Valentin Valchev created FELIX-4660:
---------------------------------------
Summary: Security problem in WebConsoleUtil.getParameter() method
Key: FELIX-4660
URL: https://issues.apache.org/jira/browse/FELIX-4660
Project: Felix
Issue Type: Bug
Components: Web Console
Affects Versions: webconsole-4.2.2
Reporter: Valentin Valchev
The mentioned method is used to get simple parameters as well as FileItems, if the
request is multipart.
If a big file has been uploaded, Apache File Upload will store the file in a
temporary folder, instead of keeping it in memory. That folder is specified by
the system property 'java.io.tmpdir'.
When running with security the file upload will require the bundle to have the
following permission:
(java.util.PropertyPermission "java.io.tmpdir" "read")
But in order to read/write/delete to that folder the bundle will require
(java.io.FilePermission "<<ALL FILES>>" "read,write,delete")
Because we don't know where the file will be stored and cannot express that
using system properties, we need to give permission to read any file on the system
and that is well... bad.
In OSGi, however, it's guaranteed that the bundle will have permission to
read/write/delete files in its data folder. So all we need is to set the
repository path:
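{code}
// dataDir: a java.io.File folder in the bundle's data area (placeholder name),
// obtained via BundleContext.getDataFile(); setRepository() takes a File, not a size
DiskFileItemFactory factory = new DiskFileItemFactory();
factory.setRepository( dataDir );
{code}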
To keep compatibility with existing version(s) I suggest that we add a new
constant:
AbstractWebConsolePlugin.ATTR_FILEUPLOAD_DIR
The value of that attribute is a File object - a folder, which plugins obtain
using BundleContext.getDataFile().
So if the attribute is set, the getParameter() method will set that file as
the repository of the DiskFileItemFactory. That wouldn't require any changes to the
API, though any plugins that use FileUpload are recommended to update their
code and set that attribute.
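
The proposal in the report, written out as an added example (not code from the report or from the Felix project). It shows the plugin publishing a folder from its bundle data area and the console using it as the upload repository. The class name, the attribute string, the "uploads" subfolder and the 256000-byte threshold are assumptions made for the example.

```java
import java.io.File;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.osgi.framework.BundleContext;

public final class UploadRepositoryExample {
    // Hypothetical attribute name standing in for the proposed
    // AbstractWebConsolePlugin.ATTR_FILEUPLOAD_DIR constant.
    static final String ATTR_FILEUPLOAD_DIR = "example.webconsole.fileupload.dir";

    // Plugin side: before parameters are read, publish a folder inside the
    // bundle's data area, which the bundle may read/write/delete without
    // any FilePermission on "<<ALL FILES>>".
    static void prepare(HttpServletRequest request, BundleContext context) {
        // getDataFile() returns null when the framework has no file system support.
        File dir = context.getDataFile("uploads");
        if (dir != null && (dir.isDirectory() || dir.mkdirs())) {
            request.setAttribute(ATTR_FILEUPLOAD_DIR, dir);
        }
    }

    // Console side: parse the multipart request, spilling large items to the
    // folder the plugin supplied.
    static List<FileItem> parse(HttpServletRequest request) throws FileUploadException {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setSizeThreshold(256000); // assumed value: larger items go to disk
        Object dir = request.getAttribute(ATTR_FILEUPLOAD_DIR);
        if (dir instanceof File) {
            factory.setRepository((File) dir);
        }
        // Without the attribute, commons-fileupload falls back to java.io.tmpdir,
        // which is the case that needs the broad permissions described above.
        ServletFileUpload upload = new ServletFileUpload(factory);
        return upload.parseRequest(request);
    }
}
```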