File eclipse-CVE-2020-27225.patch of Package eclipse.32874

From 213812355860e3732e1b28e620df31db8ff160aa Mon Sep 17 00:00:00 2001
From: Andrew Johnson
Date: Mon, 15 Mar 2021 20:53:01 +0530
Subject: 569855: Fix for Eclipse live help. - Use tokens - Backport to
 R4_15_maintenance branch

Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java
===================================================================
--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java
+++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java
@@ -59,6 +59,7 @@ public final class BaseHelpSystem {
 	private IBrowser browser;
 	private IBrowser internalBrowser;
 	private HelpDisplay helpDisplay = null;
+	private String liveHelpToken = null;
 
 	private BaseHelpSystem() {
 		super();
@@ -350,4 +351,29 @@ public final class BaseHelpSystem {
 		}
 	}
 
+	/**
+ 	 * Check supplied token against stored token. Clears the stored token if
+ 	 * successful.
+ 	 * 
+ 	 * @param helpSessionToken
+ 	 * @return true if match successful
+ 	 */
+ 	public boolean matchOnceLiveHelpToken(String helpSessionToken) {
+ 		/*
+ 		 * @FIXME - should we use a constant time comparison, and store/compare a
+ 		 * cryptographic hash?
+ 		 */
+ 		if (liveHelpToken != null && liveHelpToken.equals(helpSessionToken)) {
+ 			// Enforce one-time use.
+ 			liveHelpToken = null;
+ 			return true;
+ 		} else {
+ 			return false;
+ 		}
+ 	}
+ 
+ 	public void setLiveHelpToken(String helpSessionToken) {
+ 		liveHelpToken = helpSessionToken;
+ 	}
+
 }
Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java
===================================================================
--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java
+++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java
@@ -15,6 +15,8 @@ package org.eclipse.help.internal.base;
 
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.util.UUID;
 
 import org.eclipse.core.runtime.CoreException;
 import org.eclipse.core.runtime.IConfigurationElement;
@@ -196,6 +198,12 @@ public class HelpDisplay {
 				String topic = helpURL.substring("topic=".length()); //$NON-NLS-1$
 				helpURL = getHelpDisplay().getHelpForTopic( topic, WebappManager.getHost(),  WebappManager.getPort());
 			}
+			String basehelp = getBaseURL();
+			if (BaseHelpSystem.getMode() != BaseHelpSystem.MODE_INFOCENTER && helpURL.startsWith(basehelp)) {
+				String sessid = UUID.randomUUID().toString();
+				BaseHelpSystem.getInstance().setLiveHelpToken(sessid);
+				helpURL += (helpURL.indexOf('?') < 0 ? '?' : '&') + "token=" + sessid; //$NON-NLS-1$
+			}
 
 			BaseHelpSystem.getHelpBrowser(forceExternal)
 						.displayURL(helpURL);
Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp
===================================================================
--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp
+++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp
@@ -47,7 +47,15 @@ function liveActionInternal(topHelpWindo
 	url=url.substring(0, i+1);
 	var encodedArg=encodeURIComponent(argument);
 	url=url+"livehelp/?pluginID="+pluginId+"&class="+className+"&arg="+encodedArg+"&nocaching="+Math.random();
-
+    <%
+    Object token = request.getSession().getAttribute("LSESSION"); //$NON-NLS-1$
+    // Validate token to protect against XSS
+    if (token instanceof String && ((String)token).matches("[a-z0-9-]{36}")) {//$NON-NLS-1$) {
+    %>
+    url=url+"&token=<%=token%>";
+    <%
+    }
+    %>
 	// we need to find the toolbar frame.
 	// to do: cleanup this, including the location of the hidden livehelp frame.	
 	var toolbarFrame = topHelpWindow.HelpFrame.ContentFrame.ContentToolbarFrame;
Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp
===================================================================
--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp
+++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp
@@ -12,9 +12,11 @@
      IBM Corporation - initial API and implementation
 --%>
 <%@ page import="org.eclipse.help.internal.webapp.data.*" errorPage="/advanced/err.jsp" contentType="text/html; charset=UTF-8"%>
+<%@ page import="java.util.UUID" %>
+<%@ page import="org.eclipse.help.internal.base.BaseHelpSystem" %>
 <%
 	request.setCharacterEncoding("UTF-8");
-	ServerState.webappStarted(application,request, response);	
+	ServerState.webappStarted(application,request, response);
 	// Read the scope parameter
 	RequestScope.setScopeFromRequest(request, response);
 	LayoutData data = new LayoutData(application,request, response);
@@ -33,7 +35,22 @@
 </body>
 </html>	
 <%
-	}else {
+	} else {
+	    // For live help
+        String token = request.getParameter("token"); //$NON-NLS-1$
+        if (token != null && token.matches("[a-z0-9-]{36}")) { //$NON-NLS-1$
+            if (BaseHelpSystem.getInstance().matchOnceLiveHelpToken(token)) {
+                // Only one session can grab this
+                if (request.getSession().getAttribute("XSESSION") == null) { //$NON-NLS-1$
+                    String token2 = UUID.randomUUID().toString();
+                    request.getSession().setAttribute("XSESSION", token2); //$NON-NLS-1$
+                    int port = request.getLocalPort();
+                    response.addHeader("Set-Cookie", "XSESSION-" + port + "=" + token2 + "; HttpOnly; SameSite=Strict"); //$NON-NLS-1 //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$
+                    String token3 = UUID.randomUUID().toString();
+                    request.getSession().setAttribute("LSESSION", token3); //$NON-NLS-1$
+                }
+            }
+        }
 		request.getRequestDispatcher("/advanced/index.jsp" + data.getQuery()).forward(request, response);
 	}
 %>
Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java
===================================================================
--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java
+++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java
@@ -46,6 +46,11 @@ public class LayoutData extends RequestD
 
 		// initialize the query string
 		String qs = request.getQueryString();
+		// Remove any live help token
+        if (qs != null) {
+            qs = qs.replaceFirst("^token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$
+            qs = qs.replaceFirst("&token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$
+        }
 		if (qs != null && qs.length() > 0)
 			query = "?" + qs; //$NON-NLS-1$
 	}
Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java
===================================================================
--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java
+++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java
@@ -14,8 +14,8 @@
 package org.eclipse.help.internal.webapp.servlet;
 
 import java.io.IOException;
-
 import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -51,6 +51,45 @@ public class LiveHelpServlet extends Htt
 			return;
 		}
 		req.setCharacterEncoding("UTF-8"); //$NON-NLS-1$
+		String sessionid = req.getSession().getId();
+ 		Cookie cookies[] = req.getCookies();
+ 		boolean jsessOK = false;
+ 		boolean xsessOK = false;
+ 		boolean lsessOK = false;
+ 		// Unique session ID per help server
+ 		int port = req.getLocalPort();
+ 		String xsessname = "XSESSION-" + port; //$NON-NLS-1$
+ 		if (cookies != null) {
+ 			for (Cookie cookie : cookies) {
+ 				if (cookie.getName().equals("JSESSIONID")) {//$NON-NLS-1$
+ 					if (sessionid.length() >= 30 &&
+ 							cookie.getValue().startsWith(sessionid)) {
+ 						jsessOK = true;
+ 					}
+ 				}
+ 				if (cookie.getName().equals(xsessname)) {
+ 					if (cookie.getValue().equals(req.getSession().getAttribute("XSESSION"))) { //$NON-NLS-1$
+ 						xsessOK = true;
+ 					}
+ 				}
+ 			}
+ 		}
+ 		String token = req.getParameter("token"); //$NON-NLS-1$
+ 		if (token != null && token.equals(req.getSession().getAttribute("LSESSION"))) { //$NON-NLS-1$
+ 			lsessOK = true;
+ 		}
+ 		if (!jsessOK) {
+ 			resp.sendError(HttpServletResponse.SC_FORBIDDEN, "JSESSIONID"); //$NON-NLS-1$
+ 			return;
+ 		}
+ 		if (!lsessOK) {
+ 			resp.sendError(HttpServletResponse.SC_FORBIDDEN, "token"); //$NON-NLS-1$
+ 			return;
+ 		}
+ 		if (!xsessOK) {
+ 			resp.sendError(HttpServletResponse.SC_FORBIDDEN, xsessname);
+ 			return;
+ 		}
 		String pluginID = req.getParameter("pluginID"); //$NON-NLS-1$
 		if (pluginID == null)
 			return;
@@ -59,6 +98,11 @@ public class LiveHelpServlet extends Htt
 			return;
 		String arg = req.getParameter("arg"); //$NON-NLS-1$
 		BaseHelpSystem.runLiveHelp(pluginID, className, arg);
+		/*
+ 		 * @FIXME Should runLiveHelp return an error if the plugin/class is wrong
+ 		 * so a SC_BAD_REQUEST can be returned? Or does this reveal too much?
+ 		 */
+ 		resp.setStatus(HttpServletResponse.SC_ACCEPTED);
 	}
 	/**
 	 *
openSUSE Build Service is sponsored by