Posted to commits@felix.apache.org by vv...@apache.org on 2014/10/03 09:56:40 UTC
svn commit: r1629129 - in
/felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole:
AbstractWebConsolePlugin.java WebConsoleUtil.java
Author: vvalchev
Date: Fri Oct 3 07:56:39 2014
New Revision: 1629129
URL: http://svn.apache.org/r1629129
Log:
Fixed FELIX-4660 : Security problem in WebConsoleUtil.getParameter() method
https://issues.apache.org/jira/browse/FELIX-4660
Modified:
felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java
felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java
Modified: felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java
URL: http://svn.apache.org/viewvc/felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java?rev=1629129&r1=1629128&r2=1629129&view=diff
==============================================================================
--- felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java (original)
+++ felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java Fri Oct 3 07:56:39 2014
@@ -57,6 +57,23 @@ public abstract class AbstractWebConsole
/** The name of the request attribute containing the map of FileItems from the POST request */
public static final String ATTR_FILEUPLOAD = "org.apache.felix.webconsole.fileupload"; //$NON-NLS-1$
+
+ /**
+ * The name of the request attribute containing a {@link java.io.File} - upload repository path used by
+ * {@link org.apache.commons.fileupload.disk.DiskFileItemFactory}.<p>
+ *
+ * The Web Console plugin, that utilizes file upload capabilities of the web console SHOULD:
+ * <ol>
+ * <li>Obtain the file using {@link org.osgi.framework.BundleContext#getDataFile(String)}
+ * <li>Set the file as request attribute
+ * <li>Use {@link WebConsoleUtil#getParameter(HttpServletRequest, String)} to obtain the file(s)
+ * </ol>
+ *
+ * Without setting this attribute, your plugin will not work if there is a security manager enabled.
+ * It is guaranteed, that your plugin has permissions to read/write/delete files to the location,
+ * provided by the bundle context.
+ */
+ public static final String ATTR_FILEUPLOAD_REPO = "org.apache.felix.webconsole.fileupload.repo"; //$NON-NLS-1$
/**
* Web Console Plugin typically consists of servlet and resources such as images,
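Review bot: The new Javadoc on ATTR_FILEUPLOAD_REPO only warns that a plugin "will not work" under a security manager, but does not say what happens when the attribute is not set at all: in the matching WebConsoleUtil change the DiskFileItemFactory then keeps its default repository, which (as far as I recall of commons-fileupload) is the JVM temporary directory, i.e. the shared location FELIX-4660 is moving away from. Since this commit is labelled a security fix, I would state that explicitly, e.g. add after the "Without setting this attribute" sentence: `* If the attribute is not set, uploaded files larger than the size threshold are spooled to the default DiskFileItemFactory repository (the JVM temporary directory), which may be readable by other local users.` Step 1 should also note that BundleContext.getDataFile presumably only returns a File object and does not create the directory, so the plugin must create it (mkdirs) before passing it on, otherwise the upload cannot be written. Minor wording: `The Web Console plugin, that utilizes` reads better as `A Web Console plugin that utilizes`, and `It is guaranteed, that` as `It is guaranteed that`.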
Modified: felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java
URL: http://svn.apache.org/viewvc/felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java?rev=1629129&r1=1629128&r2=1629129&view=diff
==============================================================================
--- felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java (original)
+++ felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java Fri Oct 3 07:56:39 2014
@@ -19,6 +19,7 @@
package org.apache.felix.webconsole;
+import java.io.File;
import java.io.IOException;
import java.lang.reflect.Array;
import java.net.URLDecoder;
@@ -138,6 +139,12 @@ public final class WebConsoleUtil
// Create a factory for disk-based file items
DiskFileItemFactory factory = new DiskFileItemFactory();
factory.setSizeThreshold( 256000 );
+ // See https://issues.apache.org/jira/browse/FELIX-4660
+ final Object repo = request.getAttribute( AbstractWebConsolePlugin.ATTR_FILEUPLOAD_REPO );
+ if ( repo instanceof File )
+ {
+ factory.setRepository( (File) repo );
+ }
// Create a new file upload handler
ServletFileUpload upload = new ServletFileUpload( factory );
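Review bot: The new `if ( repo instanceof File )` guard makes the safer repository strictly opt-in and silent: when a plugin does not set the attribute, or sets it to something other than a File (a String path, say), the factory keeps its default repository (presumably the JVM temporary directory) and the pre-fix behaviour this commit addresses is retained without any indication. I would at least report the `repo != null && !(repo instanceof File)` case as a plugin bug, and consider whether the web console's own bundle data area would be a better default than the system temp directory when the attribute is absent. The repository is also passed on unchecked; nothing ensures it exists or is a directory, so a plugin that forgets to create the data directory will get failing uploads rather than a clear error — something like `if ( repo instanceof File && ( ( (File) repo ).isDirectory() || ( (File) repo ).mkdirs() ) )` would cover the common case. The enclosing getParameter method starts before this hunk, so I cannot see whether it can surface an error to the caller.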