author | Mickael Istria | 2021-10-05 15:35:18 +0000 |
committer | Mickael Istria | 2021-10-06 12:29:06 +0000 |
commit | 6dde74440392ceaedef52216f3c4483b607699bf (patch) | |
tree | d2e7f4bc0e3e4d6e0c9dc281b4a4c71bdf60ad47 | |
parent | de26c6fb23d6861afde0c0026d6f8ddec2bb421c (diff) | |
Bug 576428 - Log warning repo uses unsafe (eg http) protocolI20211007-0350I20211006-1800
Change-Id: Ibbdd4e8e3905458c2414c8250ce7f473c7a185c7
Reviewed-on: https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/186159
Tested-by: Equinox Bot <equinox-bot@eclipse.org>
Reviewed-by: Mickael Istria <mistria@redhat.com>
5 files changed, 19 insertions, 10 deletions
diff --git a/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF
index 173ef5315..ce71e8628 100644
--- a/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %pluginName
 Bundle-SymbolicName: org.eclipse.equinox.p2.repository;singleton:=true
-Bundle-Version: 2.5.200.qualifier
+Bundle-Version: 2.5.300.qualifier
 Bundle-Activator: org.eclipse.equinox.internal.p2.repository.Activator
 Bundle-Vendor: %providerName
 Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.repository/pom.xml b/bundles/org.eclipse.equinox.p2.repository/pom.xml
index c3d2e5597..bc860f788 100644
--- a/bundles/org.eclipse.equinox.p2.repository/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.repository/pom.xml
@@ -9,6 +9,6 @@
 </parent>
 <groupId>org.eclipse.equinox</groupId>
 <artifactId>org.eclipse.equinox.p2.repository</artifactId>
- <version>2.5.200-SNAPSHOT</version>
+ <version>2.5.300-SNAPSHOT</version>
 <packaging>eclipse-plugin</packaging>
 </project>
diff --git a/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/repository/CacheManager.java b/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/repository/CacheManager.java
index 5b5b1cfe6..aeda92105 100644
--- a/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/repository/CacheManager.java
+++ b/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/repository/CacheManager.java
@@ -33,7 +33,7 @@ import org.eclipse.osgi.util.NLS; /** * A class to manage metadata cache files. Creating the cache files will place * the file in the AgentData location in a cache directory. - * + * * Using the bus listeners will allow the manager to listen for repository * events. When a repository is removed, it will remove the cache file if one * was created for the repository. @@ -95,6 +95,7 @@ public class CacheManager { if (!isURL(remoteFile)) { throw new ProvisionException(new Status(IStatus.ERROR, Activator.ID, ProvisionException.REPOSITORY_NOT_FOUND, NLS.bind(Messages.CacheManager_CannotLoadNonUrlLocation, remoteFile), null)); } + checkLocationIsSecure(remoteFile); SubMonitor submonitor = SubMonitor.convert(monitor, 1000); try { @@ -145,13 +146,13 @@ public class CacheManager { /** * Returns a local cache file with the contents of the given remote location, * or <code>null</code> if a local cache could not be created. - * + * * @param repositoryLocation The remote location to be cached * @param prefix The prefix to use when creating the cache file * @param monitor a progress monitor * @return A {@link File} object pointing to the cache file or <code>null</code> * if the location is not a repository. - * @throws FileNotFoundException if neither jar nor xml index file exists at given location + * @throws FileNotFoundException if neither jar nor xml index file exists at given location * @throws AuthenticationFailedException if jar not available and xml causes authentication fail * @throws IOException on general IO errors * @throws ProvisionException on any error (e.g. user cancellation, unknown host, malformed address, connection refused, etc.) 
@@ -161,7 +162,7 @@ public class CacheManager { if (!isURL(repositoryLocation)) { throw new ProvisionException(new Status(IStatus.ERROR, Activator.ID, ProvisionException.REPOSITORY_NOT_FOUND, NLS.bind(Messages.CacheManager_CannotLoadNonUrlLocation, repositoryLocation), null)); } - + checkLocationIsSecure(repositoryLocation); SubMonitor submonitor = SubMonitor.convert(monitor, 1000); try { knownPrefixes.add(prefix); @@ -170,7 +171,7 @@ public class CacheManager { URI xmlLocation = URIUtil.append(repositoryLocation, prefix + XML_EXTENSION); int hashCode = computeHash(repositoryLocation); - // Knowing if cache is stale is complicated by the fact that a jar could have been + // Knowing if cache is stale is complicated by the fact that a jar could have been // produced after an xml index (and vice versa), and by the need to capture any // errors, as these needs to be reported to the user as something meaningful - instead of // just a general "can't read repository". @@ -228,7 +229,7 @@ public class CacheManager { // when checking for the jar may not be correct). try { lastModifiedRemote = getLastModified(xmlLocation, submonitor.newChild(1)); - // if lastModifiedRemote is 0 - something is wrong in the communication stack, as + // if lastModifiedRemote is 0 - something is wrong in the communication stack, as // a FileNotFound exception should have been thrown. // bug 269588 - server may return 0 when file exists - site is not correctly configured if (lastModifiedRemote <= 0) 
@@ -268,6 +269,12 @@ public class CacheManager { } } + private void checkLocationIsSecure(URI repositoryLocation) { + if ("http".equals(repositoryLocation.getScheme())) { //$NON-NLS-1$ + LogHelper.log(new Status(IStatus.WARNING, Activator.ID, NLS.bind(Messages.unsafeHttp, repositoryLocation))); + } + } + private long getLastModified(URI location, IProgressMonitor monitor) throws AuthenticationFailedException, FileNotFoundException, CoreException { CoreException exception = null; long lastModifiedRemote = -1L; @@ -405,7 +412,7 @@ public class CacheManager { if (!downloadDir.exists()) downloadDir.mkdir(); File tempFile = new File(downloadDir, cacheFile.getName()); - // Ensure that the file from a previous download attempt is removed + // Ensure that the file from a previous download attempt is removed if (tempFile.exists()) safeDelete(tempFile); diff --git a/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/repository/Messages.java b/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/repository/Messages.java index cd508f561..cd53a09b0 100644 --- a/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/repository/Messages.java +++ b/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/repository/Messages.java @@ -7,7 +7,7 @@ * https://www.eclipse.org/legal/epl-2.0/ * * SPDX-License-Identifier: EPL-2.0 - * + * * Contributors: * IBM Corporation - initial API and implementation * Cloudsmith Inc - additional messages @@ -89,6 +89,7 @@ public class Messages extends NLS { public static String UnableToRead_0_UserCanceled; public static String RepositoryTransport_failedReadRepo; + public static String unsafeHttp; static { // initialize resource bundles 
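Review bot: checkLocationIsSecure compares the scheme with `"http".equals(repositoryLocation.getScheme())`, which is case-sensitive, while URI schemes are case-insensitive (RFC 3986 §3.1), so a repository registered as `HTTP://…` produces no warning; `if ("http".equalsIgnoreCase(repositoryLocation.getScheme())) { //$NON-NLS-1$` closes that gap. The commit title speaks of "unsafe (eg http) protocol" but only the `http` literal is tested; if other cleartext schemes are meant to be covered, the method should check a small set of schemes rather than one string. The check only inspects the configured URI, so an https location that the transport later follows to a plain-http redirect is presumably not caught here — that limit deserves a Javadoc line on the new method, e.g. `/** Logs a warning when the given repository location uses plain http; only the scheme of this URI is inspected, redirects are not. */`. Both call sites (the hunks at -95 and -161) run before the cache is consulted, so the warning appears to be logged on every load of such a repository rather than once.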
diff --git a/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/repository/messages.properties b/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/repository/messages.properties
index 8c920be73..a2b8daa56 100644
--- a/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/repository/messages.properties
+++ b/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/repository/messages.properties
@@ -80,3 +80,4 @@ connection_to_0_failed_on_1_retry_attempt_2=Connection to {0} failed on {1}. Ret
 UnableToRead_0_TooManyAttempts=Unable to read repository at: {0}. Too many failed login attempts.
 UnableToRead_0_UserCanceled=Unable to read repository at: {0}. Login canceled by user.
 RepositoryTransport_failedReadRepo=Error while reading from repository: {0}.
+unsafeHttp=Using unsafe http transport to retrieve {0}, see CVE-2021-41033. Consider using https instead.
\ No newline at end of file |
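Review bot: The added `unsafeHttp` line is written without a trailing newline (`\ No newline at end of file`), so the next key appended to messages.properties will show this line as modified again in that diff. Terminating the line with a newline keeps future changes to the file to one-line additions.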