commit | b82abfec2cde609c49e4b5d7fd98b7065bdb9840 | |
---|---|---|
author | Matthias Villiger <mvi@bsi-software.com> | Thu Jun 21 14:09:15 2018 +0200 |
committer | Matthias Villiger <mvi@bsi-software.com> | Thu Jun 21 15:43:37 2018 +0200 |
tree | 6f11687015f844188fe78998c3126d560b1158dd | |
parent | 283bf223560c8326d55b1dc6511f020b8934f3da | |
Central path protection for UiServlet and REST resources

The resource loaders (org.eclipse.scout.rt.ui.html.res.loader.IResourceLoader) are used to load resources on the UI server and send them to the browser. The current implementation of the org.eclipse.scout.rt.ui.html.res.loader.IconLoader does not validate the requested resource path, which allows requesting any resource on the UI server classpath.

This requires a special GET request crafted to bypass the servlet container's URI validation, which only validates forward slashes (/). But if backslash path delimiters are passed to the server, these are accepted by the container and forwarded to the servlet. Because ClassLoaders and the Java File API support both slash types, this allows access to resources outside of folders that are designed to be accessible by clients.

The following example request bypasses the URI validation of the container and uses

1. the IconLoader, which does not validate the requested path,
2. and the capability of the Java ClassLoader to understand backslashes as path delimiters:

http://localhost:8082/icon/..%5C..%5C..%5C..%5C..%5Cconfig.properties

In that example the config.properties file of the UI server is returned to the client. This properties file contains sensitive information like passwords or private keys. In general, any resource on the classpath can be accessed. This includes class files, which allows dumping the whole application byte code.

The /icon/ path of a Scout application is typically only available for logged-in users. Therefore (if this default configuration is not changed) a valid login is required to perform the attack.

229542
Change-Id: I9a391c125284b9681fc66a1ce7c7e103277d0fe3
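The commit message above describes why a backslash-encoded path slips past a container that only normalises forward slashes. The following Java class is an added example, not Scout's own code and not the change made in this commit: it places a deliberately naive slash-only check next to the kind of central resource-path check the commit title calls for, so the request from the message can be tried against both. The class and method names, the `/icon` root argument and the sample paths are hypothetical; the inputs are the already percent-decoded path a servlet sees (what `HttpServletRequest.getPathInfo()` returns), relative to the `/icon/` prefix.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (hypothetical class, not part of Eclipse Scout): a central
 * "may this resource path be served?" check applied before any resource loader
 * touches the class path or the file system.
 */
public final class ResourcePathCheck {

    /**
     * Mirrors a container that only looks for ".." between forward slashes.
     * A path whose only separators are backslashes is a single segment to it.
     */
    public static boolean slashOnlyCheck(String decodedPath) {
        for (String segment : decodedPath.split("/")) {
            if (segment.equals("..")) {
                return false;
            }
        }
        return true;
    }

    /**
     * Hardened check: refuse every separator a class loader or the file API
     * might honour, NUL bytes, leftover percent signs (double encoding) and
     * dot segments, then confirm the normalised path still lies under the root.
     * The root argument (e.g. "/icon") is hypothetical; it stands for the
     * folder a loader is allowed to serve from.
     */
    public static boolean isSafeResourcePath(String decodedPath, String allowedRoot) {
        if (decodedPath == null || decodedPath.isEmpty()) {
            return false;
        }
        // Lexical rejection first: a backslash must never reach normalisation,
        // because on Windows java.nio.file.Path treats it as a separator too.
        if (decodedPath.indexOf('\\') >= 0
                || decodedPath.indexOf('\0') >= 0
                || decodedPath.indexOf('%') >= 0) {
            return false;
        }
        for (String segment : decodedPath.split("/")) {
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        // Last line of defence: resolve against the root and normalise without
        // touching the file system; the result must stay strictly inside the root.
        try {
            Path root = Paths.get(allowedRoot).toAbsolutePath().normalize();
            Path resolved = root.resolve(decodedPath).normalize();
            return resolved.startsWith(root) && !resolved.equals(root);
        } catch (InvalidPathException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs. The first is the path from the commit message,
        // /icon/..%5C..%5C..%5C..%5C..%5Cconfig.properties, as the servlet
        // receives it once the container has decoded %5C to a backslash.
        String backslashTraversal = "..\\..\\..\\..\\..\\config.properties";
        String slashTraversal = "../../../../../config.properties";
        String benignIcon = "folder/logo.png";

        System.out.println("slash-only check, backslash traversal: " + slashOnlyCheck(backslashTraversal));
        System.out.println("slash-only check, slash traversal:     " + slashOnlyCheck(slashTraversal));
        System.out.println("hardened check,   backslash traversal: " + isSafeResourcePath(backslashTraversal, "/icon"));
        System.out.println("hardened check,   slash traversal:     " + isSafeResourcePath(slashTraversal, "/icon"));
        System.out.println("hardened check,   benign icon path:    " + isSafeResourcePath(benignIcon, "/icon"));
    }
}
```

Run it with `java ResourcePathCheck.java` (single-file launch, Java 11 or newer). The slash-only check accepts the backslash form and rejects only the forward-slash form, which is exactly the gap the commit message describes; the hardened check rejects both traversals and accepts the plain icon path. Two design points matter for a check like this: the backslash must be rejected lexically before any normalisation, since a platform `Path` may itself treat it as a separator, and the check belongs in one central place in front of every loader rather than inside each `IResourceLoader` implementation, so a loader that forgets to validate cannot reopen the hole.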
Eclipse Scout is a mature and open framework for modern, service-oriented business applications. It substantially boosts developer productivity and is simple to learn.
This repository, Eclipse Scout RT, contains the source for the runtime components embedded in applications built on top of the Eclipse Scout framework.
The content of this repository is built on the Eclipse infrastructure, and the different versions are available on several P2 update sites.
The easiest way to start with Eclipse Scout is to download Eclipse for Scout Developers from the Eclipse downloads page.
We welcome any kind of contribution (bug reports, documentation, code contributions...). Please read the Eclipse Scout contribution page to learn more about it.
The contribution process of Eclipse Scout is hosted on tools deployed by the Eclipse Foundation (involving Bugzilla, Gerrit, Hudson, MediaWiki...).
External tools like the GitHub tracker and pull requests are not supported.
To get in touch with the Eclipse Scout community, please open a thread in the Eclipse Scout Forum or send a mail to our mailing list: scout-dev@eclipse.org
Eclipse Public License (EPL) v1.0