From 96034c8a16cb15f8a0ed540ce1f61c7da1f4314d Mon Sep 17 00:00:00 2001
From: fstrba <>
Date: Mar 19 2021 15:55:40 +0000
Subject: Update eclipse to version 4.15 / rev 14 via SR 880010


https://build.opensuse.org/request/show/880010
by user fstrba + RBrownSUSE

---

diff --git a/.files b/.files
index 083ce48..7489065 100644
Binary files a/.files and b/.files differ
diff --git a/.rev b/.rev
index 21298b3..aee8a91 100644
--- a/.rev
+++ b/.rev
@@ -103,4 +103,12 @@
     <comment>Fix use of native keystore on platforms where it is supported</comment>
     <requestid>821377</requestid>
   </revision>
+  <revision rev="14" vrev="3">
+    <srcmd5>498549cf61a63cd311d3eff6ae5054b1</srcmd5>
+    <version>4.15</version>
+    <time>1616168594</time>
+    <user>RBrownSUSE</user>
+    <comment></comment>
+    <requestid>880010</requestid>
+  </revision>
 </revisionlist>
diff --git a/eclipse-CVE-2020-27225.patch b/eclipse-CVE-2020-27225.patch
new file mode 100644
index 0000000..fe17dda
--- /dev/null
+++ b/eclipse-CVE-2020-27225.patch
@@ -0,0 +1,224 @@
+From 213812355860e3732e1b28e620df31db8ff160aa Mon Sep 17 00:00:00 2001
+From: Andrew Johnson
+Date: Mon, 15 Mar 2021 20:53:01 +0530
+Subject: 569855: Fix for Eclipse live help. - Use tokens - Backport to
+ R4_15_maintenance branch
+
+Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java
+===================================================================
+--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java
++++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java
+@@ -59,6 +59,7 @@ public final class BaseHelpSystem {
+ 	private IBrowser browser;
+ 	private IBrowser internalBrowser;
+ 	private HelpDisplay helpDisplay = null;
++	private String liveHelpToken = null;
+ 
+ 	private BaseHelpSystem() {
+ 		super();
+@@ -350,4 +351,29 @@ public final class BaseHelpSystem {
+ 		}
+ 	}
+ 
++	/**
++ 	 * Check supplied token against stored token. Clears the stored token if
++ 	 * successful.
++ 	 * 
++ 	 * @param helpSessionToken
++ 	 * @return true if match successful
++ 	 */
++ 	public boolean matchOnceLiveHelpToken(String helpSessionToken) {
++ 		/*
++ 		 * @FIXME - should we use a constant time comparison, and store/compare a
++ 		 * cryptographic hash?
++ 		 */
++ 		if (liveHelpToken != null && liveHelpToken.equals(helpSessionToken)) {
++ 			// Enforce one-time use.
++ 			liveHelpToken = null;
++ 			return true;
++ 		} else {
++ 			return false;
++ 		}
++ 	}
++ 
++ 	public void setLiveHelpToken(String helpSessionToken) {
++ 		liveHelpToken = helpSessionToken;
++ 	}
++
+ }
+Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java
+===================================================================
+--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java
++++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java
+@@ -15,6 +15,8 @@ package org.eclipse.help.internal.base;
+ 
+ import java.io.UnsupportedEncodingException;
+ import java.net.URLEncoder;
++import java.nio.charset.StandardCharsets;
++import java.util.UUID;
+ 
+ import org.eclipse.core.runtime.CoreException;
+ import org.eclipse.core.runtime.IConfigurationElement;
+@@ -196,6 +198,12 @@ public class HelpDisplay {
+ 				String topic = helpURL.substring("topic=".length()); //$NON-NLS-1$
+ 				helpURL = getHelpDisplay().getHelpForTopic( topic, WebappManager.getHost(),  WebappManager.getPort());
+ 			}
++			String basehelp = getBaseURL();
++			if (BaseHelpSystem.getMode() != BaseHelpSystem.MODE_INFOCENTER && helpURL.startsWith(basehelp)) {
++				String sessid = UUID.randomUUID().toString();
++				BaseHelpSystem.getInstance().setLiveHelpToken(sessid);
++				helpURL += (helpURL.indexOf('?') < 0 ? '?' : '&') + "token=" + sessid; //$NON-NLS-1$
++			}
+ 
+ 			BaseHelpSystem.getHelpBrowser(forceExternal)
+ 						.displayURL(helpURL);
+Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp
+===================================================================
+--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp
++++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp
+@@ -47,7 +47,15 @@ function liveActionInternal(topHelpWindo
+ 	url=url.substring(0, i+1);
+ 	var encodedArg=encodeURIComponent(argument);
+ 	url=url+"livehelp/?pluginID="+pluginId+"&class="+className+"&arg="+encodedArg+"&nocaching="+Math.random();
+-
++    <%
++    Object token = request.getSession().getAttribute("LSESSION"); //$NON-NLS-1$
++    // Validate token to protect against XSS
++    if (token instanceof String && ((String)token).matches("[a-z0-9-]{36}")) {//$NON-NLS-1$) {
++    %>
++    url=url+"&token=<%=token%>";
++    <%
++    }
++    %>
+ 	// we need to find the toolbar frame.
+ 	// to do: cleanup this, including the location of the hidden livehelp frame.	
+ 	var toolbarFrame = topHelpWindow.HelpFrame.ContentFrame.ContentToolbarFrame;
+Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp
+===================================================================
+--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp
++++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp
+@@ -12,9 +12,11 @@
+      IBM Corporation - initial API and implementation
+ --%>
+ <%@ page import="org.eclipse.help.internal.webapp.data.*" errorPage="/advanced/err.jsp" contentType="text/html; charset=UTF-8"%>
++<%@ page import="java.util.UUID" %>
++<%@ page import="org.eclipse.help.internal.base.BaseHelpSystem" %>
+ <%
+ 	request.setCharacterEncoding("UTF-8");
+-	ServerState.webappStarted(application,request, response);	
++	ServerState.webappStarted(application,request, response);
+ 	// Read the scope parameter
+ 	RequestScope.setScopeFromRequest(request, response);
+ 	LayoutData data = new LayoutData(application,request, response);
+@@ -33,7 +35,22 @@
+ </body>
+ </html>	
+ <%
+-	}else {
++	} else {
++	    // For live help
++        String token = request.getParameter("token"); //$NON-NLS-1$
++        if (token != null && token.matches("[a-z0-9-]{36}")) { //$NON-NLS-1$
++            if (BaseHelpSystem.getInstance().matchOnceLiveHelpToken(token)) {
++                // Only one session can grab this
++                if (request.getSession().getAttribute("XSESSION") == null) { //$NON-NLS-1$
++                    String token2 = UUID.randomUUID().toString();
++                    request.getSession().setAttribute("XSESSION", token2); //$NON-NLS-1$
++                    int port = request.getLocalPort();
++                    response.addHeader("Set-Cookie", "XSESSION-" + port + "=" + token2 + "; HttpOnly; SameSite=Strict"); //$NON-NLS-1 //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$
++                    String token3 = UUID.randomUUID().toString();
++                    request.getSession().setAttribute("LSESSION", token3); //$NON-NLS-1$
++                }
++            }
++        }
+ 		request.getRequestDispatcher("/advanced/index.jsp" + data.getQuery()).forward(request, response);
+ 	}
+ %>
+Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java
+===================================================================
+--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java
++++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java
+@@ -46,6 +46,11 @@ public class LayoutData extends RequestD
+ 
+ 		// initialize the query string
+ 		String qs = request.getQueryString();
++		// Remove any live help token
++        if (qs != null) {
++            qs = qs.replaceFirst("^token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$
++            qs = qs.replaceFirst("&token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$
++        }
+ 		if (qs != null && qs.length() > 0)
+ 			query = "?" + qs; //$NON-NLS-1$
+ 	}
+Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java
+===================================================================
+--- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java
++++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java
+@@ -14,8 +14,8 @@
+ package org.eclipse.help.internal.webapp.servlet;
+ 
+ import java.io.IOException;
+-
+ import javax.servlet.ServletException;
++import javax.servlet.http.Cookie;
+ import javax.servlet.http.HttpServlet;
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+@@ -51,6 +51,45 @@ public class LiveHelpServlet extends Htt
+ 			return;
+ 		}
+ 		req.setCharacterEncoding("UTF-8"); //$NON-NLS-1$
++		String sessionid = req.getSession().getId();
++ 		Cookie cookies[] = req.getCookies();
++ 		boolean jsessOK = false;
++ 		boolean xsessOK = false;
++ 		boolean lsessOK = false;
++ 		// Unique session ID per help server
++ 		int port = req.getLocalPort();
++ 		String xsessname = "XSESSION-" + port; //$NON-NLS-1$
++ 		if (cookies != null) {
++ 			for (Cookie cookie : cookies) {
++ 				if (cookie.getName().equals("JSESSIONID")) {//$NON-NLS-1$
++ 					if (sessionid.length() >= 30 &&
++ 							cookie.getValue().startsWith(sessionid)) {
++ 						jsessOK = true;
++ 					}
++ 				}
++ 				if (cookie.getName().equals(xsessname)) {
++ 					if (cookie.getValue().equals(req.getSession().getAttribute("XSESSION"))) { //$NON-NLS-1$
++ 						xsessOK = true;
++ 					}
++ 				}
++ 			}
++ 		}
++ 		String token = req.getParameter("token"); //$NON-NLS-1$
++ 		if (token != null && token.equals(req.getSession().getAttribute("LSESSION"))) { //$NON-NLS-1$
++ 			lsessOK = true;
++ 		}
++ 		if (!jsessOK) {
++ 			resp.sendError(HttpServletResponse.SC_FORBIDDEN, "JSESSIONID"); //$NON-NLS-1$
++ 			return;
++ 		}
++ 		if (!lsessOK) {
++ 			resp.sendError(HttpServletResponse.SC_FORBIDDEN, "token"); //$NON-NLS-1$
++ 			return;
++ 		}
++ 		if (!xsessOK) {
++ 			resp.sendError(HttpServletResponse.SC_FORBIDDEN, xsessname);
++ 			return;
++ 		}
+ 		String pluginID = req.getParameter("pluginID"); //$NON-NLS-1$
+ 		if (pluginID == null)
+ 			return;
+@@ -59,6 +98,11 @@ public class LiveHelpServlet extends Htt
+ 			return;
+ 		String arg = req.getParameter("arg"); //$NON-NLS-1$
+ 		BaseHelpSystem.runLiveHelp(pluginID, className, arg);
++		/*
++ 		 * @FIXME Should runLiveHelp return an error if the plugin/class is wrong
++ 		 * so a SC_BAD_REQUEST can be returned? Or does this reveal too much?
++ 		 */
++ 		resp.setStatus(HttpServletResponse.SC_ACCEPTED);
+ 	}
+ 	/**
+ 	 *
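Review bot: The one-time-use guarantee of `matchOnceLiveHelpToken` in BaseHelpSystem.java is not atomic and not thread-safe: `liveHelpToken` is a plain field, set via `setLiveHelpToken` from HelpDisplay and consumed from index.jsp on a help-server request thread, so there is no happens-before between writer and reader, and the `equals` check and the `liveHelpToken = null` clear are two separate steps that two concurrent requests can both pass; the patch's own `@FIXME` already flags that `equals` is not a constant-time comparison. Holding the token in an `AtomicReference` and consuming it with `compareAndSet`, with `MessageDigest.isEqual` on the UTF-8 bytes for the comparison, closes all three at once (BaseHelpSystem.java would need imports of `java.security.MessageDigest`, `java.nio.charset.StandardCharsets` and `java.util.concurrent.atomic.AtomicReference`; the `StandardCharsets` import the patch adds is in HelpDisplay.java only). The same timing-safe comparison applies to `token.equals(req.getSession().getAttribute("LSESSION"))` and the `XSESSION` cookie check in LiveHelpServlet.java, whose values are likewise fixed-length UUID strings. The nested hunks show only fragments of BaseHelpSystem and LiveHelpServlet, so the surrounding class bodies are outside this view.
```java
	private final AtomicReference<String> liveHelpToken = new AtomicReference<>();
	// … unchanged: constructor and the rest of BaseHelpSystem …

	/**
	 * Check supplied token against stored token. Clears the stored token if
	 * successful; check and clear are one atomic step so the token can be
	 * consumed only once even under concurrent requests.
	 *
	 * @param helpSessionToken token taken from the request, may be null
	 * @return true if match successful
	 */
	public boolean matchOnceLiveHelpToken(String helpSessionToken) {
		String expected = liveHelpToken.get();
		if (expected == null || helpSessionToken == null) {
			return false;
		}
		// Constant-time compare; both values are fixed-length UUID strings.
		boolean match = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
				helpSessionToken.getBytes(StandardCharsets.UTF_8));
		// Enforce one-time use: only the caller that wins the CAS gets true.
		return match && liveHelpToken.compareAndSet(expected, null);
	}

	public void setLiveHelpToken(String helpSessionToken) {
		liveHelpToken.set(helpSessionToken);
	}
```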
diff --git a/eclipse.changes b/eclipse.changes
index 6f8f1df..5cb59e7 100644
--- a/eclipse.changes
+++ b/eclipse.changes
@@ -1,4 +1,14 @@
 -------------------------------------------------------------------
+Thu Mar 18 17:38:41 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1183728, CVE-2020-27225]
+  * The Help Subsystem does not authenticate active help requests
+    to the local help web server, allowing an unauthenticated local
+    attacker to issue active help commands to the associated Eclipse
+    Platform process or Eclipse Rich Client Platform process.
+- Add eclipse-CVE-2020-27225.patch
+
+-------------------------------------------------------------------
 Thu Jul 16 23:57:01 UTC 2020 - Fridrich Strba <fstrba@suse.com>
 
 - Added patch:
diff --git a/eclipse.spec b/eclipse.spec
index 0d18075..bab94a2 100644
--- a/eclipse.spec
+++ b/eclipse.spec
@@ -1,7 +1,7 @@
 #
-# spec file for package eclipse
+# spec file for package eclipse-bootstrap
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -115,6 +115,8 @@ Patch31:        eclipse-suse-batik.patch
 # Fix build on ppc64 big endian
 Patch33:        eclipse-ppc64.patch
 Patch34:        eclipse-libkeystorelinuxnative.patch
+# PATCH-FIX-UPSTREAM bsc#1183728 CVE-2020-27225 Help Subsystem does not authenticate active help requests
+Patch35:        eclipse-CVE-2020-27225.patch
 BuildRequires:  ant >= 1.10.5
 BuildRequires:  ant-antlr
 BuildRequires:  ant-apache-bcel
@@ -252,6 +254,7 @@ everything in between.
 %if %{with bootstrap}
 %package        -n eclipse-swt-bootstrap
 %else
+
 %package        swt
 Obsoletes:      eclipse-swt-bootstrap
 %endif
@@ -265,6 +268,7 @@ Requires:       libwebkit2gtk-4_0-37
 %if %{with bootstrap}
 %description -n eclipse-swt-bootstrap
 %else
+
 %description swt
 %endif
 SWT Library for GTK+.
@@ -272,6 +276,7 @@ SWT Library for GTK+.
 %if %{with bootstrap}
 %package        -n eclipse-equinox-osgi-bootstrap
 %else
+
 %package        equinox-osgi
 Obsoletes:      eclipse-equinox-osgi-bootstrap
 %endif
@@ -284,6 +289,7 @@ Provides:       osgi(system.bundle) = %{version}
 %if %{with bootstrap}
 %description  -n eclipse-equinox-osgi-bootstrap
 %else
+
 %description  equinox-osgi
 %endif
 Eclipse OSGi - Equinox
@@ -293,6 +299,7 @@ Eclipse OSGi - Equinox
 Requires:       eclipse-equinox-osgi-bootstrap = %{version}-%{release}
 Requires:       eclipse-swt-bootstrap = %{version}-%{release}
 %else
+
 %package        platform
 Requires:       %{name}-equinox-osgi = %{version}-%{release}
 Requires:       %{name}-swt = %{version}-%{release}
@@ -373,6 +380,7 @@ Requires:       eclipse-emf-core >= 2.14.0
 %if %{with bootstrap}
 %description    -n eclipse-platform-bootstrap
 %else
+
 %description    platform
 %endif
 The Eclipse Platform is the base of all IDE plugins.  This does not include the
@@ -382,6 +390,7 @@ Java Development Tools or the Plugin Development Environment.
 %package        -n eclipse-jdt-bootstrap
 Requires:       eclipse-platform-bootstrap = %{version}-%{release}
 %else
+
 %package        jdt
 Requires:       %{name}-platform = %{version}-%{release}
 Obsoletes:      eclipse-jdt-bootstrap
@@ -397,6 +406,7 @@ BuildArch:      noarch
 %if %{with bootstrap}
 %description    -n eclipse-jdt-bootstrap
 %else
+
 %description    jdt
 %endif
 Eclipse Java Development Tools.  This package is required to use Eclipse for
@@ -407,6 +417,7 @@ developing software written in the Java programming language.
 Requires:       eclipse-jdt-bootstrap = %{version}-%{release}
 Requires:       eclipse-platform-bootstrap = %{version}-%{release}
 %else
+
 %package        pde
 Requires:       %{name}-jdt = %{version}-%{release}
 Requires:       %{name}-platform = %{version}-%{release}
@@ -419,6 +430,7 @@ Requires:       objectweb-asm >= 7.0
 %if %{with bootstrap}
 %description    -n eclipse-pde-bootstrap
 %else
+
 %description    pde
 %endif
 Eclipse Plugin Development Environment.  This package is required for
@@ -428,6 +440,7 @@ developing Eclipse plugins.
 %package        -n eclipse-p2-discovery-bootstrap
 Requires:       eclipse-platform-bootstrap = %{version}-%{release}
 %else
+
 %package        p2-discovery
 Requires:       %{name}-platform = %{version}-%{release}
 Obsoletes:      eclipse-p2-discovery-bootstrap
@@ -439,6 +452,7 @@ BuildArch:      noarch
 %if %{with bootstrap}
 %description    -n eclipse-p2-discovery-bootstrap
 %else
+
 %description    p2-discovery
 %endif
 The p2 Discovery mechanism provides a simplified and branded front-end for the
@@ -451,6 +465,7 @@ installer UIs.
 %package        -n eclipse-contributor-tools-bootstrap
 Requires:       eclipse-platform-bootstrap = %{version}-%{release}
 %else
+
 %package        contributor-tools
 Requires:       %{name}-platform = %{version}-%{release}
 Obsoletes:      eclipse-contributor-tools-bootstrap
@@ -463,6 +478,7 @@ Obsoletes:      %{name}-tests < 4.14-2
 %if %{with bootstrap}
 %description    -n eclipse-contributor-tools-bootstrap
 %else
+
 %description    contributor-tools
 %endif
 This package contains tools specifically for Eclipse contributors. It includes
@@ -505,6 +521,7 @@ tar --strip-components=1 -xf %{SOURCE1}
 %patch31 -p1
 %patch33 -p1
 %patch34 -p1
+%patch35 -p1
 
 # Optional (unused) multipart support (see patch 25)
 rm rt.equinox.bundles/bundles/org.eclipse.equinox.http.servlet/src/org/eclipse/equinox/http/servlet/internal/multipart/MultipartSupport{Impl,FactoryImpl,Part}.java
@@ -959,6 +976,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist}
 %if %{with bootstrap}
 %files -n eclipse-swt-bootstrap -f .mfiles-swt
 %else
+
 %files swt -f .mfiles-swt
 %endif
 %{_eclipsedir}/plugins/org.eclipse.swt_*
@@ -969,6 +987,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist}
 %if %{with bootstrap}
 %files -n eclipse-platform-bootstrap
 %else
+
 %files platform
 %endif
 %{_bindir}/eclipse
@@ -1154,6 +1173,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist}
 %if %{with bootstrap}
 %files -n eclipse-jdt-bootstrap -f .mfiles-jdt
 %else
+
 %files jdt -f .mfiles-jdt
 %endif
 %{_datadir}/appdata/eclipse-jdt.metainfo.xml
@@ -1161,6 +1181,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist}
 %if %{with bootstrap}
 %files -n eclipse-pde-bootstrap -f .mfiles-pde -f .mfiles-cvs -f .mfiles-sdk
 %else
+
 %files pde -f .mfiles-pde -f .mfiles-cvs -f .mfiles-sdk
 %endif
 %{_datadir}/appdata/eclipse-pde.metainfo.xml
@@ -1168,6 +1189,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist}
 %if %{with bootstrap}
 %files -n eclipse-p2-discovery-bootstrap -f .mfiles-p2-discovery
 %else
+
 %files p2-discovery -f .mfiles-p2-discovery
 %endif
 
@@ -1175,6 +1197,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist}
 %if %{with bootstrap}
 %files -n eclipse-contributor-tools-bootstrap -f .mfiles-contributor-tools
 %else
+
 %files contributor-tools -f .mfiles-contributor-tools
 %endif
 %endif
@@ -1182,6 +1205,7 @@ echo "%{version}-%{release}" > %{buildroot}%{_eclipsedir}/.pkgs/Distro%{?dist}
 %if %{with bootstrap}
 %files -n eclipse-equinox-osgi-bootstrap -f .mfiles-equinox-osgi
 %else
+
 %files equinox-osgi -f .mfiles-equinox-osgi
 %endif
 %{_eclipsedir}/plugins/org.eclipse.osgi_*