Backport XSS security fixes to Eclipse 3.2 maintenance stream
diff --git a/org.eclipse.help.webapp/META-INF/MANIFEST.MF b/org.eclipse.help.webapp/META-INF/MANIFEST.MF
index 7a6711e..c5d9ff6 100644
--- a/org.eclipse.help.webapp/META-INF/MANIFEST.MF
+++ b/org.eclipse.help.webapp/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@
 Bundle-ManifestVersion: 2
 Bundle-Name: %help_webapp_plugin_name
 Bundle-SymbolicName: org.eclipse.help.webapp; singleton:=true
-Bundle-Version: 3.2.2.qualifier
+Bundle-Version: 3.2.3.qualifier
 Bundle-ClassPath: webapp.jar
 Bundle-Activator: org.eclipse.help.internal.webapp.HelpWebappPlugin
 Bundle-Vendor: %providerName
diff --git a/org.eclipse.help.webapp/advanced/confirm.jsp b/org.eclipse.help.webapp/advanced/confirm.jsp
index 5bdb3f1..9f191be 100644
--- a/org.eclipse.help.webapp/advanced/confirm.jsp
+++ b/org.eclipse.help.webapp/advanced/confirm.jsp
@@ -1,5 +1,5 @@ <%-- - Copyright (c) 2000, 2006 IBM Corporation and others. + Copyright (c) 2000, 2010 IBM Corporation and others. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License v1.0 which accompanies this distribution, and is available at @@ -75,7 +75,7 @@ %> sizeButtons(); <%}%> - document.getElementById("<%=request.getParameter("initialFocus")%>").focus(); + document.getElementById("<%=UrlUtil.JavaScriptEncode(request.getParameter("initialFocus"))%>").focus(); } function sizeButtons() { @@ -93,10 +93,10 @@ try{ <% if ("true".equalsIgnoreCase(request.getParameter("dontaskagain")) ){ %> if(document.getElementById("dontask").checked){ - window.opener.<%=request.getParameter("dontaskagainCallback")%>; + window.opener.<%=UrlUtil.JavaScriptEncode(request.getParameter("dontaskagainCallback"))%>; } <% } %> - window.opener.<%=request.getParameter("confirmCallback")%>; + window.opener.<%=UrlUtil.JavaScriptEncode(request.getParameter("confirmCallback"))%>; } catch(e) {} window.close(); return false;
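Review bot: `window.opener.<%=UrlUtil.JavaScriptEncode(request.getParameter("dontaskagainCallback"))%>;` and the `confirmCallback` line below it emit the request parameter as JavaScript code, not inside a string literal, so an encoder meant for string-literal context does not constrain what runs in that position and is the wrong tool there. Those two outputs should be validated instead: accept only a plain function name, e.g. `if (cb == null || !cb.matches("[A-Za-z_$][A-Za-z0-9_$]*")) cb = "";` (a constructed example pattern — confirm against what the opener pages actually pass), and invoke it as `window.opener[<quoted name>]()` so the name itself can be emitted as an encoded string. The `initialFocus` change is in the right context, since that value sits inside the `getElementById("...")` string, though `request.getParameter` returns null when the parameter is absent and what `JavaScriptEncode(null)` emits is not visible here. The enclosing script functions continue outside the hunk.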
diff --git a/org.eclipse.help.webapp/advanced/help.jsp b/org.eclipse.help.webapp/advanced/help.jsp
index 3090d20..ad3f62d 100644
--- a/org.eclipse.help.webapp/advanced/help.jsp
+++ b/org.eclipse.help.webapp/advanced/help.jsp
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2004 IBM Corporation and others.
+ Copyright (c) 2000, 2010 IBM Corporation and others.
 All rights reserved. This program and the accompanying materials
 are made available under the terms of the Eclipse Public License v1.0
 which accompanies this distribution, and is available at
@@ -134,13 +134,13 @@ <% if (isRTL) { %> - <frame name="ContentFrame" title="<%=ServletResources.getString("ignore", "ContentFrame", request)%>" class="content" src='<%="content.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes> - <frame class="nav" name="NavFrame" title="<%=ServletResources.getString("ignore", "NavFrame", request)%>" src='<%="nav.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="1" resize=yes> + <frame name="ContentFrame" title="<%=ServletResources.getString("ignore", "ContentFrame", request)%>" class="content" src='<%="content.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes> + <frame class="nav" name="NavFrame" title="<%=ServletResources.getString("ignore", "NavFrame", request)%>" src='<%="nav.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="1" resize=yes> <% } else { %> - <frame class="nav" name="NavFrame" title="<%=ServletResources.getString("ignore", "NavFrame", request)%>" src='<%="nav.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="1" resize=yes> - <frame name="ContentFrame" title="<%=ServletResources.getString("ignore", "ContentFrame", request)%>" class="content" src='<%="content.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes> + <frame class="nav" name="NavFrame" title="<%=ServletResources.getString("ignore", "NavFrame", request)%>" src='<%="nav.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="1" resize=yes> + <frame name="ContentFrame" title="<%=ServletResources.getString("ignore", "ContentFrame", request)%>" class="content" src='<%="content.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes> <% } %>
diff --git a/org.eclipse.help.webapp/advanced/index.jsp b/org.eclipse.help.webapp/advanced/index.jsp
index 9bf393c..ac9b6c4 100644
--- a/org.eclipse.help.webapp/advanced/index.jsp
+++ b/org.eclipse.help.webapp/advanced/index.jsp
@@ -1,5 +1,5 @@ <%-- - Copyright (c) 2000, 2004 IBM Corporation and others. + Copyright (c) 2000, 2009 IBM Corporation and others. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License v1.0 which accompanies this distribution, and is available at @@ -69,8 +69,8 @@ <% } %> - <frame name="SearchFrame" title="<%=ServletResources.getString("helpToolbarFrame", request)%>" src='<%="advanced/search.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" noresize=0> - <frame name="HelpFrame" title="<%=ServletResources.getString("ignore", "HelpFrame", request)%>" src='<%="advanced/help.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" > + <frame name="SearchFrame" title="<%=ServletResources.getString("helpToolbarFrame", request)%>" src='<%="advanced/search.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" noresize=0> + <frame name="HelpFrame" title="<%=ServletResources.getString("ignore", "HelpFrame", request)%>" src='<%="advanced/help.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" > </frameset> </html>
diff --git a/org.eclipse.help.webapp/advanced/searchScoped.jsp b/org.eclipse.help.webapp/advanced/searchScoped.jsp
index f85a944..814aff4 100644
--- a/org.eclipse.help.webapp/advanced/searchScoped.jsp
+++ b/org.eclipse.help.webapp/advanced/searchScoped.jsp
@@ -1,5 +1,5 @@ <%-- - Copyright (c) 2000, 2004 IBM Corporation and others. + Copyright (c) 2000, 2010 IBM Corporation and others. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License v1.0 which accompanies this distribution, and is available at @@ -234,8 +234,8 @@ <a id="scopeLabel" href="javascript:openAdvanced();" title='<%=ServletResources.getString("ScopeTooltip", request)%>' alt='<%=ServletResources.getString("ScopeTooltip", request)%>' onmouseover="window.status='<%=ServletResources.getString("ScopeTooltip", request)%>'; return true;" onmouseout="window.status='';"><%=ServletResources.getLabel("Scope", request)%>:</a> </td> <td nowrap> - <input type="hidden" name="workingSet" value='<%=data.getScope()%>'> - <div id="scope" ><%=data.getScope()%></div> + <input type="hidden" name="workingSet" value='<%=UrlUtil.htmlEncode(data.getScope())%>'> + <div id="scope" ><%=UrlUtil.htmlEncode(data.getScope())%></div> </td> </tr>
diff --git a/org.eclipse.help.webapp/advanced/searchView.jsp b/org.eclipse.help.webapp/advanced/searchView.jsp
index 5ab85b4..10c323d 100644
--- a/org.eclipse.help.webapp/advanced/searchView.jsp
+++ b/org.eclipse.help.webapp/advanced/searchView.jsp
@@ -1,5 +1,5 @@ <%-- - Copyright (c) 2000, 2006 IBM Corporation and others. + Copyright (c) 2000, 2010 IBM Corporation and others. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License v1.0 which accompanies this distribution, and is available at @@ -39,7 +39,7 @@ function refresh() { - window.location.replace("searchView.jsp?<%=request.getQueryString()%>"); + window.location.replace("searchView.jsp?<%=UrlUtil.htmlEncode(request.getQueryString())%>"); } </script>
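Review bot: `window.location.replace("searchView.jsp?<%=UrlUtil.htmlEncode(request.getQueryString())%>");` applies an HTML encoder inside a `<script>` block, where the browser does not decode character references; if `htmlEncode` maps `&` to `&amp;` as the `escapedXML` table in UrlUtil.java suggests (its entries appear entity-decoded on this page), every `&` separator reaches the server literally and the second and later query parameters are likely lost, while the value is still a JavaScript string literal that needs string-literal escaping. Use the JavaScript encoder the same patch applies in workingSet.jsp: `window.location.replace("searchView.jsp?<%=UrlUtil.JavaScriptEncode(request.getQueryString())%>");`. `request.getQueryString()` is null when there is no query (views.jsp and basic/tabs.jsp in this patch guard for that); before the change a null rendered as the text `null`, whereas now the outcome depends on how `htmlEncode(null)` behaves, which is not visible here — the `<meta>` refresh in basic/searchView.jsp has the same null question, though HTML encoding is the right choice inside that attribute. `refresh` is fully inside the hunk.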
diff --git a/org.eclipse.help.webapp/advanced/tabs.jsp b/org.eclipse.help.webapp/advanced/tabs.jsp
index 8592b38..c71ef14 100644
--- a/org.eclipse.help.webapp/advanced/tabs.jsp
+++ b/org.eclipse.help.webapp/advanced/tabs.jsp
@@ -1,5 +1,5 @@ <%-- - Copyright (c) 2000, 2004 IBM Corporation and others. + Copyright (c) 2000, 2009 IBM Corporation and others. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License v1.0 which accompanies this distribution, and is available at @@ -262,7 +262,7 @@ <% } %> - <td title="<%=title%>" + <td title="<%=UrlUtil.htmlEncode(title)%>" align="center" valign="middle" class="tab" @@ -276,8 +276,8 @@ onmouseout="window.status='';" id="link<%=views[i].getName()%>" <%=views[i].getKey()==View.NO_SHORTCUT?"":"ACCESSKEY=\""+views[i].getKey()+"\""%>> - <img alt="<%=title%>" - title="<%=title%>" + <img alt="<%=UrlUtil.htmlEncode(title)%>" + title="<%=UrlUtil.htmlEncode(title)%>" src="<%=views[i].getOnImage()%>" id="img<%=views[i].getName()%>" height="16"
diff --git a/org.eclipse.help.webapp/advanced/views.jsp b/org.eclipse.help.webapp/advanced/views.jsp
index f9c3b17..64c35df 100644
--- a/org.eclipse.help.webapp/advanced/views.jsp
+++ b/org.eclipse.help.webapp/advanced/views.jsp
@@ -1,5 +1,5 @@ <%-- - Copyright (c) 2000, 2006 IBM Corporation and others. + Copyright (c) 2000, 2010 IBM Corporation and others. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License v1.0 which accompanies this distribution, and is available at @@ -208,7 +208,7 @@ name="<%=views[i].getName()%>" title="<%=ServletResources.getString("ignore", views[i].getName(), request)%>" id="<%=views[i].getName()%>" - src='<%="view.jsp?view="+views[i].getName()+(request.getQueryString()==null?"":("&"+request.getQueryString()))%>'> + src='<%="view.jsp?view="+views[i].getName()+(request.getQueryString()==null?"":("&"+UrlUtil.htmlEncode(request.getQueryString())))%>'> </iframe> <% }
diff --git a/org.eclipse.help.webapp/advanced/workingSet.jsp b/org.eclipse.help.webapp/advanced/workingSet.jsp
index 2fdc77d..b5eee04 100644
--- a/org.eclipse.help.webapp/advanced/workingSet.jsp
+++ b/org.eclipse.help.webapp/advanced/workingSet.jsp
@@ -1,5 +1,5 @@ <%-- - Copyright (c) 2000, 2004 IBM Corporation and others. + Copyright (c) 2000, 2010 IBM Corporation and others. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License v1.0 which accompanies this distribution, and is available at @@ -129,7 +129,7 @@ var plus = new Image(); plus.src = "<%=prefs.getImagesDirectory()%>"+"/plus.gif"; -var oldName = '<%=data.isEditMode()?data.getWorkingSetName():""%>'; +var oldName = '<%=data.isEditMode()?UrlUtil.JavaScriptEncode(data.getWorkingSetName()):""%>'; var altBookClosed = "<%=UrlUtil.JavaScriptEncode(ServletResources.getString("bookClosed", request))%>"; var altBookOpen = "<%=UrlUtil.JavaScriptEncode(ServletResources.getString("bookOpen", request))%>"; @@ -169,7 +169,7 @@ if (!hrefs || hrefs == "") return false; - var query = "operation="+'<%=data.getOperation()%>'+"&workingSet="+encodeURIComponent(workingSet)+ hrefs+"&oldName="+encodeURIComponent(oldName); + var query = "operation="+'<%=UrlUtil.JavaScriptEncode(data.getOperation())%>'+"&workingSet="+encodeURIComponent(workingSet)+ hrefs+"&oldName="+encodeURIComponent(oldName); window.opener.location.replace("workingSetManager.jsp?"+query); window.opener.focus(); window.close(); 
@@ -349,7 +349,8 @@
 <table id="wsTable" width="100%" cellspacing=0 cellpading=0 border=0 align=center >
 <tr><td style="padding:5px 10px 0px 10px;"><label for="workingSet" accesskey="<%=ServletResources.getAccessKey("WorkingSetName", request)%>"><%=ServletResources.getLabel("WorkingSetName", request)%>:</label>
 </td></tr>
- <tr><td style="padding:0px 10px;"><input type="text" id="workingSet" name="workingSet" value='<%=data.isEditMode()?data.getWorkingSetName():""%>' maxlength=256 alt='<%=ServletResources.getString("WorkingSetName", request)%>' title='<%=ServletResources.getString("WorkingSetName", request)%>' onkeyup="enableOK();return true;">
+ <tr><td style="padding:0px 10px;"><input type="text" id="workingSet" name="workingSet"
+ value='<%=data.isEditMode()?UrlUtil.htmlEncode(data.getWorkingSetName()):""%>' maxlength=256 alt='<%=ServletResources.getString("WorkingSetName", request)%>' title='<%=ServletResources.getString("WorkingSetName", request)%>' onkeyup="enableOK();return true;">
 </td></tr>
 <tr><td><div id="selectBook" style="padding-top:5px; margin-<%=isRTL?"right":"left"%>:10px;"><%=ServletResources.getString("WorkingSetContent", request)%>:</div>
 </td></tr>
diff --git a/org.eclipse.help.webapp/advanced/workingSetManager.jsp b/org.eclipse.help.webapp/advanced/workingSetManager.jsp
index cf6ecbc..a045496 100644
--- a/org.eclipse.help.webapp/advanced/workingSetManager.jsp
+++ b/org.eclipse.help.webapp/advanced/workingSetManager.jsp
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2004 IBM Corporation and others.
+ Copyright (c) 2000, 2010 IBM Corporation and others.
 All rights reserved. This program and the accompanying materials
 are made available under the terms of the Eclipse Public License v1.0
 which accompanies this distribution, and is available at
@@ -261,8 +261,8 @@
 href='#'
 onclick="active=this;highlightHandler()"
 ondblclick="selectWorkingSet()"
- title="<%=wsets[i]%>">
- <%=wsets[i]%>
+ title="<%=UrlUtil.htmlEncode(wsets[i])%>">
+ <%=UrlUtil.htmlEncode(wsets[i])%>
 </a>
 </td>
 </tr>
diff --git a/org.eclipse.help.webapp/basic/advanced.inc b/org.eclipse.help.webapp/basic/advanced.inc
index bcbddd6..91474ee 100644
--- a/org.eclipse.help.webapp/basic/advanced.inc
+++ b/org.eclipse.help.webapp/basic/advanced.inc
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2004 IBM Corporation and others.
+ Copyright (c) 2000, 2009 IBM Corporation and others.
 All rights reserved. This program and the accompanying materials
 are made available under the terms of the Eclipse Public License v1.0
 which accompanies this distribution, and is available at
@@ -18,7 +18,7 @@
 </tr>
 <tr>
 <td nowrap>
- <input type="text" name="searchWord" id="searchWord" value='<%=data.getSearchWord()%>' maxlength=256 alt='<%=ServletResources.getString("SearchExpression", request)%>' title='<%=ServletResources.getString("SearchExpression", request)%>'>
+ <input type="text" name="searchWord" id="searchWord" value='<%=UrlUtil.htmlEncode(data.getSearchWord())%>' maxlength=256 alt='<%=ServletResources.getString("SearchExpression", request)%>' title='<%=ServletResources.getString("SearchExpression", request)%>'>
 <input type="hidden" name="maxHits" value="500" >
 <input type="hidden" name="scopedSearch" value="true" >
 <input type="submit" value='<%=ServletResources.getString("GO", request)%>' alt='<%=ServletResources.getString("GO", request)%>' title='<%=ServletResources.getString("GO", request)%>'>
diff --git a/org.eclipse.help.webapp/basic/searchView.jsp b/org.eclipse.help.webapp/basic/searchView.jsp
index b154f11..b31b69a 100644
--- a/org.eclipse.help.webapp/basic/searchView.jsp
+++ b/org.eclipse.help.webapp/basic/searchView.jsp
@@ -1,5 +1,5 @@ <%-- - Copyright (c) 2000, 2006 IBM Corporation and others. + Copyright (c) 2000, 2009 IBM Corporation and others. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License v1.0 which accompanies this distribution, and is available at @@ -24,7 +24,7 @@ <% if (data.isProgressRequest()) { %> - <meta HTTP-EQUIV="REFRESH" CONTENT="2;URL=<%="searchView.jsp?"+request.getQueryString()%>"> + <meta HTTP-EQUIV="REFRESH" CONTENT="2;URL=<%="searchView.jsp?"+UrlUtil.htmlEncode(request.getQueryString())%>"> <% } %> @@ -83,9 +83,9 @@ <td align='<%=isRTL?"right":"left"%>' nowrap> <a <%=("a"+topic).equals(data.getSelectedTopicId())?" name=\"selectedItem\" ":""%> - href='<%=data.getTopicHref(topic)%>' - title="<%=data.getTopicTocLabel(topic)%>"> - <%=data.getTopicLabel(topic)%> + href='<%=UrlUtil.htmlEncode(data.getTopicHref(topic))%>' + title="<%=UrlUtil.htmlEncode(data.getTopicTocLabel(topic))%>"> + <%=UrlUtil.htmlEncode(data.getTopicLabel(topic))%> </a> </td> </tr>
diff --git a/org.eclipse.help.webapp/basic/tabs.jsp b/org.eclipse.help.webapp/basic/tabs.jsp
index a6f364c..40fa415 100644
--- a/org.eclipse.help.webapp/basic/tabs.jsp
+++ b/org.eclipse.help.webapp/basic/tabs.jsp
@@ -62,7 +62,7 @@ String viewHref="view.jsp?view="+views[i].getName(); // always pass query string to "links view" if("links".equals(views[i].getName())){ - viewHref=viewHref+(request.getQueryString()!=null?"&"+request.getQueryString():""); + viewHref=viewHref+(request.getQueryString()!=null?"&"+UrlUtil.htmlEncode(request.getQueryString()):""); } %>
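Review bot: `UrlUtil.htmlEncode` is applied while the Java string `viewHref` is being built, rather than at the point where `viewHref` is written into the page, and that output point is outside the hunk; if it lands in an HTML attribute the encoding is right, but if the same string is also placed in a JavaScript literal or compared in Java, the substituted `&amp;` is wrong there. I would keep `viewHref` raw in the scriptlet and encode at the `<%= %>` that emits it, or at least record the assumption on this line: `// viewHref is HTML-encoded here: emit it only into HTML attribute/text context`. The enclosing scriptlet continues outside the hunk.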
diff --git a/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/data/UrlUtil.java b/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/data/UrlUtil.java
index fad14cc..826e70e 100644
--- a/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/data/UrlUtil.java
+++ b/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/data/UrlUtil.java
@@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2000, 2006 IBM Corporation and others. + * Copyright (c) 2000, 2010 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License v1.0 * which accompanies this distribution, and is available at @@ -22,9 +22,10 @@ public class UrlUtil { // XML escaped characters mapping - private static final String invalidXML[] = {"&", ">", "<", "\""}; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ + private static final String invalidXML[] = {"&", ">", "<", "\"", "'"}; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ //$NON-NLS-5$ + // Note that we have to use ' instead of ' because ' does not work in all versions of IE private static final String escapedXML[] = { - "&", ">", "<", """}; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ + "&", ">", "<", """, "'"}; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ //$NON-NLS-5$ // for Safari build 125.1 finds version 125 static final Pattern safariPatern = Pattern.compile(
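Review bot: The comment added above `escapedXML` reads on this page as "use ' instead of '", so the two character references it contrasts have evidently been decoded somewhere between the source and this rendering; in the file I would spell the intent out in words so it survives, e.g. `// Use the numeric character reference for the apostrophe: the named one is not recognised by all versions of IE` (numeric-versus-named is my reading of the surviving text — confirm against the checked-in file). `invalidXML` and `escapedXML` are positional pairs, so a one-line comment on the first such as `// Parallel to escapedXML: entry i is replaced by escapedXML[i]` would make the coupling explicit now that both have grown. With `'` added, `htmlEncode` is safe inside single-quoted attributes, but it remains an HTML-context encoder; a short Javadoc on `htmlEncode` saying so, and pointing to `JavaScriptEncode` for script contexts, would have prevented the in-script use this patch introduces in advanced/searchView.jsp. `htmlEncode` itself is outside the hunk.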
diff --git a/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/servlet/FramesetFilter.java b/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/servlet/FramesetFilter.java
index 07a3755..b5c5ef2 100644
--- a/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/servlet/FramesetFilter.java
+++ b/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/servlet/FramesetFilter.java
@@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2000, 2006 IBM Corporation and others. + * Copyright (c) 2000, 2010 IBM Corporation and others. * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License v1.0 * which accompanies this distribution, and is available at @@ -12,6 +12,7 @@ package org.eclipse.help.internal.webapp.servlet; import java.io.*; +import java.net.URLEncoder; import javax.servlet.http.*; @@ -30,6 +31,8 @@ */ public OutputStream filter(HttpServletRequest req, OutputStream out) { String uri = req.getRequestURI(); + String url = req.getPathInfo(); + if (uri == null || !uri.endsWith("html") && !uri.endsWith("htm")) { //$NON-NLS-1$ //$NON-NLS-2$ return out; } @@ -54,7 +57,16 @@ script.append("../"); //$NON-NLS-1$ } script.append("?topic="); //$NON-NLS-1$ - script.append(req.getPathInfo()); + + + // Sanitize the url + try{ + url = URLEncoder.encode(url, "UTF-8"); //$NON-NLS-1$ + script.append(url); + } catch (UnsupportedEncodingException uee){ + return out; + } + script.append(scriptPart3); try { return new FilterHTMLHeadOutputStream(out, script.toString()
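Review bot: `url` is taken from `req.getPathInfo()` on the first added line of `filter` and later handed to `URLEncoder.encode` without a null check; `getPathInfo()` returns null when the request carries no extra path, and `encode(null, ...)` then fails with a NullPointerException that the new `catch (UnsupportedEncodingException uee)` does not cover, whereas the replaced `script.append(req.getPathInfo())` at worst appended the text `null`. I would move the declaration next to its use, after the suffix check, and guard it: `String url = req.getPathInfo(); if (url == null) { return out; }` (returning the unfiltered stream matches the existing early-return style; whether a null path can reach this filter depends on the servlet mapping, which is not visible here). The `UnsupportedEncodingException` branch cannot fire for `"UTF-8"`, a charset every JVM must provide, so silently returning `out` would hide a platform fault; rethrow it as an unchecked exception with `uee` as the cause, or at least mark it `// unreachable: UTF-8 is a mandatory charset`. `URLEncoder.encode` applies form encoding, so `/` in the path becomes `%2F` and spaces become `+`; that is valid for a query-parameter value but changes what the browser shows in the topic URL compared with the old raw append, which deserves a comment if intentional. `filter` continues outside the hunk.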