[
https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286233#comment-17286233
]
Eric Norman commented on SLING-10147:
-------------------------------------
I couldn't figure out a convenient way to forward a request from the webconsole
plugin to the sling main servlet, so I changed my approach from forwarding the
request to redirecting.
The new post handling generates a one-time-use token to pass along as a request
parameter and then redirects to generate the response. Changes were also made
to ensure that any request to the SlingBindingsVariablesListJsonServlet that
arrives without a valid value in the "nonce" request parameter is not accepted
via implementing OptingServlet.
I have stashed the code in PR #5 for review and feedback:
[https://github.com/apache/sling-org-apache-sling-scripting-core/pull/5]
Let me know what you think.
> scripting variables implementation details are exposed to not authorized users
> ------------------------------------------------------------------------------
>
> Key: SLING-10147
> URL: https://issues.apache.org/jira/browse/SLING-10147
> Project: Sling
> Issue Type: Bug
> Reporter: Eric Norman
> Priority: Major
> Fix For: Scripting Core 2.3.6
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
