[
https://issues.apache.org/jira/browse/FELIX-4660?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Valentin Valchev resolved FELIX-4660.
-------------------------------------
Resolution: Fixed
Fix Version/s: webconsole-4.2.4
Assignee: Valentin Valchev
Fixed in rev. 1629129
> Security problem in WebConsoleUtil.getParameter() method
> --------------------------------------------------------
>
> Key: FELIX-4660
> URL: https://issues.apache.org/jira/browse/FELIX-4660
> Project: Felix
> Issue Type: Bug
> Components: Web Console
> Affects Versions: webconsole-4.2.2
> Reporter: Valentin Valchev
> Assignee: Valentin Valchev
> Fix For: webconsole-4.2.4
>
>
> The mentioned method is used to get simple parameters as well FileItems, if
> the request is multipart.
> If a big file has been uploaded Apache File Upload will store the file in a
> temporary folder, instead of keeping it in memory. That folder is specified
> by system property 'java.io.tmpdir'.
> When running with security the file upload will require the bundle to have
> the following permission:
> (java.util.PropertyPermission "java.io.tmpdir" "read")
> But in order to read/write/delete to that folder the bundle will require
> (java.io.FilePermission "<<ALL FILES>>" "read,write,delete")
> Because we don't know where the file will be stored and cannot express that
> using system properties, we need to give permission to read any file on
> system and that is well .. bad.
> In OSGi however, it's guaranteed that the bundle will have permission to
> read/write/delete files in it's data folder. So all we need is to set the
> repository path:
> {code}
> DiskFileItemFactory factory
> factory.setRepository( 256000 );
> {code}
> To keep compatibility with existing version(s) I suggest that we add a new
> constant:
> AbstractWebConsolePlugin.ATTR_FILEUPLOAD_DIR
> The value of that attribute is a File object - a folder, which plugins obtain
> using BundleContext.getDataFile().
> So if the attribute is set, the getParameter() method will set that file as
> repository to the DiskFileItemFactory. That wouldn't require any changes to
> the API, though any plugins, that use FileUpload are recommended to update
> their code and set that attribute.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
