Details
Bug
Status: Open
Major
Resolution: Unresolved
webconsole-4.8.4
Description
When installing a bundle via the WebConsole bundle endpoint at https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java#L352 it always sets the bundle location to the filename of the multipart file POST request.
As that is usually shortened by browsers to contain the filename only (and does not contain the full path, https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/FileItem.html#getName--), this is not a very good identifier and the risk of clashes is pretty high.
In case the used BSN is unique, the following code is executed: https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/InstallHelper.java#L56
This will overwrite a bundle with the same location.
It would make sense to pick a more unique location value instead of the name.
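
One possible way to derive a less clash-prone location, as an added example (not code from this report or from Felix). The `webconsole-upload:` prefix, the `uniqueLocation` helper and the name-plus-SHA-256 scheme are assumptions, and the maps only stand in for a registry of installed bundles keyed by location.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

public class UploadLocationDemo {

    // Hypothetical scheme: upload file name plus a SHA-256 prefix of the bundle bytes.
    static String uniqueLocation(String uploadName, byte[] content) {
        // FileItem.getName() may be null, empty, or (with some clients) a full client-side path.
        String name = (uploadName == null) ? "" : uploadName.trim();
        int cut = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        name = name.substring(cut + 1);
        if (name.isEmpty()) {
            name = "unnamed.jar";
        }
        byte[] digest = sha256(content);
        StringBuilder hex = new StringBuilder();
        for (int i = 0; i < 8; i++) {
            hex.append(String.format("%02x", digest[i]));
        }
        return "webconsole-upload:" + name + "#" + hex;
    }

    static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required of every Java platform
        }
    }

    public static void main(String[] args) {
        // Constructed sample uploads: same file name, different bundle content.
        byte[] first = "bundle A bytes".getBytes(StandardCharsets.UTF_8);
        byte[] second = "bundle B bytes".getBytes(StandardCharsets.UTF_8);

        // Stand-ins for a registry keyed by bundle location (not the OSGi API).
        Map<String, String> byFileName = new HashMap<>();
        Map<String, String> byUnique = new HashMap<>();
        byFileName.put("core.jar", "A");
        byFileName.put("core.jar", "B"); // same key: entry A is replaced
        byUnique.put(uniqueLocation("core.jar", first), "A");
        byUnique.put(uniqueLocation("C:\\builds\\core.jar", second), "B");

        System.out.println("file name as location: " + byFileName.size() + " bundle(s) kept");
        System.out.println("name + digest as location: " + byUnique.size() + " bundle(s) kept");
    }
}
```

With this scheme, re-uploading identical bytes under the same name maps to the same location, while different content under a reused file name no longer collides.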