[
https://issues.apache.org/jira/browse/SLING-3850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14098454#comment-14098454
]
Felix Meschberger commented on SLING-3850:
------------------------------------------
Thanks [~asanso] for the details. So it just happens that the files are valid
JS files. Adding the comment turns them into invalid JS and prevents this
attack.
I have the impression this makes sense and helps to document these files to
some extent, or at least to indicate where they come from. IIRC the config file
writing makes unmodified use of the Felix Configuration Admin
[ConfigurationHandler|http://svn.apache.org/repos/asf/felix/trunk/configadmin/src/main/java/org/apache/felix/cm/file/ConfigurationHandler.java]
class. So it would maybe make sense to directly extend/enhance that class.
> Add comments to the OSGi configuration files stored in the repository
> ---------------------------------------------------------------------
>
> Key: SLING-3850
> URL: https://issues.apache.org/jira/browse/SLING-3850
> Project: Sling
> Issue Type: Improvement
> Components: Installer
> Reporter: Antonio Sanso
> Priority: Minor
>
> It would be nice to add a comment to the OSGi configuration files stored in the
> repository.
> e.g.
> {code}
> #generated by ..
> {code}
> This will have the wanted side effect that the file is no longer valid
> JavaScript.
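A regression check for the effect discussed in this thread, as an added example that is not code from Sling or Felix: it reports which stored configuration texts still compile as JavaScript. The file names, the helper names and the sample key="value" content are constructed assumptions; only the `#generated by ..` header comes from the issue description.

```javascript
// Constructed sample, not taken from the issue: two key="value" lines in the
// style assumed here for repository-stored OSGi configuration files.
const SAMPLE_BODY =
  'service.pid="org.example.SampleService"\nsample.name="demo"\n';

// The comment header quoted in the issue description.
const HEADER = '#generated by ..\n';

// True when the text compiles as JavaScript. new Function() only compiles the
// source (as a function body) and never runs it, which is close enough to
// script parsing for this check.
function parsesAsJavaScript(text) {
  try {
    new Function(text);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err; // anything else is unexpected and should surface
  }
}

// Returns the names of files whose content is still syntactically valid
// JavaScript, sorted so the result is stable in a test run.
function findScriptParsableConfigs(files) {
  return Object.entries(files)
    .filter(([, text]) => parsesAsJavaScript(text))
    .map(([name]) => name)
    .sort();
}

// Hypothetical file names: one written without the header, one with it.
const SAMPLE_FILES = {
  'legacy.config': SAMPLE_BODY,
  'commented.config': HEADER + SAMPLE_BODY,
};

console.log(findScriptParsableConfigs(SAMPLE_FILES));
```

Run against the real repository contents, an empty result means every stored configuration file carries a line that breaks JavaScript parsing.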