Konrad Windszus created FELIX-6585:
--------------------------------------

             Summary: WebConsole Bundle Install via POST uses a location which is prone to clashes
                 Key: FELIX-6585
                 URL: https://issues.apache.org/jira/browse/FELIX-6585
             Project: Felix
          Issue Type: Bug
          Components: Web Console
    Affects Versions: webconsole-4.8.4
            Reporter: Konrad Windszus


When installing a bundle via the WebConsole bundle endpoint at
https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java#L352
it always sets the bundle location to the filename of the multipart file in the POST request.

As browsers usually strip that value down to the bare filename (it does not contain the full path, see
https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/FileItem.html#getName--),
it is not a very good identifier and the risk of clashes is pretty high.

In case the used BSN is unique, the following code is executed:
https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/InstallHelper.java#L56
This will overwrite an already installed bundle that has the same location.

It would make sense to pick a more unique location value instead of the filename.
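To illustrate the clash described above and one way a location could be derived that does not depend solely on the browser-supplied filename, here is an added example written for this report. It is not code from the Felix WebConsole; the helper name deriveLocation, the "webconsole-upload:" scheme prefix and the in-memory jars are all assumptions constructed for the demonstration. It reads Bundle-SymbolicName and Bundle-Version from the uploaded jar's manifest with standard java.util.jar classes and combines them into the location, so two different bundles that a browser both submits as "bundle.jar" no longer map to the same location.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.jar.Attributes;
import java.util.jar.JarInputStream;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;

public class BundleLocationExample {

    // Hypothetical helper (not part of Felix): build a bundle location from the
    // manifest identity of the uploaded jar rather than from the filename alone.
    // The "webconsole-upload:" prefix is an assumed, arbitrary scheme name.
    static String deriveLocation(String uploadedFileName, byte[] jarBytes) throws IOException {
        try (JarInputStream jis = new JarInputStream(new ByteArrayInputStream(jarBytes))) {
            Manifest mf = jis.getManifest();
            if (mf == null) {
                throw new IOException("uploaded file has no manifest: " + uploadedFileName);
            }
            Attributes attrs = mf.getMainAttributes();
            String bsn = attrs.getValue("Bundle-SymbolicName");
            String version = attrs.getValue("Bundle-Version");
            if (bsn == null) {
                throw new IOException("uploaded file is not a bundle (no Bundle-SymbolicName): "
                        + uploadedFileName);
            }
            // Drop directives such as ";singleton:=true" that may follow the BSN.
            int semi = bsn.indexOf(';');
            if (semi >= 0) {
                bsn = bsn.substring(0, semi);
            }
            String v = version == null ? "0.0.0" : version.trim();
            return "webconsole-upload:" + bsn.trim() + ":" + v;
        }
    }

    // Constructed sample data: a minimal in-memory jar carrying only a manifest.
    static byte[] minimalBundle(String bsn, String version) throws IOException {
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        mf.getMainAttributes().putValue("Bundle-SymbolicName", bsn);
        mf.getMainAttributes().putValue("Bundle-Version", version);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (JarOutputStream jos = new JarOutputStream(bos, mf)) {
            // No further entries are needed; the manifest alone is enough here.
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Two unrelated bundles that a browser would both submit as "bundle.jar".
        String fileName = "bundle.jar";
        byte[] a = minimalBundle("com.example.a", "1.0.0");
        byte[] b = minimalBundle("com.example.b", "1.0.0");

        // Filename-based location: identical for both, so the second install
        // would be treated as an update of the first.
        System.out.println("filename-based location A: " + fileName);
        System.out.println("filename-based location B: " + fileName);

        // Manifest-based location: distinct for the two bundles.
        System.out.println("derived location A:        " + deriveLocation(fileName, a));
        System.out.println("derived location B:        " + deriveLocation(fileName, b));
    }
}
```

Using the symbolic name and version as the location key keeps the existing "same BSN, reinstall as update" semantics while making the location independent of whatever name the client happened to give the file; a random suffix would also avoid clashes but would turn every upload into a fresh installation.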



--
This message was sent by Atlassian Jira
(v8.20.10#820010)