Return-Path: X-Original-To: apmail-felix-commits-archive@www.apache.org Delivered-To: apmail-felix-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BE843175B5 for ; Fri, 3 Oct 2014 07:57:01 +0000 (UTC) Received: (qmail 42742 invoked by uid 500); 3 Oct 2014 07:57:01 -0000 Delivered-To: apmail-felix-commits-archive@felix.apache.org Received: (qmail 42697 invoked by uid 500); 3 Oct 2014 07:57:01 -0000 Mailing-List: contact commits-help@felix.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@felix.apache.org Delivered-To: mailing list commits@felix.apache.org Received: (qmail 42686 invoked by uid 99); 3 Oct 2014 07:57:01 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 03 Oct 2014 07:57:01 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 03 Oct 2014 07:57:00 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 2682D2388999; Fri, 3 Oct 2014 07:56:40 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1629129 - in /felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole: AbstractWebConsolePlugin.java WebConsoleUtil.java Date: Fri, 03 Oct 2014 07:56:40 -0000 To: commits@felix.apache.org 
From: vvalchev@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20141003075640.2682D2388999@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org
Author: vvalchev
Date: Fri Oct 3 07:56:39 2014
New Revision: 1629129
URL: http://svn.apache.org/r1629129
Log: Fixed FELIX-4660 : Security problem in WebConsoleUtil.getParameter() method https://issues.apache.org/jira/browse/FELIX-4660
Modified: felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java
felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java
Modified: felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java
URL: http://svn.apache.org/viewvc/felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java?rev=1629129&r1=1629128&r2=1629129&view=diff
==============================================================================
--- felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java (original)
+++ felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java Fri Oct 3 07:56:39 2014
@@ -57,6 +57,23 @@ public abstract class AbstractWebConsole
 /** The name of the request attribute containing the map of FileItems from the POST request */
 public static final String ATTR_FILEUPLOAD = "org.apache.felix.webconsole.fileupload"; //$NON-NLS-1$
+
+ /**
+ * The name of the request attribute containing a {@link java.io.File} - upload repository path used by
+ * {@link org.apache.commons.fileupload.disk.DiskFileItemFactory}.

+ * + * The Web Console plugin, that utilizes file upload capabilities of the web console SHOULD: + *

    + *
  1. Obtain the file using {@link org.osgi.framework.BundleContext#getDataFile(String)} + *
  2. Set the file as request attribute + *
  3. Use {@link WebConsoleUtil#getParameter(HttpServletRequest, String)} to obtain the file(s) + *
+ *
+ * Without setting this attribute, your plugin will not work if there is a security manager enabled.
+ * It is guaranteed, that your plugin has permissions to read/write/delete files to the location,
+ * provided by the bundle context.
+ */
+ public static final String ATTR_FILEUPLOAD_REPO = "org.apache.felix.webconsole.fileupload.repo"; //$NON-NLS-1$
 /**
 * Web Console Plugin typically consists of servlet and resources such as images,
Modified: felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java
URL: http://svn.apache.org/viewvc/felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java?rev=1629129&r1=1629128&r2=1629129&view=diff
==============================================================================
--- felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java (original)
+++ felix/trunk/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java Fri Oct 3 07:56:39 2014
@@ -19,6 +19,7 @@ package org.apache.felix.webconsole;
+import java.io.File;
 import java.io.IOException;
 import java.lang.reflect.Array;
 import java.net.URLDecoder;
@@ -138,6 +139,12 @@ public final class WebConsoleUtil
 // Create a factory for disk-based file items
 DiskFileItemFactory factory = new DiskFileItemFactory();
 factory.setSizeThreshold( 256000 );
+ // See https://issues.apache.org/jira/browse/FELIX-4660
+ final Object repo = request.getAttribute( AbstractWebConsolePlugin.ATTR_FILEUPLOAD_REPO );
+ if ( repo instanceof File )
+ {
+ factory.setRepository( (File) repo );
+ }
 // Create a new file upload handler
 ServletFileUpload upload = new ServletFileUpload( factory );
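Review bot: When ATTR_FILEUPLOAD_REPO is absent or holds something other than a java.io.File, the new `if ( repo instanceof File )` guard in WebConsoleUtil falls through silently and the DiskFileItemFactory keeps its built-in default repository (the system temp directory, as far as its defaults go), so a plugin that never sets the attribute — the case the commit message and the new Javadoc on AbstractWebConsolePlugin single out — behaves exactly as before with nothing to diagnose. If that fallback is intended for plugins that do not upload files, say so at the guard, e.g. `// no repository supplied (plugin did not set ATTR_FILEUPLOAD_REPO): the factory falls back to its default temp location`; otherwise log or otherwise record the missing attribute so the misconfiguration is visible before a security manager rejects the write. The File is also handed to setRepository without checking that it exists or is a directory, so a bad value surfaces only when the first item above the 256000-byte threshold is spooled to disk; a `((File) repo).isDirectory()` check, or a comment stating the plugin is responsible for creating the directory, would make the contract explicit. The enclosing method starts and ends outside the hunk.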