You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@felix.apache.org by "Konrad Windszus (Jira)" <ji...@apache.org> on 2022/11/24 18:48:00 UTC
[jira] [Updated] (FELIX-6585) WebConsole Bundle Install via POST uses a location which is prone to clashes
[ https://issues.apache.org/jira/browse/FELIX-6585?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Konrad Windszus updated FELIX-6585:
-----------------------------------
Description:
When installing a bundle via the WebConsole bundle endpoint at https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java#L352 it always sets the bundle location to the filename of the multipart file POST request.
As that is usually shortened to contain the filename only by browsers (and does not contain the full path, https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/FileItem.html#getName--) this is not a very good identifier and the risk for clashes is pretty high.
In case the used BSN is unique the following code is executed: https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/InstallHelper.java#L56
This will overwrite a bundle with the same location.
It would make sense to pick a more unique location value instead of the name.
was:
When installing a bundle via the WebConsole bundle endpoint at https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java#L352 it always sets the bundle location to the filename of the multipart file POST request.
As that is usually stripped to the filename only by browsers (and does not contain the full path, https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/FileItem.html#getName--) this is not a very good identifier and the risk for clashes is pretty high.
In case the used BSN is unique the following code is executed: https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/InstallHelper.java#L56
This will overwrite a bundle with the same location.
It would make sense to pick a more unique location value instead of the name.
> WebConsole Bundle Install via POST uses a location which is prone to clashes
> ----------------------------------------------------------------------------
>
> Key: FELIX-6585
> URL: https://issues.apache.org/jira/browse/FELIX-6585
> Project: Felix
> Issue Type: Bug
> Components: Web Console
> Affects Versions: webconsole-4.8.4
> Reporter: Konrad Windszus
> Priority: Major
>
> When installing a bundle via the WebConsole bundle endpoint at https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java#L352 it always sets the bundle location to the filename of the multipart file POST request.
> As that is usually shortened to contain the filename only by browsers (and does not contain the full path, https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/FileItem.html#getName--) this is not a very good identifier and the risk for clashes is pretty high.
> In case the used BSN is unique the following code is executed: https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/InstallHelper.java#L56
> This will overwrite a bundle with the same location.
> It would make sense to pick a more unique location value instead of the name.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)