diff --git a/CVE-2020-27225.patch b/CVE-2020-27225.patch
new file mode 100644
index 0000000000000000000000000000000000000000..39bda315432d59506eeab23270f0f5e41a31f296
--- /dev/null
+++ b/CVE-2020-27225.patch
@@ -0,0 +1,354 @@ +From 28aac2514656c669ffa16acb996c77def3d4a8d4 Mon Sep 17 00:00:00 2001 +From: Andrew Johnson +Date: Tue, 16 Feb 2021 21:40:49 +0000 +Subject: 569855: Fix for Eclipse live help. - Use tokens - Backport to + R4_11_maintenance branch + +Change-Id: I09cee753dc24d55a2704b80ae13d392d233aac0d +Task-Url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=569855 +Signed-off-by: Andrew Johnson (cherry picked from commit 90661664f30d4e1225e4a68b179c6ee110cd7f75) +Also-by: Niraj Modi +--- + org.eclipse.help.base/META-INF/MANIFEST.MF | 2 +- + org.eclipse.help.base/pom.xml | 2 +- + .../eclipse/help/internal/base/BaseHelpSystem.java | 29 ++++++++++++- + .../eclipse/help/internal/base/HelpDisplay.java | 10 ++++- + org.eclipse.help.webapp/META-INF/MANIFEST.MF | 2 +- + org.eclipse.help.webapp/advanced/livehelp_js.jsp | 12 +++++- + org.eclipse.help.webapp/index.jsp | 32 ++++++++++++--- + org.eclipse.help.webapp/pom.xml | 2 +- + .../help/internal/webapp/data/LayoutData.java | 7 +++- + .../internal/webapp/servlet/LiveHelpServlet.java | 48 +++++++++++++++++++++- + 10 files changed, 129 insertions(+), 17 deletions(-) + +diff --git a/org.eclipse.help.base/META-INF/MANIFEST.MF b/org.eclipse.help.base/META-INF/MANIFEST.MF +index 4ad860070..398a6829a 100644 +--- a/org.eclipse.help.base/META-INF/MANIFEST.MF ++++ b/org.eclipse.help.base/META-INF/MANIFEST.MF +@@ -2,7 +2,7 @@ Manifest-Version: 1.0 + Bundle-ManifestVersion: 2 + Bundle-Name: %help_base_plugin_name + Bundle-SymbolicName: org.eclipse.help.base; singleton:=true +-Bundle-Version: 4.2.500.qualifier ++Bundle-Version: 4.2.501.qualifier + Bundle-Activator: org.eclipse.help.internal.base.HelpBasePlugin + Bundle-Vendor: %providerName + Bundle-Localization: plugin +diff --git a/org.eclipse.help.base/pom.xml b/org.eclipse.help.base/pom.xml +index b90d899f6..36f5145e9 100644 +--- a/org.eclipse.help.base/pom.xml ++++ b/org.eclipse.help.base/pom.xml +@@ -18,7 +18,7 @@ + + org.eclipse.help + org.eclipse.help.base +- 4.2.500-SNAPSHOT 
++ 4.2.501-SNAPSHOT + eclipse-plugin + + true +diff --git a/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java b/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java +index 2ea5bf807..f9f09ae7a 100644 +--- a/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java ++++ b/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java +@@ -1,5 +1,5 @@ + /******************************************************************************* +- * Copyright (c) 2000, 2018 IBM Corporation and others. ++ * Copyright (c) 2000, 2021 IBM Corporation and others. + * + * This program and the accompanying materials + * are made available under the terms of the Eclipse Public License 2.0 +@@ -15,6 +15,7 @@ package org.eclipse.help.internal.base; + + import java.net.MalformedURLException; + import java.net.URL; ++ + import org.eclipse.core.runtime.CoreException; + import org.eclipse.core.runtime.IProduct; + import org.eclipse.core.runtime.IStatus; +@@ -59,6 +60,7 @@ public final class BaseHelpSystem { + private IBrowser browser; + private IBrowser internalBrowser; + private HelpDisplay helpDisplay = null; ++ private String liveHelpToken = null; + + private BaseHelpSystem() { + super(); +@@ -350,4 +352,29 @@ public final class BaseHelpSystem { + } + } + ++ /** ++ * Check supplied token against stored token. Clears the stored token if ++ * successful. ++ * ++ * @param helpSessionToken ++ * @return true if match successful ++ */ ++ public boolean matchOnceLiveHelpToken(String helpSessionToken) { ++ /* ++ * @FIXME - should we use a constant time comparison, and store/compare a ++ * cryptographic hash? ++ */ ++ if (liveHelpToken != null && liveHelpToken.equals(helpSessionToken)) { ++ // Enforce one-time use. 
++ liveHelpToken = null; ++ return true; ++ } else { ++ return false; ++ } ++ } ++ ++ public void setLiveHelpToken(String helpSessionToken) { ++ liveHelpToken = helpSessionToken; ++ } ++ + } +diff --git a/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java b/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java +index 28ebfd10d..33a0e08fd 100644 +--- a/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java ++++ b/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java +@@ -1,5 +1,5 @@ + /******************************************************************************* +- * Copyright (c) 2000, 2015 IBM Corporation and others. ++ * Copyright (c) 2000, 2021 IBM Corporation and others. + * + * This program and the accompanying materials + * are made available under the terms of the Eclipse Public License 2.0 +@@ -15,6 +15,8 @@ package org.eclipse.help.internal.base; + + import java.io.UnsupportedEncodingException; + import java.net.URLEncoder; ++import java.nio.charset.StandardCharsets; ++import java.util.UUID; + + import org.eclipse.core.runtime.CoreException; + import org.eclipse.core.runtime.IConfigurationElement; +@@ -196,6 +198,12 @@ public class HelpDisplay { + String topic = helpURL.substring("topic=".length()); //$NON-NLS-1$ + helpURL = getHelpDisplay().getHelpForTopic( topic, WebappManager.getHost(), WebappManager.getPort()); + } ++ String basehelp = getBaseURL(); ++ if (BaseHelpSystem.getMode() != BaseHelpSystem.MODE_INFOCENTER && helpURL.startsWith(basehelp)) { ++ String sessid = UUID.randomUUID().toString(); ++ BaseHelpSystem.getInstance().setLiveHelpToken(sessid); ++ helpURL += (helpURL.indexOf('?') < 0 ? '?' 
: '&') + "token=" + sessid; //$NON-NLS-1$ ++ } + + BaseHelpSystem.getHelpBrowser(forceExternal) + .displayURL(helpURL); +diff --git a/org.eclipse.help.webapp/META-INF/MANIFEST.MF b/org.eclipse.help.webapp/META-INF/MANIFEST.MF +index 0c85d674e..c943158a6 100644 +--- a/org.eclipse.help.webapp/META-INF/MANIFEST.MF ++++ b/org.eclipse.help.webapp/META-INF/MANIFEST.MF +@@ -2,7 +2,7 @@ Manifest-Version: 1.0 + Bundle-ManifestVersion: 2 + Bundle-Name: %help_webapp_plugin_name + Bundle-SymbolicName: org.eclipse.help.webapp;singleton:=true +-Bundle-Version: 3.9.400.qualifier ++Bundle-Version: 3.9.401.qualifier + Bundle-Activator: org.eclipse.help.internal.webapp.HelpWebappPlugin + Bundle-Vendor: %providerName + Bundle-Localization: plugin +diff --git a/org.eclipse.help.webapp/advanced/livehelp_js.jsp b/org.eclipse.help.webapp/advanced/livehelp_js.jsp +index 23362f89e..6d04945d6 100644 +--- a/org.eclipse.help.webapp/advanced/livehelp_js.jsp ++++ b/org.eclipse.help.webapp/advanced/livehelp_js.jsp +@@ -1,5 +1,5 @@ + <%-- +- Copyright (c) 2000, 2018 IBM Corporation and others. ++ Copyright (c) 2000, 2021 IBM Corporation and others. + + This program and the accompanying materials + are made available under the terms of the Eclipse Public License 2.0 +@@ -47,7 +47,15 @@ function liveActionInternal(topHelpWindow, pluginId, className, argument) + url=url.substring(0, i+1); + var encodedArg=encodeURIComponent(argument); + url=url+"livehelp/?pluginID="+pluginId+"&class="+className+"&arg="+encodedArg+"&nocaching="+Math.random(); +- ++ <% ++ Object token = request.getSession().getAttribute("LSESSION"); //$NON-NLS-1$ ++ // Validate token to protect against XSS ++ if (token instanceof String && ((String)token).matches("[a-z0-9-]{36}")) {//$NON-NLS-1$) { ++ %> ++ url=url+"&token=<%=token%>"; ++ <% ++ } ++ %> + // we need to find the toolbar frame. + // to do: cleanup this, including the location of the hidden livehelp frame. 
+ var toolbarFrame = topHelpWindow.HelpFrame.ContentFrame.ContentToolbarFrame; +diff --git a/org.eclipse.help.webapp/index.jsp b/org.eclipse.help.webapp/index.jsp +index 34d3e14ee..76b6564c1 100644 +--- a/org.eclipse.help.webapp/index.jsp ++++ b/org.eclipse.help.webapp/index.jsp +@@ -1,5 +1,5 @@ + <%-- +- Copyright (c) 2000, 2011 IBM Corporation and others. ++ Copyright (c) 2000, 2021 IBM Corporation and others. + + This program and the accompanying materials + are made available under the terms of the Eclipse Public License 2.0 +@@ -12,9 +12,11 @@ + IBM Corporation - initial API and implementation + --%> + <%@ page import="org.eclipse.help.internal.webapp.data.*" errorPage="/advanced/err.jsp" contentType="text/html; charset=UTF-8"%> ++<%@ page import="java.util.UUID" %> ++<%@ page import="org.eclipse.help.internal.base.BaseHelpSystem" %> + <% + request.setCharacterEncoding("UTF-8"); +- ServerState.webappStarted(application,request, response); ++ ServerState.webappStarted(application,request, response); + // Read the scope parameter + RequestScope.setScopeFromRequest(request, response); + LayoutData data = new LayoutData(application,request, response); +@@ -38,9 +40,27 @@ + + + <% +- }else if(data.isAdvancedUI()){ +- request.getRequestDispatcher("/advanced/index.jsp" + data.getQuery()).forward(request, response); +- }else{ +- request.getRequestDispatcher("/basic/index.jsp" + data.getQuery()).forward(request, response); ++ } else { ++ // For live help ++ String token = request.getParameter("token"); //$NON-NLS-1$ ++ if (token != null && token.matches("[a-z0-9-]{36}")) { //$NON-NLS-1$ ++ if (BaseHelpSystem.getInstance().matchOnceLiveHelpToken(token)) { ++ // Only one session can grab this ++ if (request.getSession().getAttribute("XSESSION") == null) { //$NON-NLS-1$ ++ String token2 = UUID.randomUUID().toString(); ++ request.getSession().setAttribute("XSESSION", token2); //$NON-NLS-1$ ++ int port = request.getLocalPort(); ++ response.addHeader("Set-Cookie", 
"XSESSION-" + port + "=" + token2 + "; HttpOnly; SameSite=Strict"); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ ++ String token3 = UUID.randomUUID().toString(); ++ request.getSession().setAttribute("LSESSION", token3); //$NON-NLS-1$ ++ } ++ } ++ } ++ ++ if(data.isAdvancedUI()){ ++ request.getRequestDispatcher("/advanced/index.jsp" + data.getQuery()).forward(request, response); ++ } else { // legacy UI ++ request.getRequestDispatcher("/basic/index.jsp" + data.getQuery()).forward(request, response); ++ } + } + %> +diff --git a/org.eclipse.help.webapp/pom.xml b/org.eclipse.help.webapp/pom.xml +index 51e7cc9e7..e02982e8c 100644 +--- a/org.eclipse.help.webapp/pom.xml ++++ b/org.eclipse.help.webapp/pom.xml +@@ -18,7 +18,7 @@ + + org.eclipse.help + org.eclipse.help.webapp +- 3.9.400-SNAPSHOT ++ 3.9.401-SNAPSHOT + eclipse-plugin + + +diff --git a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java +index d5183e1ab..49a45423b 100644 +--- a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java ++++ b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java +@@ -1,5 +1,5 @@ + /******************************************************************************* +- * Copyright (c) 2000, 2016 IBM Corporation and others. ++ * Copyright (c) 2000, 2021 IBM Corporation and others. + * + * This program and the accompanying materials + * are made available under the terms of the Eclipse Public License 2.0 +@@ -46,6 +46,11 @@ public class LayoutData extends RequestData { + + // initialize the query string + String qs = request.getQueryString(); ++ // Remove any live help token ++ if (qs != null) { ++ qs = qs.replaceFirst("^token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$ ++ qs = qs.replaceFirst("&token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$ ++ } + if (qs != null && qs.length() > 0) + query = "?" 
+ qs; //$NON-NLS-1$ + } +diff --git a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java +index ded00b1c1..a2959a6a8 100644 +--- a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java ++++ b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java +@@ -1,5 +1,5 @@ + /******************************************************************************* +- * Copyright (c) 2000, 2015 IBM Corporation and others. ++ * Copyright (c) 2000, 2021 IBM Corporation and others. + * + * This program and the accompanying materials + * are made available under the terms of the Eclipse Public License 2.0 +@@ -14,8 +14,8 @@ + package org.eclipse.help.internal.webapp.servlet; + + import java.io.IOException; +- + import javax.servlet.ServletException; ++import javax.servlet.http.Cookie; + import javax.servlet.http.HttpServlet; + import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpServletResponse; +@@ -51,6 +51,45 @@ public class LiveHelpServlet extends HttpServlet { + return; + } + req.setCharacterEncoding("UTF-8"); //$NON-NLS-1$ ++ String sessionid = req.getSession().getId(); ++ Cookie cookies[] = req.getCookies(); ++ boolean jsessOK = false; ++ boolean xsessOK = false; ++ boolean lsessOK = false; ++ // Unique session ID per help server ++ int port = req.getLocalPort(); ++ String xsessname = "XSESSION-" + port; //$NON-NLS-1$ ++ if (cookies != null) { ++ for (Cookie cookie : cookies) { ++ if (cookie.getName().equals("JSESSIONID")) {//$NON-NLS-1$ ++ if (sessionid.length() >= 30 && ++ cookie.getValue().startsWith(sessionid)) { ++ jsessOK = true; ++ } ++ } ++ if (cookie.getName().equals(xsessname)) { ++ if (cookie.getValue().equals(req.getSession().getAttribute("XSESSION"))) { //$NON-NLS-1$ ++ xsessOK = true; ++ } ++ } ++ } ++ } ++ String token = 
req.getParameter("token"); //$NON-NLS-1$ ++ if (token != null && token.equals(req.getSession().getAttribute("LSESSION"))) { //$NON-NLS-1$ ++ lsessOK = true; ++ } ++ if (!jsessOK) { ++ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "JSESSIONID"); //$NON-NLS-1$ ++ return; ++ } ++ if (!lsessOK) { ++ resp.sendError(HttpServletResponse.SC_FORBIDDEN, "token"); //$NON-NLS-1$ ++ return; ++ } ++ if (!xsessOK) { ++ resp.sendError(HttpServletResponse.SC_FORBIDDEN, xsessname); ++ return; ++ } + String pluginID = req.getParameter("pluginID"); //$NON-NLS-1$ + if (pluginID == null) + return; +@@ -59,6 +98,11 @@ public class LiveHelpServlet extends HttpServlet { + return; + String arg = req.getParameter("arg"); //$NON-NLS-1$ + BaseHelpSystem.runLiveHelp(pluginID, className, arg); ++ /* ++ * @FIXME Should runLiveHelp return an error if the plugin/class is wrong ++ * so a SC_BAD_REQUEST can be returned? Or does this reveal too much? ++ */ ++ resp.setStatus(HttpServletResponse.SC_ACCEPTED); + } + /** + * +-- +cgit v1.2.3 + diff --git a/eclipse.spec b/eclipse.spec index 38908bbdf4996c25a00e39c334c1c0820d69348f..ad7c90a6aa089f4c7c7afe4e74eef7322c580aad 100644 --- a/eclipse.spec +++ b/eclipse.spec @@ -11,7 +11,7 @@ Name: eclipse Epoch: 1 Version: 4.11 -Release: 4 +Release: 5 Summary: An open, extensible IDE License: EPL-2.0 URL: http://www.eclipse.org/ @@ -37,6 +37,8 @@ Patch29: fix_ant_build.patch Patch30: eclipse-hide-droplets-from-install-wizard.patch Patch31: org-eclipse-swt.patch Patch32: BUILD-FAILED-with-compilation-failure-in-org-eclipse-test.patch +# https://git.eclipse.org/c/platform/eclipse.platform.ua.git/commit/?id=28aac2514656c669ffa16acb996c77def3d4a8d4 +Patch33: CVE-2020-27225.patch ExcludeArch: s390 %{arm} %{ix86} BuildRequires: maven-local tycho tycho-extras cbi-plugins maven-antrun-plugin BuildRequires: maven-assembly-plugin maven-dependency-plugin maven-enforcer-plugin 
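Review bot: In BaseHelpSystem.java, `matchOnceLiveHelpToken` compares `liveHelpToken` and then clears it with no synchronization, so the one-time use promised by its comment is not atomic. Assuming the help server handles requests on separate threads, two requests reaching index.jsp with the same token at the same moment can both see a match before either sets the field to null, and each session would then be given its own XSESSION and LSESSION values. Declaring both accessors `synchronized` closes this, `public synchronized boolean matchOnceLiveHelpToken(String helpSessionToken)` and `public synchronized void setLiveHelpToken(String helpSessionToken)`, and also makes the value written from HelpDisplay visible to the request threads. For the open @FIXME, `MessageDigest.isEqual` on the UTF-8 bytes of the two strings would give a constant-time comparison. `setLiveHelpToken` has no Javadoc; one line such as `/** Stores the single pending live-help token, replacing any earlier unused one. */` would record that only one token is held at a time.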
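Review bot: In LiveHelpServlet.java, each rejection passes the name of the failed check to `sendError` (`"JSESSIONID"`, `"token"`, and the cookie name held in `xsessname`), which tells an unauthorised caller which of the three credentials it is missing if the container renders that message into the error page. A single generic refusal keeps that detail on the server: `if (!jsessOK || !lsessOK || !xsessOK) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }`, with the failing check written to the log if it is needed for diagnosis. The added code also calls `req.getSession()` before any check, so a request that arrives without a session has one created just to be refused; `req.getSession(false)` with a null check would avoid that. The prefix comparison `cookie.getValue().startsWith(sessionid)` and the `sessionid.length() >= 30` bound carry no comment, and a line explaining why a prefix match and that minimum length are used would help the next reader. The method body starts and ends outside this hunk.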
@@ -205,6 +207,9 @@ rm -rf rt.equinox.binaries/org.eclipse.equinox.executable/{bin,contributed}/ %patch30 -p1 %patch31 %patch32 -p1 +pushd eclipse.platform.ua +%patch33 -p1 +popd rm eclipse.platform.swt/tests/org.eclipse.swt.tests.gtk/ManualTests/org/eclipse/swt/tests/gtk/accessibility/Bug543949_ComponentExtentsTest.py %pom_remove_dep :tycho-buildtimestamp-jgit eclipse-platform-parent %pom_remove_dep :tycho-sourceref-jgit eclipse-platform-parent @@ -747,6 +752,9 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist} %{_eclipsedir}/plugins/org.eclipse.osgi.util_* %changelog +* Thu Jul 14 2022 wangkai - 1:4.11-5 +- Fix CVE-2020-27225 + * Wed Feb 16 2022 yaoxin - 1:4.11-4 - Fix build error in org.eclipse.test.