[ https://issues.apache.org/jira/browse/FELIX-6585?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konrad Windszus updated FELIX-6585:
-----------------------------------
    Summary: WebConsole Bundle Install via POST uses a bundle location which is prone to clashes (was: WebConsole Bundle Install via POST uses a location which is prone to clashes)

> WebConsole Bundle Install via POST uses a bundle location which is prone to 
> clashes
> -----------------------------------------------------------------------------------
>
>                 Key: FELIX-6585
>                 URL: https://issues.apache.org/jira/browse/FELIX-6585
>             Project: Felix
>          Issue Type: Bug
>          Components: Web Console
>    Affects Versions: webconsole-4.8.4
>            Reporter: Konrad Windszus
>            Priority: Major
>
> When installing a bundle via the WebConsole bundle endpoint at
> https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java#L352
> it always sets the bundle location to the filename of the multipart file
> POST request.
> As that is usually shortened by browsers to contain the filename only (and
> does not contain the full path,
> https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/FileItem.html#getName--)
> this is not a very good identifier and the risk of clashes is pretty high.
> In case the used BSN is unique, the following code is executed:
> https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/InstallHelper.java#L56
> This will overwrite a bundle with the same location.
> It would make sense to pick a more unique location value instead of the name.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
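
The clash described in the issue, as an added example that is not Felix code and not part of the original message: two different bundles uploaded under the same client-side filename replace each other when the filename is the location, while a location derived from the bundle itself does not clash. The `installed` map is a simplified stand-in for the framework's location registry, and the `upload:` location scheme, class name and sample symbolic names are hypothetical.

```java
import java.io.*;
import java.security.MessageDigest;
import java.util.*;
import java.util.jar.*;

public class BundleLocationClash {
    // Simplified stand-in for the location -> bundle mapping (assumption, not Felix code).
    static final Map<String, String> installed = new HashMap<>();

    // Builds a constructed in-memory bundle JAR that carries only a manifest.
    static byte[] jar(String bsn, String version) throws IOException {
        Manifest m = new Manifest();
        Attributes a = m.getMainAttributes();
        a.put(Attributes.Name.MANIFEST_VERSION, "1.0");
        a.putValue("Bundle-SymbolicName", bsn);
        a.putValue("Bundle-Version", version);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        new JarOutputStream(out, m).close();
        return out.toByteArray();
    }

    // Reads the symbolic name from the manifest, dropping directives such as ";singleton:=true".
    static String bsn(byte[] jar) throws IOException {
        try (JarInputStream in = new JarInputStream(new ByteArrayInputStream(jar))) {
            String v = in.getManifest().getMainAttributes().getValue("Bundle-SymbolicName");
            return v.split(";")[0].trim();
        }
    }

    // Hypothetical location scheme: symbolic name plus a SHA-256 prefix of the content.
    static String uniqueLocation(byte[] jar) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(jar);
        return "upload:" + bsn(jar) + ":" + HexFormat.of().formatHex(d, 0, 8);
    }

    // Returns the symbolic name that was replaced, or null when nothing clashed.
    static String install(String location, byte[] jar) throws IOException {
        return installed.put(location, bsn(jar));
    }

    public static void main(String[] args) throws Exception {
        byte[] a = jar("com.example.alpha", "1.0.0"); // constructed sample bundles
        byte[] b = jar("com.example.beta", "1.0.0");
        install("bundle.jar", a); // both uploads arrive with the same filename
        System.out.println("filename location replaced: " + install("bundle.jar", b));
        installed.clear();
        install(uniqueLocation(a), a);
        System.out.println("derived location replaced:  " + install(uniqueLocation(b), b));
    }
}
```

`HexFormat` requires Java 17 or later.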
