Konrad Windszus created SLING-12093:
---------------------------------------
Summary: ResourceResolver.getAttribute(...) might return sensitive information
Key: SLING-12093
URL: https://issues.apache.org/jira/browse/SLING-12093
Project: Sling
Issue Type: Improvement
Components: ResourceResolver
Affects Versions: Resource Resolver 1.11.0
Reporter: Konrad Windszus

The method {{ResourceResolver.getAttribute(...)}} retrieves a named attribute from either
- the underlying resource provider or
- the authentication info passed to the factory

In addition, it filters out some attributes supposed to contain sensitive information
(https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/d9e90e455c0f71e84414bb09c83d7e678f1a788e/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java#L400)

Although there is some JCR-specific authentication info filtered in
https://github.com/apache/sling-org-apache-sling-jcr-resource/blob/685c50921085941f4cbb1a3ccdbf90bad0605527/src/main/java/org/apache/sling/jcr/resource/internal/helper/jcr/JcrResourceProvider.java#L676,
this is not effective, as the authentication info is retrieved without
consulting any resource provider.
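
The lookup order described in the issue, as an added example that is not part of the original report and is not Sling's code: a simplified Java 16+ model showing why a filter inside a provider cannot protect the authentication info fallback. All class, method and attribute names are hypothetical, the sample values are constructed, and the hardened variant is one possible approach, not the project's fix.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

// Simplified model of the lookup described in the issue. Every name here is
// hypothetical; none of this is Sling's actual code.
public class AttributeLookupModel {
    // Constructed sample: the name the central filter hides.
    static final Set<String> CENTRALLY_HIDDEN = Set.of("user.password");

    // A provider exposes its own attributes and decides which names it hides.
    record Provider(Map<String, Object> attributes, Predicate<String> hidden) {
        Object getAttribute(String name) {
            return hidden.test(name) ? null : attributes.get(name);
        }
    }

    // Behaviour as described: central filter, then providers, then raw auth info.
    static Object lookupAsDescribed(String name, List<Provider> providers,
                                    Map<String, Object> authInfo) {
        if (CENTRALLY_HIDDEN.contains(name)) return null;
        for (Provider p : providers) {
            Object value = p.getAttribute(name);
            if (value != null) return value;
        }
        return authInfo.get(name); // no provider filter is consulted here
    }

    // Assumed hardening: a name hidden by any provider is also withheld from
    // the auth info fallback.
    static Object lookupHardened(String name, List<Provider> providers,
                                 Map<String, Object> authInfo) {
        if (providers.stream().anyMatch(p -> p.hidden().test(name))) return null;
        return lookupAsDescribed(name, providers, authInfo);
    }

    public static void main(String[] args) {
        String providerSecret = "example.provider.credentials"; // constructed name
        Map<String, Object> authInfo = Map.of(
            "user.name", "alice", "user.password", "pw", providerSecret, "opaque");
        List<Provider> providers =
            List.of(new Provider(Map.of(), providerSecret::equals));

        for (String name : List.of("user.name", "user.password", providerSecret)) {
            System.out.printf("%-30s described=%s hardened=%s%n", name,
                lookupAsDescribed(name, providers, authInfo),
                lookupHardened(name, providers, authInfo));
        }
    }
}
```

In this model the centrally hidden name is withheld by both lookups, while the name hidden only by the provider is still returned by `lookupAsDescribed` through the fallback and is withheld by `lookupHardened`.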