Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
webconsole-4.2.2
-
None
Description
The mentioned method is used to get simple parameters as well FileItems, if the request is multipart.
If a big file has been uploaded Apache File Upload will store the file in a temporary folder, instead of keeping it in memory. That folder is specified by system property 'java.io.tmpdir'.
When running with security the file upload will require the bundle to have the following permission:
(java.util.PropertyPermission "java.io.tmpdir" "read")
But in order to read/write/delete to that folder the bundle will require
(java.io.FilePermission "<<ALL FILES>>" "read,write,delete")
Because we don't know where the file will be stored and cannot express that using system properties, we need to give permission to read any file on system and that is well .. bad.
In OSGi however, it's guaranteed that the bundle will have permission to read/write/delete files in it's data folder. So all we need is to set the repository path:
DiskFileItemFactory factory factory.setRepository( 256000 );
To keep compatibility with existing version(s) I suggest that we add a new constant:
AbstractWebConsolePlugin.ATTR_FILEUPLOAD_DIR
The value of that attribute is a File object - a folder, which plugins obtain using BundleContext.getDataFile().
So if the attribute is set, the getParameter() method will set that file as repository to the DiskFileItemFactory. That wouldn't require any changes to the API, though any plugins, that use FileUpload are recommended to update their code and set that attribute.