kwin edited a comment on pull request #89:
URL: https://github.com/apache/jackrabbit-filevault/pull/89#issuecomment-652812891


> An attacker could add tasks that copy (confidential) content to his own repository and then somehow manage to get the task started. Especially if the entire process is automated, this could easily happen unnoticed.
   
IMHO the target is always the local repo, i.e. it is always a pull (never a push), as the session being used in https://github.com/apache/jackrabbit-filevault/blob/c0d35641aa761a1109137a82dc301bf768dea0c4/vault-rcp/src/main/java/org/apache/jackrabbit/vault/rcp/impl/RcpTaskImpl.java#L239 is always a local session (if started via the servlet). Only the source session is a remote one (https://github.com/apache/jackrabbit-filevault/blob/c0d35641aa761a1109137a82dc301bf768dea0c4/vault-rcp/src/main/java/org/apache/jackrabbit/vault/rcp/impl/RcpTaskImpl.java#L211). This is different from the CLI RCP command!

This is also stated in https://jackrabbit.apache.org/filevault/rcp.html#Vault_RCP_Server_Bundle:

> This special vault rcp version can only be used to import content from remote repositories.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

