Posted to dev@felix.apache.org by "Konrad Windszus (Jira)" <ji...@apache.org> on 2022/11/24 19:03:00 UTC

[jira] [Updated] (FELIX-6585) WebConsole Bundle Install via POST uses a bundle location which is prone to clashes

     [ https://issues.apache.org/jira/browse/FELIX-6585?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konrad Windszus updated FELIX-6585:
-----------------------------------
    Summary: WebConsole Bundle Install via POST uses a bundle location which is prone to clashes  (was: WebConsole Bundle Install via POST uses a location which is prone to clashes)

> WebConsole Bundle Install via POST uses a bundle location which is prone to clashes
> -----------------------------------------------------------------------------------
>
>                 Key: FELIX-6585
>                 URL: https://issues.apache.org/jira/browse/FELIX-6585
>             Project: Felix
>          Issue Type: Bug
>          Components: Web Console
>    Affects Versions: webconsole-4.8.4
>            Reporter: Konrad Windszus
>            Priority: Major
>
> When installing a bundle via the WebConsole bundle endpoint at https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java#L352, it always sets the bundle location to the filename of the multipart file POST request.
> As that is usually shortened by browsers to contain the filename only (and does not contain the full path, https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/FileItem.html#getName--), this is not a very good identifier and the risk of clashes is pretty high.
> In case the used BSN is unique the following code is executed: https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/InstallHelper.java#L56
> This will overwrite a bundle with the same location.
> It would make sense to pick a more unique location value instead of the name.
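Added example (not code from the issue or from the Felix project): one way to derive the bundle location from the uploaded jar's own manifest instead of the browser-supplied filename, so that two uploads both named bundle.jar share a location only when they carry the same Bundle-SymbolicName and Bundle-Version. The `webconsole:` prefix, the method names and the in-memory jars are assumptions made for the demo.

```java
import java.io.*;
import java.util.*;
import java.util.jar.*;
import java.util.zip.ZipEntry;

public class BundleLocationDemo {
    // Assumed scheme (not Felix code): build the location from the manifest so that
    // two uploads named "bundle.jar" only collide when they really are the same bundle.
    static String manifestLocation(byte[] jar) throws IOException {
        try (JarInputStream in = new JarInputStream(new ByteArrayInputStream(jar))) {
            Manifest mf = in.getManifest();
            if (mf == null) throw new IOException("upload has no META-INF/MANIFEST.MF");
            String bsn = mf.getMainAttributes().getValue("Bundle-SymbolicName");
            String ver = mf.getMainAttributes().getValue("Bundle-Version");
            if (bsn == null) throw new IOException("upload is not an OSGi bundle");
            // BSN may carry directives such as ";singleton:=true"; keep only the name.
            return "webconsole:" + bsn.split(";")[0].trim() + ":" + (ver == null ? "0.0.0" : ver.trim());
        }
    }
    // Constructed in-memory jar holding only a manifest; stands in for a real upload.
    static byte[] fakeBundle(String bsn, String version) throws IOException {
        Manifest mf = new Manifest();
        mf.getMainAttributes().putValue("Manifest-Version", "1.0");
        mf.getMainAttributes().putValue("Bundle-SymbolicName", bsn);
        mf.getMainAttributes().putValue("Bundle-Version", version);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (JarOutputStream out = new JarOutputStream(bos, mf)) {
            out.putNextEntry(new ZipEntry("placeholder.txt"));
            out.write('x');
        }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        byte[] a = fakeBundle("org.example.a;singleton:=true", "1.0.0");
        byte[] b = fakeBundle("org.example.b", "2.0.0");
        // Both uploads arrive with the browser-shortened filename "bundle.jar".
        Map<String, byte[]> byLocation = new HashMap<>();
        byLocation.put("bundle.jar", a);
        byLocation.put("bundle.jar", b); // filename scheme: b silently replaces a
        System.out.println("filename locations tracked: " + byLocation.size());
        byLocation.clear();
        byLocation.put(manifestLocation(a), a);
        byLocation.put(manifestLocation(b), b); // distinct locations, nothing overwritten
        System.out.println("manifest locations tracked: " + byLocation.size());
    }
}
```

The map stands in for the framework's location-keyed bundle registry; with the filename scheme the second install replaces the first, while the manifest-derived scheme keeps both.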



--
This message was sent by Atlassian Jira
(v8.20.10#820010)