[ https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836289#comment-16836289 ]
Ashok Kumar edited comment on FELIX-6128 at 5/9/19 12:58 PM: ------------------------------------------------------------- Attached patch for escaping the bundle name - escape_bundle_name.patch - DELETED CC: [~asanso], [~karlpauls] was (Author: ashokpanghal): Attached patch for escaping the bundle name - escape_bundle_name.patch. CC: [~asanso], [~karlpauls] > Issue in the bundle Web Console > ------------------------------- > > Key: FELIX-6128 > URL: https://issues.apache.org/jira/browse/FELIX-6128 > Project: Felix > Issue Type: Bug > Components: Web Console > Reporter: Antonio Sanso > Assignee: Karl Pauls > Priority: Major > Attachments: escape_bundle_name_and_other_manifest_headers.patch, > image002.png, image003.png > > > RunningSnail reported an XSS issue in the bundle Web Console. > After logining,I visit the page whose url is > http://127.0.0.1:8080/system/console/bundles. > Then I click "Install/Update" and before uploading a jar file,I change the > content of the "MANIFEST.MF" in the jar file. > So when an admin visit the page,he will be affected by the stored xss. > See attached images -- This message was sent by Atlassian JIRA (v7.6.3#76005)