[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292418#comment-17292418 ]

Carsten Ziegeler commented on SLING-10147:
------------------------------------------

Ok, thanks - I think it's common to use Sling without the webconsole being 
deployed, and in that case you don't have the web console security provider 
bundle either. 
So, all references to the webconsole API must be optional to allow scripting 
core to be usable without the web console being installed.
If you now introduce this dependency to the WebConsoleSecurityProvider, the 
servlet will not be available in those scenarios. Which might be fine; I don't 
know about the use cases.
Wouldn't it make more sense to have the servlet as a plugin in the web console 
and then use a service user to fetch resources - similar to what the plugin 
for the resource resolver does?


> scripting variables implementation details are exposed to unauthorized users
> ------------------------------------------------------------------------------
>
>                 Key: SLING-10147
>                 URL: https://issues.apache.org/jira/browse/SLING-10147
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: Scripting Core 2.3.6
>
>          Time Spent: 5h 10m
>  Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at 
> /apps/sling/servlet/default and the usage on all resources is not protected 
> by any security checks.  The information returned contains implementation 
> details that a regular user should not need to know and could be considered 
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables" 
> webconsole plugin, I would expect that it should require the same security 
> checking that would be needed to access the webconsole.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
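The thread above discusses two things: gating the ".SLING_availablebindings.json" selector servlet on the same check the web console applies, and keeping the webconsole API an optional dependency so Scripting Core still resolves when the web console is not deployed. The following is an added illustration of that pattern, not code from Apache Sling or from either commenter. It assumes a Sling servlet registered for the default resource type with a hypothetical class name (GuardedBindingsServlet), uses the Felix WebConsoleSecurityProvider2 interface as an OSGi Declarative Services reference with OPTIONAL cardinality, and fails closed (403) when no provider is registered, since in that deployment there is no way to decide who may see the bindings:

```java
package example.scripting; // hypothetical package, not part of Sling

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.felix.webconsole.WebConsoleSecurityProvider2;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;

/**
 * Illustrative servlet for the selector discussed in SLING-10147: only callers
 * the web console's security provider accepts get a response, and the
 * webconsole API is referenced optionally so this bundle still activates when
 * the web console (and its security provider bundle) is absent.
 */
@Component(service = Servlet.class, property = {
        "sling.servlet.resourceTypes=sling/servlet/default",
        "sling.servlet.selectors=SLING_availablebindings",
        "sling.servlet.extensions=json",
        "sling.servlet.methods=GET"
})
public class GuardedBindingsServlet extends SlingSafeMethodsServlet {

    // OPTIONAL + DYNAMIC: the component activates even when no provider is
    // registered; the field is simply null in that case and may be set or
    // cleared later as the webconsole bundle starts or stops.
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC)
    private volatile WebConsoleSecurityProvider2 securityProvider;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // Read the volatile field once so a concurrent unbind cannot change our decision mid-request.
        final WebConsoleSecurityProvider2 provider = this.securityProvider;
        if (provider == null) {
            // Fail closed: without the web console there is nobody entitled to this data.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Felix's provider writes its own 401/403 to the response when it returns false.
        if (!provider.authenticate(request, response)) {
            return;
        }
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(renderBindings(request));
    }

    // Minimal body so the example compiles; the real servlet would list the
    // script bindings for the requested resource here. Only the resource's
    // resource type is echoed, which reveals nothing an authorized console
    // user could not already see.
    private String renderBindings(SlingHttpServletRequest request) {
        final String resourceType = request.getResource().getResourceType();
        return "{\"resourceType\":\"" + resourceType.replace("\"", "\\\"") + "\"}";
    }
}
```

Two points worth checking on a change like this: the bundle manifest must mark the `org.apache.felix.webconsole` package import as `resolution:=optional` (the DS reference alone does not make the class import optional), and a test deployment without the webconsole bundle should confirm the bundle still resolves and the selector returns 403 rather than leaking the bindings.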
