[
https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17309618#comment-17309618
]
Eric Norman commented on SLING-10147:
-------------------------------------
These were the results of the vote on the mailing list:
PR #7 preferred by: Bertrand Delacretaz, Eric Norman, Julian Sedding
PR #5 preferred by: Konrad Windszus
Since PR #7 was the more preferred solution, I will proceed with merging that PR
with those changes and close PR #5.
FYI: I created the FELIX-6390 issue with additional proposed changes to better
cover the use case where a WebConsoleSecurityProvider service that implements
WebConsoleSecurityProvider2 is not registered. I asked several times for a
review and/or ruling on that proposal on both JIRA and the PR but there has
been no response at all. If anyone has any influence over the FELIX project
committers, perhaps you can nudge them on following up on FELIX-6390 since they
are ignoring me.
> scripting variables implementation details are exposed to unauthorized users
> ------------------------------------------------------------------------------
>
> Key: SLING-10147
> URL: https://issues.apache.org/jira/browse/SLING-10147
> Project: Sling
> Issue Type: Bug
> Reporter: Eric Norman
> Assignee: Eric Norman
> Priority: Major
> Fix For: Scripting Core 2.3.6
>
> Time Spent: 9h 50m
> Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.
>
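The mitigation the issue description asks for, shown as an added example rather than code from the Sling project or the merged PR: a GET-only Sling servlet bound to the `SLING_availablebindings` selector that only answers when the request passes the same Felix `WebConsoleSecurityProvider2.authenticate` check that guards the web console. The class and package names, the `isWebConsoleUser` helper and the list of binding names are constructed for this example; the `sling.servlet.*` registration properties and the Felix/Sling types are real, but the fail-closed behaviour when no provider is registered is a design choice of this example (the case FELIX-6390 is about), not something the page states the project implements.

```java
// Added example, not Sling's own code. Package, class and helper names are
// constructed for illustration.
package example.sling.bindings;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.webconsole.WebConsoleSecurityProvider2;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicyOption;

// Registered for the default resource type, so the selector works on any
// resource, exactly like the endpoint described in the issue.
@Component(service = Servlet.class, property = {
        "sling.servlet.resourceTypes=sling/servlet/default",
        "sling.servlet.selectors=SLING_availablebindings",
        "sling.servlet.extensions=json",
        "sling.servlet.methods=GET"
})
public class GuardedAvailableBindingsServlet extends SlingSafeMethodsServlet {

    // Optional reference so the bundle still resolves without a provider;
    // in that case doGet fails closed instead of answering every caller.
    @Reference(cardinality = ReferenceCardinality.OPTIONAL,
               policyOption = ReferencePolicyOption.GREEDY)
    private volatile WebConsoleSecurityProvider2 securityProvider;

    // Constructed sample of the kind of names the endpoint would list.
    private static final List<String> SAMPLE_BINDINGS =
            Arrays.asList("request", "response", "resource", "sling", "log");

    @Override
    protected void doGet(SlingHttpServletRequest request,
                         SlingHttpServletResponse response)
            throws ServletException, IOException {
        if (!isWebConsoleUser(request, response)) {
            // Provider absent or authentication failed: disclose nothing.
            // The provider may already have sent its own challenge (e.g. 401),
            // so only write a status if the response is still open.
            if (!response.isCommitted()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
            }
            return;
        }
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(toJson(SAMPLE_BINDINGS));
    }

    // Same gate as the web console: delegate to WebConsoleSecurityProvider2.
    // Returning false when no provider is bound is this example's choice.
    boolean isWebConsoleUser(SlingHttpServletRequest request,
                             SlingHttpServletResponse response) {
        WebConsoleSecurityProvider2 provider = securityProvider;
        if (provider == null) {
            return false; // fail closed: nobody can vouch for the caller
        }
        return provider.authenticate(request, response);
    }

    // Minimal JSON array rendering for a list of plain identifiers
    // (no escaping needed because the names contain no quotes or slashes).
    static String toJson(List<String> names) {
        StringBuilder sb = new StringBuilder("[");
        for (int i = 0; i < names.size(); i++) {
            if (i > 0) {
                sb.append(',');
            }
            sb.append('"').append(names.get(i)).append('"');
        }
        return sb.append(']').toString();
    }
}
```

The point of the example is the order of operations in `doGet`: the security check runs before any implementation detail is serialised, and the servlet never distinguishes "no provider installed" from "authentication failed" in what it sends back, so a request to `/any/resource.SLING_availablebindings.json` by an anonymous user yields a 403 (or the provider's own challenge) rather than the bindings list.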
--
This message was sent by Atlassian Jira
(v8.3.4#803005)