but the this won't affect epp or IES products
> >
> > This argument has not been added to the eclipse.ini file yet.
>
> This bug is not reproducible in Eclipse 2020-03(4.15) release

As specified in Comment 8, the bug was not reproducible in 4.8 also.