Open glassfishrobot opened 12 years ago
Reported by hme
hme said: Sorry this is wrong, because of an other bug or strange code it is not possible to provide a helpset with an URL other than the URL from the request. An attacker has to change the request URL to something he controls.
In createHelpSet() in javax.help.tagext.ValidateTag at first there is this check:
if (!hsName.startsWith("/")) {
hsName = "/" + hsName;
}
This adds an "/" at the beginning if there is non, so this if is never true:
if (hsName.startsWith("http")) {
url = new URL (hsName);
} else {
url = new URL(request.getScheme(),
request.getServerName(),
request.getServerPort(),
hsName);
}
This issue was imported from java.net JIRA JAVAHELP-36
javax.help.tagext.ValidateTag allows to provide the url to the hsName by a reqeust parameter, if no hsName is provided in the code an attacker could provide a link to some helpSet he controls and load it into any website. The request parameter helpset has to be validated before using it.