[
https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836301#comment-16836301
]
Ashok Kumar commented on FELIX-6128:
------------------------------------
[~asanso] , [~karlpauls] ,
Should we escape the Manifest Headers (either selectively for Name or for all
header values) coming from listHeaders [0] ? These are being used on bundles'
detailed view
[ [0]
[https://github.com/apache/felix/blob/trunk/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java#L1158-L1175]
> Issue in the bundle Web Console
> -------------------------------
>
> Key: FELIX-6128
> URL: https://issues.apache.org/jira/browse/FELIX-6128
> Project: Felix
> Issue Type: Bug
> Components: Web Console
> Reporter: Antonio Sanso
> Priority: Major
> Attachments: escape_bundle_name.patch, image002.png, image003.png
>
>
> RunningSnail reported an XSS issue in the bundle Web Console.
> After logining,I visit the page whose url is
> http://127.0.0.1:8080/system/console/bundles.
> Then I click "Install/Update" and before uploading a jar file,I change the
> content of the "MANIFEST.MF" in the jar file.
> So when an admin visit the page,he will be affected by the stored xss.
> See attached images
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
