author | Thomas Watson | 2010-11-01 17:46:25 +0000 |
---|---|---|
committer | Thomas Watson | 2010-11-01 17:46:25 +0000 |
commit | 50bdbc2c18bd697082cfdb2f545981b471c9b0e6 (patch) | |
tree | b3079b7092e246208748d2803db5d10b473ac9c1 /bundles | |
parent | 31bac297d1a539cfe243981d10572ea3c1dcb2e3 (diff) | |
Bug 328975 - [Webapp] Possible security issue with JSP code exposure.R36x_v20110210
Diffstat (limited to 'bundles')
4 files changed, 133 insertions, 3 deletions
diff --git a/bundles/org.eclipse.osgi.tests/META-INF/MANIFEST.MF b/bundles/org.eclipse.osgi.tests/META-INF/MANIFEST.MF
index 67a59c2fd..fda155968 100644
--- a/bundles/org.eclipse.osgi.tests/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.osgi.tests/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: Core OSGi Tests
 Bundle-SymbolicName: org.eclipse.osgi.tests;singleton:=true
-Bundle-Version: 3.6.0
+Bundle-Version: 3.6.2
 Bundle-ClassPath: osgitests.jar
 Bundle-Vendor: Eclipse.org
 Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java
new file mode 100644
index 000000000..8d844ecbb
--- /dev/null
+++ b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java
@@ -0,0 +1,86 @@
+/*******************************************************************************
+ * Copyright (c) 2010 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * IBM Corporation - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.osgi.tests.bundles;
+
+import java.util.Enumeration;
+import junit.framework.Test;
+import junit.framework.TestSuite;
+import org.eclipse.core.tests.harness.CoreTest;
+import org.eclipse.osgi.tests.OSGiTestsActivator;
+import org.osgi.framework.*;
+
+public class BundleResourceTests extends CoreTest {
+ private BundleInstaller installer;
+
+ protected void setUp() throws Exception {
+ try {
+ installer = new BundleInstaller(OSGiTestsActivator.TEST_FILES_ROOT + "resourcetests/bundles", OSGiTestsActivator.getContext()); //$NON-NLS-1$
+ } catch (InvalidSyntaxException e) {
+ fail("Failed to create bundle installer", e); //$NON-NLS-1$
+ }
+ }
+
+ protected void tearDown() throws Exception {
+ installer.shutdown();
+ }
+
+ public static Test suite() {
+ return new TestSuite(BundleResourceTests.class);
+ }
+
+ public void testBug328795() throws BundleException {
+ Bundle bundle = installer.installBundle("test"); //$NON-NLS-1$
+ checkEntries(bundle, "notFound\\", 0); // this results in invalid syntax exception which is logged because of trailing escape
+ checkEntries(bundle, "notFound\\\\", 0); // test escaped escape "notFound\"
+ checkEntries(bundle, "notFound(", 0); // test unescaped trailing (
+ checkEntries(bundle, "notFound\\(", 0); // test escaped trailing (
+ checkEntries(bundle, "notFound)", 0); // test unescaped trailing )
+ checkEntries(bundle, "notFound\\)", 0); // test escaped trailing )
+ checkEntries(bundle, "notFound*", 0); // test trailing unescaped *
+ checkEntries(bundle, "notFound\\*", 0); // test trailing escaped *
+ checkEntries(bundle, "paren(.txt", 1); // test unescaped ( -> should find one
+ checkEntries(bundle, "paren\\(.txt", 1); // test escaped ( -> should find one
+ checkEntries(bundle, "paren\\\\(.txt", 0); // test escaped escape before unescaped ( -> should find none; looks for paren\(.txt file
+ checkEntries(bundle, "paren).txt", 1); // test unescaped ) -> should find one
+ checkEntries(bundle, "paren\\).txt", 1); // test escaped ) -> should find one
+ checkEntries(bundle, "paren\\\\).txt", 0); // test escaped escape before unescaped ) -> should find none; looks for paren\).txt file
+ checkEntries(bundle, "paren(", 1); // test unescaped trailing ( -> should find one
+ checkEntries(bundle, "paren\\(", 1); // test escaped trailing ( -> should find one
+ checkEntries(bundle, "paren\\\\(", 0); // test escaped escape before ( -> should find none; looks for paren\(
+ checkEntries(bundle, "paren)", 1); // test unescaped trailing ( -> should find one
+ checkEntries(bundle, "paren\\)", 1); // test escaped trailing ( -> should find one
+ checkEntries(bundle, "paren\\\\)", 0); // test escaped escape before ) -> should find none; looks for paren\)
+ checkEntries(bundle, "paren*", 4); // test trailing wild cards
+ checkEntries(bundle, "paren*.txt", 2); // test middle wild cards
+ checkEntries(bundle, "paren\\*", 0); // test escaped wild card -> should find none; looks for paren*
+ checkEntries(bundle, "paren\\\\*", 0); // test escaped escape before wild card -> should find none; looks for paren\*
+ checkEntries(bundle, "p*r*n*", 4); // test multiple wild cards
+ checkEntries(bundle, "p*r*n*.txt", 2); // test multiple wild cards
+ checkEntries(bundle, "*)*", 2);
+ checkEntries(bundle, "*(*", 2);
+ checkEntries(bundle, "*\\)*", 2);
+ checkEntries(bundle, "*\\(*", 2);
+ }
+
+ private void checkEntries(Bundle bundle, String filePattern, int expectedNumber) {
+ Enumeration entries = bundle.findEntries("folder", filePattern, false);
+ if (expectedNumber == 0) {
+ assertNull("Expected nothing here.", entries);
+ return;
+ }
+ int i = 0;
+ while (entries.hasMoreElements()) {
+ entries.nextElement();
+ i++;
+ }
+ assertEquals("Unexpected number of entries", expectedNumber, i);
+ }
+}
diff --git a/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleTests.java b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleTests.java
index e0bb723d5..ad452ef3b 100644
--- a/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleTests.java
+++ b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleTests.java
@@ -16,6 +16,7 @@ import junit.framework.TestSuite;
 public class BundleTests {
 public static Test suite() {
 TestSuite suite = new TestSuite(BundleTests.class.getName());
+ suite.addTest(BundleResourceTests.suite());
 suite.addTest(BundleInstallUpdateTests.suite());
 suite.addTest(SystemBundleTests.suite());
 suite.addTest(BundleExceptionTests.suite());
diff --git a/bundles/org.eclipse.osgi/core/framework/org/eclipse/osgi/framework/internal/core/AbstractBundle.java b/bundles/org.eclipse.osgi/core/framework/org/eclipse/osgi/framework/internal/core/AbstractBundle.java
index 1e10d791e..4e3397285 100644
--- a/bundles/org.eclipse.osgi/core/framework/org/eclipse/osgi/framework/internal/core/AbstractBundle.java
+++ b/bundles/org.eclipse.osgi/core/framework/org/eclipse/osgi/framework/internal/core/AbstractBundle.java
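Review bot: In `checkEntries`, the branch for a non-zero `expectedNumber` calls `entries.hasMoreElements()` without a null check, although the same helper treats a null return from `findEntries` as the "nothing found" result; a regression in the escaping would then surface as a NullPointerException rather than an assertion failure. Adding `assertNotNull("Expected entries for " + filePattern, entries);` before the loop, and including `filePattern` in the two existing assertion messages, would show which of the 30 patterns failed. The test is named `testBug328795` while the commit title refers to Bug 328975, so one of the two numbers looks transposed. The comments on the `"paren)"` and `"paren\\)"` cases say `(` where the pattern ends in `)`.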
@@ -1383,11 +1383,14 @@ public abstract class AbstractBundle implements Bundle, Comparable, KeyedElement
 if (filePattern != null)
 try {
 // create a file pattern filter with 'filename' as the key
- patternFilter = FilterImpl.newInstance("(filename=" + filePattern + ")"); //$NON-NLS-1$ //$NON-NLS-2$
+ patternFilter = FilterImpl.newInstance("(filename=" + sanitizeFilterInput(filePattern) + ")"); //$NON-NLS-1$ //$NON-NLS-2$
 // create a single hashtable to be shared during the recursive search
 patternProps = new Hashtable(2);
 } catch (InvalidSyntaxException e) {
- // cannot happen
+ // something unexpected happened; log error and return nothing
+ Bundle b = framework.systemBundle;
+ framework.publishFrameworkEvent(FrameworkEvent.ERROR, b, e);
+ return null;
 }
 // find the local entries of this bundle
 findLocalEntryPaths(path, patternFilter, patternProps, recurse, pathList);
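Review bot: The new catch block publishes `FrameworkEvent.ERROR` against `framework.systemBundle` for what is now an expected outcome of caller input, since `sanitizeFilterInput` throws whenever the pattern ends in an unpaired backslash. If `filePattern` can come from request data, as the bug title suggests, each such request produces an error-level event carrying the pattern inside the exception, which makes the log easy to flood and attributes the event to the wrong bundle. Consider `framework.publishFrameworkEvent(FrameworkEvent.WARNING, this, e);` (assuming this code runs directly in the bundle's own method body) and rewording the comment to `// invalid file pattern supplied by the caller; report it and return nothing`. The enclosing method starts and ends outside the hunk, so how callers handle the new `null` return cannot be checked from here.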
@@ -1450,6 +1453,46 @@ public abstract class AbstractBundle implements Bundle, Comparable, KeyedElement
 };
 }
+ private String sanitizeFilterInput(String filePattern) throws InvalidSyntaxException {
+ StringBuffer buffer = null;
+ boolean foundEscape = false;
+ for (int i = 0; i < filePattern.length(); i++) {
+ char c = filePattern.charAt(i);
+ switch (c) {
+ case '\\' :
+ // we either used the escape found or found a new escape.
+ foundEscape = foundEscape ? false : true;
+ if (buffer != null)
+ buffer.append(c);
+ break;
+ case '(' :
+ case ')' :
+ if (!foundEscape) {
+ if (buffer == null) {
+ buffer = new StringBuffer(filePattern.length() + 16);
+ buffer.append(filePattern.substring(0, i));
+ }
+ // must escape with '\'
+ buffer.append('\\');
+ } else {
+ foundEscape = false; // used the escape found
+ }
+ if (buffer != null)
+ buffer.append(c);
+ break;
+ default :
+ // if we found an escape it has been used
+ foundEscape = false;
+ if (buffer != null)
+ buffer.append(c);
+ break;
+ }
+ }
+ if (foundEscape)
+ throw new InvalidSyntaxException("Trailing escape characters must be escaped.", filePattern); //$NON-NLS-1$
+ return buffer == null ? filePattern : buffer.toString();
+ }
+
 protected void findLocalEntryPaths(String path, Filter patternFilter, Hashtable patternProps, boolean recurse, List pathList) {
 Enumeration entryPaths = bundledata.getEntryPaths(path);
 if (entryPaths == null) |
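Review bot: `sanitizeFilterInput` carries no documentation of its contract, which matters for a security fix because later edits need to know exactly which filter metacharacters it is responsible for. A Javadoc should state that it backslash-escapes every unescaped `(` and `)`, leaves `*` and existing backslash escapes untouched so wildcard patterns keep working, returns the input unchanged when nothing needed escaping, and throws `InvalidSyntaxException` when the pattern ends in an unpaired backslash. As a style point, `foundEscape = foundEscape ? false : true;` reads more plainly as `foundEscape = !foundEscape;`.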