[
https://issues.apache.org/jira/browse/SLING-3379?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Carsten Ziegeler resolved SLING-3379.
-------------------------------------
Resolution: Won't Fix
> OptingServlet accepts method bypassed
> -------------------------------------
>
> Key: SLING-3379
> URL: https://issues.apache.org/jira/browse/SLING-3379
> Project: Sling
> Issue Type: Bug
> Components: Servlets
> Reporter: Anthony Rumsey
> Priority: Major
>
> It is possible for the accepts method of the OptingServlet interface to be
> bypassed under certain conditions.
> For example consider a servlet called MyServlet that has a resourceType of
> "myapp/components/foo" and allows the POST method with a selector of "bar".
> This servlet also implements the OptingServlet interface and has an 'accepts'
> method that checks the extension on the request.
> During some security testing I discovered that when I give a node a
> sling:resourceType of "myapp/components/foo.POST.servlet", I can POST to this
> node with no selector and any extension I want which will still resolve to
> the MyServlet but not call the "accepts" method from the OptingServlet
> interface and goes directly to the doPost method.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
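A defensive pattern for the situation described in the report, added here as an example and not code from the Sling project or the reporter: the extension and selector check is factored into one method that both accepts() and doPost() call, so the servlet enforces the same rule even when resolution reaches doPost() without consulting accepts(). The package name, the "json" extension and the response body are assumptions.

```java
package example.servlets; // hypothetical package

import java.io.IOException;
import java.util.Arrays;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.request.RequestPathInfo;
import org.apache.sling.api.servlets.OptingServlet;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;

@Component(service = Servlet.class, property = {
    "sling.servlet.resourceTypes=myapp/components/foo",
    "sling.servlet.methods=POST",
    "sling.servlet.selectors=bar"
})
public class MyServlet extends SlingAllMethodsServlet implements OptingServlet {

    private static final String ALLOWED_EXTENSION = "json"; // assumed policy
    private static final String REQUIRED_SELECTOR = "bar";

    // The single rule both entry points rely on: correct extension and selector.
    static boolean isAcceptable(RequestPathInfo info) {
        return ALLOWED_EXTENSION.equals(info.getExtension())
            && Arrays.asList(info.getSelectors()).contains(REQUIRED_SELECTOR);
    }

    @Override
    public boolean accepts(SlingHttpServletRequest request) {
        // Consulted only during normal servlet resolution; treat it as a hint,
        // not as the access-control boundary.
        return isAcceptable(request.getRequestPathInfo());
    }

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // Re-validate here: as the report shows, a node whose sling:resourceType is
        // "myapp/components/foo.POST.servlet" reaches doPost() without accepts() running.
        if (!isAcceptable(request.getRequestPathInfo())) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        response.setContentType("application/json");
        response.getWriter().write("{\"ok\":true}");
    }
}
```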