[
https://issues.apache.org/jira/browse/FELIX-6128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836289#comment-16836289
]
Ashok Kumar edited comment on FELIX-6128 at 5/9/19 12:58 PM:
-------------------------------------------------------------
Attached patch for escaping the bundle name - escape_bundle_name.patch - DELETED
CC: [~asanso], [~karlpauls]
was (Author: ashokpanghal):
Attached patch for escaping the bundle name - escape_bundle_name.patch.
CC: [~asanso], [~karlpauls]
> Issue in the bundle Web Console
> -------------------------------
>
> Key: FELIX-6128
> URL: https://issues.apache.org/jira/browse/FELIX-6128
> Project: Felix
> Issue Type: Bug
> Components: Web Console
> Reporter: Antonio Sanso
> Assignee: Karl Pauls
> Priority: Major
> Attachments: escape_bundle_name_and_other_manifest_headers.patch,
> image002.png, image003.png
>
>
> RunningSnail reported an XSS issue in the bundle Web Console.
> After logining,I visit the page whose url is
> http://127.0.0.1:8080/system/console/bundles.
> Then I click "Install/Update" and before uploading a jar file,I change the
> content of the "MANIFEST.MF" in the jar file.
> So when an admin visit the page,he will be affected by the stored xss.
> See attached images
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
