[
https://issues.apache.org/jira/browse/SLING-12093?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Konrad Windszus updated SLING-12093:
------------------------------------
Description:
The method {{ResourceResolver.getAttribute(...)}} retrieves a named attribute
from either
- the underlying resource provider or
- the authentication info passed to the factory
In addition it filters out some attributes supposed to contain sensitive
information
(https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/d9e90e455c0f71e84414bb09c83d7e678f1a788e/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java#L400)
Although there is some JCR specific authentication info filtered in
https://github.com/apache/sling-org-apache-sling-jcr-resource/blob/685c50921085941f4cbb1a3ccdbf90bad0605527/src/main/java/org/apache/sling/jcr/resource/internal/helper/jcr/JcrResourceProvider.java#L676,
this is not-effective as the authentication info is retrieved without
consulting any resource provider.
This affects the attribute {{user.jcr.credentials}}.
was:
The method {{ResourceResolver.getAttribute(...)}} retrieves a named attribute
from either
- the underlying resource provider or
- the authentication info passed to the factory
In addition it filters out some attributes supposed to contain sensitive
information
(https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/d9e90e455c0f71e84414bb09c83d7e678f1a788e/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java#L400)
Although there is some JCR specific authentication info filtered in
https://github.com/apache/sling-org-apache-sling-jcr-resource/blob/685c50921085941f4cbb1a3ccdbf90bad0605527/src/main/java/org/apache/sling/jcr/resource/internal/helper/jcr/JcrResourceProvider.java#L676,
this is not-effective as the authentication info is retrieved without
consulting any resource provider.
> ResourceResolver.getAttribute(...) might return sensitive information
> ---------------------------------------------------------------------
>
> Key: SLING-12093
> URL: https://issues.apache.org/jira/browse/SLING-12093
> Project: Sling
> Issue Type: Improvement
> Components: ResourceResolver
> Affects Versions: Resource Resolver 1.11.0
> Reporter: Konrad Windszus
> Priority: Major
>
> The method {{ResourceResolver.getAttribute(...)}} retrieves a named attribute
> from either
> - the underlying resource provider or
> - the authentication info passed to the factory
> In addition it filters out some attributes supposed to contain sensitive
> information
> (https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/d9e90e455c0f71e84414bb09c83d7e678f1a788e/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java#L400)
> Although there is some JCR specific authentication info filtered in
> https://github.com/apache/sling-org-apache-sling-jcr-resource/blob/685c50921085941f4cbb1a3ccdbf90bad0605527/src/main/java/org/apache/sling/jcr/resource/internal/helper/jcr/JcrResourceProvider.java#L676,
> this is not-effective as the authentication info is retrieved without
> consulting any resource provider.
> This affects the attribute {{user.jcr.credentials}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
