Anthony Rumsey created SLING-3379:
-------------------------------------

             Summary: OptingServlet accepts method bypassed
                 Key: SLING-3379
                 URL: https://issues.apache.org/jira/browse/SLING-3379
             Project: Sling
          Issue Type: Bug
            Reporter: Anthony Rumsey


It is possible for the accepts method of the OptingServlet interface to be 
bypassed under certain conditions.

For example, consider a servlet called MyServlet that has a resourceType of 
"myapp/components/foo" and allows the POST method with a selector of "bar".  
This servlet also implements the OptingServlet interface and has an "accepts" 
method that checks the extension on the request.

During some security testing I discovered that when I give a node a 
sling:resourceType of "myapp/components/foo.POST.servlet", I can POST to this 
node with no selector and any extension I want; it will still resolve to 
MyServlet but will not call the "accepts" method from the OptingServlet interface 
and goes directly to the doPost method.

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
