Community
Participate
Working Groups
This is very similar to bug #317055. In the FramesetFiler.java servlet, we parse the url, modify it and return it to be used in the html (javascript). That url is vulnerable to a XSS attack in the javascript. We encoded the URL (req.getPathInfo()), but not the query param (req.getQueryString()). With url: /topic/somehtml.html?cp=0_4_4");alert(15)// The html will be if( self == top ){ var anchorParam = location.hash.length > 0 ? '\u0026anchor=' + location.hash.substr(1) : ''; window.location.replace( "../../../../index.jsp?topic=%2Fcom.faxserver.help%2Frefguide%2Fsite_configuration%2Fgeneral_settings_properties_ocr.html\u0026cp=0_4_4");alert(15);//" + anchorParam); } (Found in 3.8.2, but that code was not updated in the latest version) Working on a patch, but the change would be to the file: src/org/eclipse/help/internal/webapp/servlet/FramesetFilter.java and adding: query = URLEncoder.encode(query, "UTF-8"); //$NON-NLS-1$ at line 78, just above: url = url + UrlUtil.JavaScriptEncode("&") + query; //$NON-NLS-1$ Should this be committers-only ?
(In reply to Laurence Labonté from comment #0) > > Should this be committers-only ? You mean because the potential vulnerability? Would be better. Could you submit the change to Gerrit, please?
New Gerrit change created: https://git.eclipse.org/r/150514
Gerrit change https://git.eclipse.org/r/150514 was merged to [master]. Commit: http://git.eclipse.org/c/platform/eclipse.platform.ua.git/commit/?id=1118a515ccd3d23ab8a00cc6a28c78b056982827
Thanks Laurence!
