Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP2
eclipse
eclipse-CVE-2020-27225.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File eclipse-CVE-2020-27225.patch of Package eclipse
From 213812355860e3732e1b28e620df31db8ff160aa Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Mon, 15 Mar 2021 20:53:01 +0530 Subject: 569855: Fix for Eclipse live help. - Use tokens - Backport to R4_15_maintenance branch Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java =================================================================== --- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java +++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java @@ -59,6 +59,7 @@ public final class BaseHelpSystem { private IBrowser browser; private IBrowser internalBrowser; private HelpDisplay helpDisplay = null; + private String liveHelpToken = null; private BaseHelpSystem() { super(); @@ -350,4 +351,29 @@ public final class BaseHelpSystem { } } + /** + * Check supplied token against stored token. Clears the stored token if + * successful. + * + * @param helpSessionToken + * @return true if match successful + */ + public boolean matchOnceLiveHelpToken(String helpSessionToken) { + /* + * @FIXME - should we use a constant time comparison, and store/compare a + * cryptographic hash? + */ + if (liveHelpToken != null && liveHelpToken.equals(helpSessionToken)) { + // Enforce one-time use. + liveHelpToken = null; + return true; + } else { + return false; + } + } + + public void setLiveHelpToken(String helpSessionToken) { + liveHelpToken = helpSessionToken; + } + } Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java =================================================================== --- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java +++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java @@ -15,6 +15,8 @@ package org.eclipse.help.internal.base; import java.io.UnsupportedEncodingException; import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; +import java.util.UUID; import org.eclipse.core.runtime.CoreException; import org.eclipse.core.runtime.IConfigurationElement; @@ -196,6 +198,12 @@ public class HelpDisplay { String topic = helpURL.substring("topic=".length()); //$NON-NLS-1$ helpURL = getHelpDisplay().getHelpForTopic( topic, WebappManager.getHost(), WebappManager.getPort()); } + String basehelp = getBaseURL(); + if (BaseHelpSystem.getMode() != BaseHelpSystem.MODE_INFOCENTER && helpURL.startsWith(basehelp)) { + String sessid = UUID.randomUUID().toString(); + BaseHelpSystem.getInstance().setLiveHelpToken(sessid); + helpURL += (helpURL.indexOf('?') < 0 ? '?' : '&') + "token=" + sessid; //$NON-NLS-1$ + } BaseHelpSystem.getHelpBrowser(forceExternal) .displayURL(helpURL); Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp =================================================================== --- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp +++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp @@ -47,7 +47,15 @@ function liveActionInternal(topHelpWindo url=url.substring(0, i+1); var encodedArg=encodeURIComponent(argument); url=url+"livehelp/?pluginID="+pluginId+"&class="+className+"&arg="+encodedArg+"&nocaching="+Math.random(); - + <% + Object token = request.getSession().getAttribute("LSESSION"); //$NON-NLS-1$ + // Validate token to protect against XSS + if (token instanceof String && ((String)token).matches("[a-z0-9-]{36}")) {//$NON-NLS-1$) { + %> + url=url+"&token=<%=token%>"; + <% + } + %> // we need to find the toolbar frame. // to do: cleanup this, including the location of the hidden livehelp frame. var toolbarFrame = topHelpWindow.HelpFrame.ContentFrame.ContentToolbarFrame; Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp =================================================================== --- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp +++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp @@ -12,9 +12,11 @@ IBM Corporation - initial API and implementation --%> <%@ page import="org.eclipse.help.internal.webapp.data.*" errorPage="/advanced/err.jsp" contentType="text/html; charset=UTF-8"%> +<%@ page import="java.util.UUID" %> +<%@ page import="org.eclipse.help.internal.base.BaseHelpSystem" %> <% request.setCharacterEncoding("UTF-8"); - ServerState.webappStarted(application,request, response); + ServerState.webappStarted(application,request, response); // Read the scope parameter RequestScope.setScopeFromRequest(request, response); LayoutData data = new LayoutData(application,request, response); @@ -33,7 +35,22 @@ </body> </html> <% - }else { + } else { + // For live help + String token = request.getParameter("token"); //$NON-NLS-1$ + if (token != null && token.matches("[a-z0-9-]{36}")) { //$NON-NLS-1$ + if (BaseHelpSystem.getInstance().matchOnceLiveHelpToken(token)) { + // Only one session can grab this + if (request.getSession().getAttribute("XSESSION") == null) { //$NON-NLS-1$ + String token2 = UUID.randomUUID().toString(); + request.getSession().setAttribute("XSESSION", token2); //$NON-NLS-1$ + int port = request.getLocalPort(); + response.addHeader("Set-Cookie", "XSESSION-" + port + "=" + token2 + "; HttpOnly; SameSite=Strict"); //$NON-NLS-1 //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ + String token3 = UUID.randomUUID().toString(); + request.getSession().setAttribute("LSESSION", token3); //$NON-NLS-1$ + } + } + } request.getRequestDispatcher("/advanced/index.jsp" + data.getQuery()).forward(request, response); } %> Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java =================================================================== --- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java +++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java @@ -46,6 +46,11 @@ public class LayoutData extends RequestD // initialize the query string String qs = request.getQueryString(); + // Remove any live help token + if (qs != null) { + qs = qs.replaceFirst("^token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$ + qs = qs.replaceFirst("&token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$ + } if (qs != null && qs.length() > 0) query = "?" + qs; //$NON-NLS-1$ } Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java =================================================================== --- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java +++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java @@ -14,8 +14,8 @@ package org.eclipse.help.internal.webapp.servlet; import java.io.IOException; - import javax.servlet.ServletException; +import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -51,6 +51,45 @@ public class LiveHelpServlet extends Htt return; } req.setCharacterEncoding("UTF-8"); //$NON-NLS-1$ + String sessionid = req.getSession().getId(); + Cookie cookies[] = req.getCookies(); + boolean jsessOK = false; + boolean xsessOK = false; + boolean lsessOK = false; + // Unique session ID per help server + int port = req.getLocalPort(); + String xsessname = "XSESSION-" + port; //$NON-NLS-1$ + if (cookies != null) { + for (Cookie cookie : cookies) { + if (cookie.getName().equals("JSESSIONID")) {//$NON-NLS-1$ + if (sessionid.length() >= 30 && + cookie.getValue().startsWith(sessionid)) { + jsessOK = true; + } + } + if (cookie.getName().equals(xsessname)) { + if (cookie.getValue().equals(req.getSession().getAttribute("XSESSION"))) { //$NON-NLS-1$ + xsessOK = true; + } + } + } + } + String token = req.getParameter("token"); //$NON-NLS-1$ + if (token != null && token.equals(req.getSession().getAttribute("LSESSION"))) { //$NON-NLS-1$ + lsessOK = true; + } + if (!jsessOK) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "JSESSIONID"); //$NON-NLS-1$ + return; + } + if (!lsessOK) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "token"); //$NON-NLS-1$ + return; + } + if (!xsessOK) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, xsessname); + return; + } String pluginID = req.getParameter("pluginID"); //$NON-NLS-1$ if (pluginID == null) return; @@ -59,6 +98,11 @@ public class LiveHelpServlet extends Htt return; String arg = req.getParameter("arg"); //$NON-NLS-1$ BaseHelpSystem.runLiveHelp(pluginID, className, arg); + /* + * @FIXME Should runLiveHelp return an error if the plugin/class is wrong + * so a SC_BAD_REQUEST can be returned? Or does this reveal too much? + */ + resp.setStatus(HttpServletResponse.SC_ACCEPTED); } /** *
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
