[ https://issues.apache.org/jira/browse/FELIX-6585?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Konrad Windszus updated FELIX-6585:
-----------------------------------
    Summary: WebConsole Bundle Install via POST uses a bundle location which is prone to clashes  (was: WebConsole Bundle Install via POST uses a location which is prone to clashes)

> WebConsole Bundle Install via POST uses a bundle location which is prone to clashes
> -----------------------------------------------------------------------------------
>
>                 Key: FELIX-6585
>                 URL: https://issues.apache.org/jira/browse/FELIX-6585
>             Project: Felix
>          Issue Type: Bug
>          Components: Web Console
>    Affects Versions: webconsole-4.8.4
>            Reporter: Konrad Windszus
>            Priority: Major
>
> When installing a bundle via the WebConsole bundle endpoint at
> https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java#L352
> it always sets the bundle location to the filename of the multipart file
> POST request.
> As that is usually shortened to contain the filename only by browsers (and
> does not contain the full path,
> https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/FileItem.html#getName--)
> this is not a very good identifier and the risk for clashes is pretty high.
> In case the used BSN is unique the following code is executed:
> https://github.com/apache/felix-dev/blob/d55c61712b2bc6ceaa554d1cf99609990355aa4f/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/InstallHelper.java#L56
> This will overwrite a bundle with the same location.
> It would make sense to pick a more unique location value instead of the name.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
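
The clash described in the issue above, as an added example that is not part of the original message and is not Felix code. It models a registry keyed by bundle location and compares the browser-supplied file name with a location derived from the upload's content digest. The `install` and `contentLocation` helpers, the `upload:` prefix and the sample bundles are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

// Toy model (assumption): installed bundles are keyed by their location string,
// so installing to an existing location replaces what was there.
public class BundleLocationClash {
    // location -> bundle bytes; stands in for the framework's bundle registry
    static final Map<String, byte[]> installed = new LinkedHashMap<>();

    // Hypothetical helper: install, or overwrite, whatever sits at this location.
    static void install(String location, byte[] content) {
        installed.put(location, content);
    }

    // Hypothetical alternative location: SHA-256 of the uploaded bytes plus the
    // file name, so different uploads named "bundle.jar" get distinct locations.
    static String contentLocation(String fileName, byte[] content)
            throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(content);
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return "upload:" + hex + "/" + fileName;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample uploads: two different bundles, same file name.
        byte[] bundleA = "Bundle-SymbolicName: com.example.a".getBytes(StandardCharsets.UTF_8);
        byte[] bundleB = "Bundle-SymbolicName: com.example.b".getBytes(StandardCharsets.UTF_8);

        // File name as location: the second upload replaces the first.
        install("bundle.jar", bundleA);
        install("bundle.jar", bundleB);
        System.out.println("file name as location: " + installed.size() + " bundle(s)");

        // Digest-based location: both uploads are kept under separate keys.
        installed.clear();
        install(contentLocation("bundle.jar", bundleA), bundleA);
        install(contentLocation("bundle.jar", bundleB), bundleB);
        System.out.println("digest-based location: " + installed.size() + " bundle(s)");
    }
}
```

A content digest is only one candidate for a more unique location; the issue itself does not prescribe one.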