[ 
https://issues.apache.org/jira/browse/SLING-3379?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13893433#comment-13893433
 ] 

Anthony Rumsey commented on SLING-3379:
---------------------------------------

If I am not mistaken, this is what is going on: the opting servlet is used in 
the first phase, where Sling tries to find a matching servlet/script, before the 
second phase that has one servlet identified already and simply calls it.
Multiple candidates can come into play in the resolution process, say an 
overlaid script in the search path or multiple selectors matching 
(resourcetype/selector/html.jsp vs. resourcetype/selector.jsp). There is a 
weighting algorithm going on to prefer the right things (albeit you can still 
come up with complicated cases). This phase might end up with multiple matches; 
usually you also have at least the default GET or POST servlet waiting as a 
fallback.
If any of these implement the OptingServlet, they are asked if they will accept 
the request. If they don't, they get kicked out of the list.
After that, the top match will be picked and called.
Now I assume that because the very explicit "/*.servlet" resource type is used 
(usually reserved for registering Java-based servlets with one string), that 
first step is essentially skipped and the servlet behind it is directly 
called, thus skipping the OptingServlet call and not relying on the selector.

> OptingServlet accepts method bypassed
> -------------------------------------
>
>                 Key: SLING-3379
>                 URL: https://issues.apache.org/jira/browse/SLING-3379
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Anthony Rumsey
>
> It is possible for the accepts method of the OptingServlet interface to be 
> bypassed under certain conditions.
> For example, consider a servlet called MyServlet that has a resourceType of 
> "myapp/components/foo" and allows the POST method with a selector of "bar". 
> This servlet also implements the OptingServlet interface and has an 'accepts' 
> method that checks the extension on the request.
> During some security testing I discovered that when I give a node a 
> sling:resourceType of "myapp/components/foo.POST.servlet", I can POST to this 
> node with no selector and any extension I want, which will still resolve to 
> the MyServlet but not call the "accepts" method from the OptingServlet 
> interface and goes directly to the doPost method.

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
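The practical consequence of the explanation above is that `OptingServlet.accepts()` runs only while Sling is still choosing between candidates; once a request resolves straight to the servlet (as with the `foo.POST.servlet` resource type in the report), nothing in the servlet runs before `doPost`. The following servlet is an added illustration of that point, not code from SLING-3379 or from the Sling project: it keeps the `accepts` check but performs the same selector and extension check again inside `doPost`, so a request that skipped the opting phase is still rejected. The resource type `myapp/components/foo` and the `bar` selector come from the issue; the required extension `json`, the response body, and the servlet's registration details are assumptions.

```java
// Added example; not part of SLING-3379 or of the Apache Sling code base.
// Assumed: this class is registered for resource type "myapp/components/foo",
// method POST, selector "bar" (registration mechanism not shown).
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.request.RequestPathInfo;
import org.apache.sling.api.servlets.OptingServlet;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;

public class MyServlet extends SlingAllMethodsServlet implements OptingServlet {

    private static final String REQUIRED_SELECTOR = "bar";
    // Hypothetical value: the issue only says that accepts() checks the extension.
    private static final String REQUIRED_EXTENSION = "json";

    /**
     * Consulted only during the first resolution phase, when several
     * candidate servlets/scripts compete for the request. It is never
     * reached when the request resolves directly to this servlet, so it
     * must not be the only place the request shape is validated.
     */
    @Override
    public boolean accepts(SlingHttpServletRequest request) {
        return isAcceptableRequest(request.getRequestPathInfo());
    }

    /**
     * The service method is the one point guaranteed to run for every
     * request that reaches this servlet, so the selector/extension check
     * is repeated here. A request that bypassed accepts() gets a 404 and
     * never reaches the real handling code.
     */
    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        if (!isAcceptableRequest(request.getRequestPathInfo())) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Actual handling goes here; a placeholder response is written instead.
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("{\"status\":\"ok\"}");
    }

    /**
     * Single source of truth for the request shape this servlet serves:
     * exactly one selector, "bar", and the required extension.
     * getSelectors() returns an empty array (never null) when no selector
     * is present, so a selector-less request fails the first condition.
     */
    static boolean isAcceptableRequest(RequestPathInfo pathInfo) {
        String[] selectors = pathInfo.getSelectors();
        boolean selectorOk = selectors.length == 1 && REQUIRED_SELECTOR.equals(selectors[0]);
        boolean extensionOk = REQUIRED_EXTENSION.equals(pathInfo.getExtension());
        return selectorOk && extensionOk;
    }
}
```

Keeping the check in one static helper that both `accepts` and `doPost` call avoids the two drifting apart; the opting phase still lets a better-matching candidate win when one exists, while the in-method check is what actually enforces the contract.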