Fixed FELIX-4660 : Security problem in WebConsoleUtil.getParameter() method
https://issues.apache.org/jira/browse/FELIX-4660
git-svn-id: https://svn.apache.org/repos/asf/felix/trunk@1629129 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java b/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java
index d31b559..e571565 100644
--- a/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java
+++ b/webconsole/src/main/java/org/apache/felix/webconsole/AbstractWebConsolePlugin.java
@@ -57,6 +57,23 @@
/** The name of the request attribute containing the map of FileItems from the POST request */
public static final String ATTR_FILEUPLOAD = "org.apache.felix.webconsole.fileupload"; //$NON-NLS-1$
+
+ /**
+ * The name of the request attribute containing a {@link java.io.File} - upload repository path used by
+ * {@link org.apache.commons.fileupload.disk.DiskFileItemFactory}.<p>
+ *
+ * The Web Console plugin, that utilizes file upload capabilities of the web console SHOULD:
+ * <ol>
+ * <li>Obtain the file using {@link org.osgi.framework.BundleContext#getDataFile(String)}
+ * <li>Set the file as request attribute
+ * <li>Use {@link WebConsoleUtil#getParameter(HttpServletRequest, String)} to obtain the file(s)
+ * </ol>
+ *
+ * Without setting this attribute, your plugin will not work if there is a security manager enabled.
+ * It is guaranteed, that your plugin has permissions to read/write/delete files to the location,
+ * provided by the bundle context.
+ */
+ public static final String ATTR_FILEUPLOAD_REPO = "org.apache.felix.webconsole.fileupload.repo"; //$NON-NLS-1$
/**
* Web Console Plugin typically consists of servlet and resources such as images,
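Review bot: The Javadoc on ATTR_FILEUPLOAD_REPO does not say what happens when a plugin omits the attribute: the factory is then left at DiskFileItemFactory's default repository, the JVM temporary directory, which is exactly the location a security-manager policy may not grant the plugin, so the last paragraph should state that fallback explicitly, e.g. `* If this attribute is not set, uploaded files are written to the JVM temporary directory (DiskFileItemFactory default).` It should also say at which point the attribute must be set — presumably before the first getParameter call on the request, since ATTR_FILEUPLOAD above suggests the parsed FileItems are cached per request; confirm against WebConsoleUtil. Minor wording: `The Web Console plugin, that utilizes` reads better as `A Web Console plugin that uses`, and `It is guaranteed, that` should drop the comma.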
diff --git a/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java b/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java
index 6fb96d1..0ecc2ed 100644
--- a/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java
+++ b/webconsole/src/main/java/org/apache/felix/webconsole/WebConsoleUtil.java
@@ -19,6 +19,7 @@
package org.apache.felix.webconsole;
+import java.io.File;
import java.io.IOException;
import java.lang.reflect.Array;
import java.net.URLDecoder;
@@ -138,6 +139,12 @@
// Create a factory for disk-based file items
DiskFileItemFactory factory = new DiskFileItemFactory();
factory.setSizeThreshold( 256000 );
+ // See https://issues.apache.org/jira/browse/FELIX-4660
+ final Object repo = request.getAttribute( AbstractWebConsolePlugin.ATTR_FILEUPLOAD_REPO );
+ if ( repo instanceof File )
+ {
+ factory.setRepository( (File) repo );
+ }
// Create a new file upload handler
ServletFileUpload upload = new ServletFileUpload( factory );
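Review bot: The new guard accepts any File but never checks that it is an existing directory; BundleContext.getDataFile(String) returns a File that need not exist yet, and as far as I recall DiskFileItemFactory does not create its repository, so a missing directory surfaces later as an IOException from temp-file creation rather than here. A tighter check would be `if ( repo instanceof File && ((File) repo).isDirectory() )`. A value that is present but rejected (wrong type or not a directory) is currently ignored silently, so a log line in an `else` branch would make the fallback to the JVM temporary directory visible to the plugin author instead of only showing up as a security-manager failure. The enclosing method starts and ends outside the hunk.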