[ 
https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17287259#comment-17287259
 ] 

Eric Norman edited comment on SLING-10147 at 2/19/21, 5:59 PM:
---------------------------------------------------------------

[~bdelacretaz] I am not opposed to such "functional privilege" concepts in 
general and I have advocated for such things in the past.  But I must point out 
that the whole reason for the extra code in that pull request is to make it 
independent of optional security concepts.  In other words, to work when the 
org.apache.sling:org.apache.sling.extensions.webconsolesecurityprovider bundle 
is not present and the webconsole is protected by the default simple admin 
username/password as defined in the "Apache Felix OSGi Management Console" 
configuration.

If I am allowed to assume that 
org.apache.sling:org.apache.sling.extensions.webconsolesecurityprovider (or 
equivalent) is present then the solution would be just a couple lines of code 
as I could get a reference to the WebConsoleSecurityProvider service and call 
WebConsoleSecurityProvider2#authenticate to check the security in 
[SlingBindingsVariablesListJsonServlet|https://github.com/apache/sling-org-apache-sling-scripting-core/blob/master/src/main/java/org/apache/sling/scripting/core/impl/SlingBindingsVariablesListJsonServlet.java]

Can I require that the optional WebConsoleSecurityProvider be present to allow 
access?  Is that any different than assuming that the resource tree is writable 
and capable of defining a {{/system/sling/permissions/webconsole/view}} 
resource?
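
To make the "couple lines of code" variant concrete, here is an added illustration (not code from the pull request, from Sling or from Felix) of a servlet that guards the selector with WebConsoleSecurityProvider2#authenticate and fails closed when the optional provider is absent; the package name, class name and the placeholder JSON body are assumptions.

```java
package org.example.sling.bindings; // hypothetical package, not part of Sling

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import org.apache.felix.webconsole.WebConsoleSecurityProvider2;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

// Bound to the same selector/extension the issue describes, on the default resource type.
@Component(service = Servlet.class, property = {
    "sling.servlet.resourceTypes=sling/servlet/default",
    "sling.servlet.selectors=SLING_availablebindings",
    "sling.servlet.extensions=json",
    "sling.servlet.methods=GET"
})
public class GuardedBindingsServlet extends SlingSafeMethodsServlet {

    // The webconsolesecurityprovider bundle is optional, so the reference is optional and dynamic.
    @Reference(cardinality = ReferenceCardinality.OPTIONAL,
               policy = ReferencePolicy.DYNAMIC,
               policyOption = ReferencePolicyOption.GREEDY)
    private volatile WebConsoleSecurityProvider2 securityProvider;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        WebConsoleSecurityProvider2 provider = securityProvider;
        // Fail closed: without a provider there is no way to prove the caller may see webconsole data.
        // authenticate() may itself send a challenge (e.g. 401), so only add a 403 if nothing was sent.
        if (provider == null || !provider.authenticate(request, response)) {
            if (!response.isCommitted()) {
                response.sendError(SlingHttpServletResponse.SC_FORBIDDEN);
            }
            return;
        }
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("{\"bindings\":[]}"); // placeholder; real servlet lists the bindings
    }
}
```

This is the trade-off the comment raises: the check is short, but a deployment without the provider bundle gets a 403 instead of the default admin username/password protection.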


> scripting variables implementation details are exposed to not authorized users
> ------------------------------------------------------------------------------
>
>                 Key: SLING-10147
>                 URL: https://issues.apache.org/jira/browse/SLING-10147
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Eric Norman
>            Priority: Major
>             Fix For: Scripting Core 2.3.6
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at 
> /apps/sling/servlet/default and the usage on all resources is not protected 
> by any security checks.  The information returned contains implementation 
> details that a regular user should not need to know and could be considered 
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables" 
> webconsole plugin, I would expect that it should require the same security 
> checking that would be needed to access the webconsole.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)