[ https://issues.apache.org/jira/browse/SLING-6708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15940587#comment-15940587 ]
Stefan Seifert commented on SLING-6708:
---------------------------------------
Not sure what should be fixed inside Sling or SDI for this issue.
You can always make the pattern more explicit in your webserver configuration
and let only requests pass to URLs where you expect and allow it.
> Sling Dynamic Include - Usage of nocache selector allows uncached access to
> everything
> --------------------------------------------------------------------------------------
>
> Key: SLING-6708
> URL: https://issues.apache.org/jira/browse/SLING-6708
> Project: Sling
> Issue Type: Bug
> Components: Extensions
> Affects Versions: Dynamic Include 3.0.0, Dynamic Include 3.0.2
> Reporter: Henry Kuijpers
> Priority: Blocker
>
> The SDI module works with a nocache-selector (or a selector that we
> arbitrarily choose).
> However, we cannot guarantee that only SDI's requests come in through the
> nocache-selector. It can be any request.
> This document says https://github.com/Cognifide/Sling-Dynamic-Include
> that we should configure the Dispatcher to not cache when
> {code}*.nocache.html*{code} can be applied to the request.
> This means that anyone can use the nocache-selector on any request to bypass
> Dispatcher caching for html files.
> It even means that ".nocache.html" can appear anywhere in the full request
> URL.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
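
Added example, not part of the issue or the comment above: a Python sketch that compares the `*.nocache.html*` wildcard quoted in the report with a more explicit pattern of the kind the comment suggests, and lists which requests only the broad rule would let bypass the cache. It assumes shell-style wildcard matching over the full request URL; the content paths, the allowlist regex and the function names are hypothetical.

```python
import fnmatch
import re

# Wildcard quoted in the issue report.
BROAD_GLOB = "*.nocache.html*"

# Hypothetical allowlist: SDI-included components are assumed to live below a
# page's jcr:content node. The character class excludes '.', '?' and '#', so
# extra selectors, suffixes, query strings and ".." segments cannot match.
STRICT_PATTERNS = [
    re.compile(r"/content/site/[\w/-]+/jcr:content/[\w/-]+\.nocache\.html"),
]

# Constructed sample request URLs (not taken from any real log).
SAMPLE_URLS = [
    "/content/site/en/home/jcr:content/header.nocache.html",  # expected SDI include
    "/content/site/en/home.nocache.html",                     # selector on a whole page
    "/content/site/en/home.html?x=.nocache.html",             # string only in the query
    "/content/site/en/home.html/a.nocache.html",              # string only in the suffix
    "/content/site/en/home.html",                             # ordinary cached page
]


def broad_bypass(url: str) -> bool:
    """True if the broad wildcard would exclude this URL from caching."""
    return fnmatch.fnmatchcase(url, BROAD_GLOB)


def strict_bypass(url: str) -> bool:
    """True only if the whole URL matches an explicitly allowed pattern."""
    return any(p.fullmatch(url) for p in STRICT_PATTERNS)


def unexpected_bypasses(urls):
    """URLs the broad rule leaves uncached that the explicit rule would not."""
    return [u for u in urls if broad_bypass(u) and not strict_bypass(u)]


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"broad={broad_bypass(url)!s:5} strict={strict_bypass(url)!s:5} {url}")
    print("review:", unexpected_bypasses(SAMPLE_URLS))
```

Running `unexpected_bypasses` over the request paths from an access log gives a list of uncached requests that did not come from an expected include location.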