authorThomas Watson2010-11-01 13:46:25 -0400
committerThomas Watson2010-11-01 13:46:25 -0400
commit50bdbc2c18bd697082cfdb2f545981b471c9b0e6 (patch)
treeb3079b7092e246208748d2803db5d10b473ac9c1
parent31bac297d1a539cfe243981d10572ea3c1dcb2e3 (diff)
Bug 328975 - [Webapp] Possible security issue with JSP code exposure.R36x_v20110210
-rw-r--r--bundles/org.eclipse.osgi.tests/META-INF/MANIFEST.MF2
-rw-r--r--bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java86
-rw-r--r--bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleTests.java1
-rw-r--r--bundles/org.eclipse.osgi/core/framework/org/eclipse/osgi/framework/internal/core/AbstractBundle.java47
4 files changed, 133 insertions, 3 deletions
diff --git a/bundles/org.eclipse.osgi.tests/META-INF/MANIFEST.MF b/bundles/org.eclipse.osgi.tests/META-INF/MANIFEST.MF
index 67a59c2fd..fda155968 100644
--- a/bundles/org.eclipse.osgi.tests/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.osgi.tests/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-Name: Core OSGi Tests
Bundle-SymbolicName: org.eclipse.osgi.tests;singleton:=true
-Bundle-Version: 3.6.0
+Bundle-Version: 3.6.2
Bundle-ClassPath: osgitests.jar
Bundle-Vendor: Eclipse.org
Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java
new file mode 100644
index 000000000..8d844ecbb
--- /dev/null
+++ b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java
@@ -0,0 +1,86 @@
+/*******************************************************************************
+ * Copyright (c) 2010 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * IBM Corporation - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.osgi.tests.bundles;
+
+import java.util.Enumeration;
+import junit.framework.Test;
+import junit.framework.TestSuite;
+import org.eclipse.core.tests.harness.CoreTest;
+import org.eclipse.osgi.tests.OSGiTestsActivator;
+import org.osgi.framework.*;
+
+public class BundleResourceTests extends CoreTest {
+ private BundleInstaller installer;
+
+ protected void setUp() throws Exception {
+ try {
+ installer = new BundleInstaller(OSGiTestsActivator.TEST_FILES_ROOT + "resourcetests/bundles", OSGiTestsActivator.getContext()); //$NON-NLS-1$
+ } catch (InvalidSyntaxException e) {
+ fail("Failed to create bundle installer", e); //$NON-NLS-1$
+ }
+ }
+
+ protected void tearDown() throws Exception {
+ installer.shutdown();
+ }
+
+ public static Test suite() {
+ return new TestSuite(BundleResourceTests.class);
+ }
+
+ public void testBug328795() throws BundleException {
+ Bundle bundle = installer.installBundle("test"); //$NON-NLS-1$
+ checkEntries(bundle, "notFound\\", 0); // this results in invalid syntax exception which is logged because of trailing escape
+ checkEntries(bundle, "notFound\\\\", 0); // test escaped escape "notFound\"
+ checkEntries(bundle, "notFound(", 0); // test unescaped trailing (
+ checkEntries(bundle, "notFound\\(", 0); // test escaped trailing (
+ checkEntries(bundle, "notFound)", 0); // test unescaped trailing )
+ checkEntries(bundle, "notFound\\)", 0); // test escaped trailing )
+ checkEntries(bundle, "notFound*", 0); // test trailing unescaped *
+ checkEntries(bundle, "notFound\\*", 0); // test trailing escaped *
+ checkEntries(bundle, "paren(.txt", 1); // test unescaped ( -> should find one
+ checkEntries(bundle, "paren\\(.txt", 1); // test escaped ( -> should find one
+ checkEntries(bundle, "paren\\\\(.txt", 0); // test escaped escape before unescaped ( -> should find none; looks for paren\(.txt file
+ checkEntries(bundle, "paren).txt", 1); // test unescaped ) -> should find one
+ checkEntries(bundle, "paren\\).txt", 1); // test escaped ) -> should find one
+ checkEntries(bundle, "paren\\\\).txt", 0); // test escaped escape before unescaped ) -> should find none; looks for paren\).txt file
+ checkEntries(bundle, "paren(", 1); // test unescaped trailing ( -> should find one
+ checkEntries(bundle, "paren\\(", 1); // test escaped trailing ( -> should find one
+ checkEntries(bundle, "paren\\\\(", 0); // test escaped escape before ( -> should find none; looks for paren\(
+ checkEntries(bundle, "paren)", 1); // test unescaped trailing ( -> should find one
+ checkEntries(bundle, "paren\\)", 1); // test escaped trailing ( -> should find one
+ checkEntries(bundle, "paren\\\\)", 0); // test escaped escape before ) -> should find none; looks for paren\)
+ checkEntries(bundle, "paren*", 4); // test trailing wild cards
+ checkEntries(bundle, "paren*.txt", 2); // test middle wild cards
+ checkEntries(bundle, "paren\\*", 0); // test escaped wild card -> should find none; looks for paren*
+ checkEntries(bundle, "paren\\\\*", 0); // test escaped escape before wild card -> should find none; looks for paren\*
+ checkEntries(bundle, "p*r*n*", 4); // test multiple wild cards
+ checkEntries(bundle, "p*r*n*.txt", 2); // test multiple wild cards
+ checkEntries(bundle, "*)*", 2);
+ checkEntries(bundle, "*(*", 2);
+ checkEntries(bundle, "*\\)*", 2);
+ checkEntries(bundle, "*\\(*", 2);
+ }
+
+ private void checkEntries(Bundle bundle, String filePattern, int expectedNumber) {
+ Enumeration entries = bundle.findEntries("folder", filePattern, false);
+ if (expectedNumber == 0) {
+ assertNull("Expected nothing here.", entries);
+ return;
+ }
+ int i = 0;
+ while (entries.hasMoreElements()) {
+ entries.nextElement();
+ i++;
+ }
+ assertEquals("Unexpected number of entries", expectedNumber, i);
+ }
+}
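Review bot: `checkEntries` dereferences `entries` without a null check when `expectedNumber` is greater than zero, so a regression in which `findEntries` returns null surfaces as a NullPointerException instead of a readable failure; adding `assertNotNull("Expected entries for " + filePattern, entries);` before the loop fixes that. The first case, `"notFound\\"`, is expected to be rejected (its comment says the invalid-syntax error is logged), but the assertion only checks for null, so it cannot tell a rejected pattern apart from one that simply matched nothing. The method name `testBug328795` does not match bug number 328975 in the commit title. The comments on the `"paren)"` and `"paren\\)"` cases say `(` where the pattern contains `)`.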
diff --git a/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleTests.java b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleTests.java
index e0bb723d5..ad452ef3b 100644
--- a/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleTests.java
+++ b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleTests.java
@@ -16,6 +16,7 @@ import junit.framework.TestSuite;
public class BundleTests {
public static Test suite() {
TestSuite suite = new TestSuite(BundleTests.class.getName());
+ suite.addTest(BundleResourceTests.suite());
suite.addTest(BundleInstallUpdateTests.suite());
suite.addTest(SystemBundleTests.suite());
suite.addTest(BundleExceptionTests.suite());
diff --git a/bundles/org.eclipse.osgi/core/framework/org/eclipse/osgi/framework/internal/core/AbstractBundle.java b/bundles/org.eclipse.osgi/core/framework/org/eclipse/osgi/framework/internal/core/AbstractBundle.java
index 1e10d791e..4e3397285 100644
--- a/bundles/org.eclipse.osgi/core/framework/org/eclipse/osgi/framework/internal/core/AbstractBundle.java
+++ b/bundles/org.eclipse.osgi/core/framework/org/eclipse/osgi/framework/internal/core/AbstractBundle.java
@@ -1383,11 +1383,14 @@ public abstract class AbstractBundle implements Bundle, Comparable, KeyedElement
if (filePattern != null)
try {
// create a file pattern filter with 'filename' as the key
- patternFilter = FilterImpl.newInstance("(filename=" + filePattern + ")"); //$NON-NLS-1$ //$NON-NLS-2$
+ patternFilter = FilterImpl.newInstance("(filename=" + sanitizeFilterInput(filePattern) + ")"); //$NON-NLS-1$ //$NON-NLS-2$
// create a single hashtable to be shared during the recursive search
patternProps = new Hashtable(2);
} catch (InvalidSyntaxException e) {
- // cannot happen
+ // something unexpected happened; log error and return nothing
+ Bundle b = framework.systemBundle;
+ framework.publishFrameworkEvent(FrameworkEvent.ERROR, b, e);
+ return null;
}
// find the local entries of this bundle
findLocalEntryPaths(path, patternFilter, patternProps, recurse, pathList);
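Review bot: The new catch block publishes the error against `framework.systemBundle`, so the logged event does not identify which bundle's lookup received the malformed pattern. If that attribution is not deliberate, `framework.publishFrameworkEvent(FrameworkEvent.ERROR, this, e);` would make triage easier. The bug title suggests the pattern can originate from a web request, in which case every malformed request now raises an ERROR event; that is an inference from the title, but the log volume is worth keeping in mind. The replacement comment could also say that the null return looks the same to callers as "no entries", for example `// invalid pattern: log it and report no entries, same as no match`. The enclosing method starts and ends outside the hunk.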
@@ -1450,6 +1453,46 @@ public abstract class AbstractBundle implements Bundle, Comparable, KeyedElement
};
}
+ private String sanitizeFilterInput(String filePattern) throws InvalidSyntaxException {
+ StringBuffer buffer = null;
+ boolean foundEscape = false;
+ for (int i = 0; i < filePattern.length(); i++) {
+ char c = filePattern.charAt(i);
+ switch (c) {
+ case '\\' :
+ // we either used the escape found or found a new escape.
+ foundEscape = foundEscape ? false : true;
+ if (buffer != null)
+ buffer.append(c);
+ break;
+ case '(' :
+ case ')' :
+ if (!foundEscape) {
+ if (buffer == null) {
+ buffer = new StringBuffer(filePattern.length() + 16);
+ buffer.append(filePattern.substring(0, i));
+ }
+ // must escape with '\'
+ buffer.append('\\');
+ } else {
+ foundEscape = false; // used the escape found
+ }
+ if (buffer != null)
+ buffer.append(c);
+ break;
+ default :
+ // if we found an escape it has been used
+ foundEscape = false;
+ if (buffer != null)
+ buffer.append(c);
+ break;
+ }
+ }
+ if (foundEscape)
+ throw new InvalidSyntaxException("Trailing escape characters must be escaped.", filePattern); //$NON-NLS-1$
+ return buffer == null ? filePattern : buffer.toString();
+ }
+
protected void findLocalEntryPaths(String path, Filter patternFilter, Hashtable patternProps, boolean recurse, List pathList) {
Enumeration entryPaths = bundledata.getEntryPaths(path);
if (entryPaths == null)
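Review bot: `sanitizeFilterInput` has no Javadoc, although it is the only step between a caller-supplied `filePattern` and the string-built `(filename=...)` filter. A short Javadoc should state the contract visible in the body: unescaped `(` and `)` are prefixed with a backslash, existing backslash escapes and `*` wildcards pass through unchanged, and a pattern ending in an unpaired backslash is rejected with InvalidSyntaxException. The toggle `foundEscape = foundEscape ? false : true;` reads more plainly as `foundEscape = !foundEscape;`. The hunk ends inside `findLocalEntryPaths`, which is unchanged context.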
