[ https://issues.apache.org/jira/browse/SLING-989?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Felix Meschberger updated SLING-989:
------------------------------------
Component/s: Scripting
Affects Version/s: Scripting Core 2.0.4
> scripts in /apps are read by user session, this leads to security problem
> -------------------------------------------------------------------------
>
> Key: SLING-989
> URL: https://issues.apache.org/jira/browse/SLING-989
> Project: Sling
> Issue Type: Bug
> Components: Scripting
> Affects Versions: Scripting Core 2.0.4
> Reporter: Michael Marth
>
> At the moment the user session is used to read the scripts stored in /apps.
> Most web apps have some anonymous users as well, therefore the ACLs of /apps
> must allow read access of the /apps directory. Hence, all scripts within
> /apps are readable by anyone.
> I suggest allowing the Sling administrator to configure which session to use
> when the scripts are read. He could choose the admin session or stick with
> the default (the user's session).
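
The trade-off described in the issue, as an added example that is not part of the original report and is not Sling or JCR code: a small Python model of a repository with read ACLs, showing the default (scripts read with the user's session) beside the proposed setting (scripts read with the admin session). The `Repo` class, the `script_session` parameter and the sample paths are assumptions made for illustration.

```python
# Simplified model (not Sling/JCR code): a repository with path-prefix read ACLs.
class AccessDenied(Exception):
    pass

class Repo:
    def __init__(self, nodes, read_acl):
        self.nodes = nodes          # path -> content
        self.read_acl = read_acl    # path prefix -> principals allowed to read

    def read(self, principal, path):
        """Read a node as `principal`; 'admin' bypasses ACLs, as an admin session would."""
        if principal != "admin":
            prefixes = [p for p in self.read_acl
                        if path == p or path.startswith(p.rstrip("/") + "/")]
            # The longest matching prefix decides; no matching entry means no access.
            allowed = self.read_acl[max(prefixes, key=len)] if prefixes else set()
            if principal not in allowed:
                raise AccessDenied(f"{principal} may not read {path}")
        return self.nodes[path]

def render(repo, user, content_path, script_path, script_session="user"):
    """Serve content_path for `user`. `script_session` is a hypothetical setting
    modelling the proposal: 'user' (current default) or 'admin'."""
    reader = user if script_session == "user" else "admin"
    script = repo.read(reader, script_path)   # loading the script source
    content = repo.read(user, content_path)   # content is always read as the user
    return f"rendered {content!r} with {len(script)}-byte script"

def can_read(repo, principal, path):
    """True if `principal` can fetch the node directly (e.g. the script source)."""
    try:
        repo.read(principal, path)
        return True
    except AccessDenied:
        return False

# Constructed sample content.
NODES = {"/content/home": "Welcome",
         "/apps/site/page.esp": "<% /* constructed script source */ %>"}

# Default: /apps must be readable by anonymous, otherwise rendering fails.
OPEN = Repo(NODES, {"/content": {"anonymous"}, "/apps": {"anonymous"}})
# Proposal: /apps closed to anonymous; scripts are loaded by the admin session.
LOCKED = Repo(NODES, {"/content": {"anonymous"}, "/apps": set()})
```

With `OPEN`, rendering works but `can_read` shows anonymous can fetch the script source directly; with `LOCKED`, rendering only works when `script_session="admin"`, and the source is no longer readable by anonymous.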