Hi,

On 20.06.2018 19:02, Eric Norman wrote:
> It seems to me that there is a risk that this endpoint could leave the system
> vulnerable to an information disclosure attack.
>
> This is the kind of data that would be useful in refining an attack on the
> server.

I was thinking the same thing. I think this should be protected and of
course the risks of exposing this endpoint should be documented.

> Regards,
> Eric
>
> On Wed, Jun 20, 2018, 7:09 AM Robert Munteanu <[email protected]> wrote:
>
>> Hi Bertrand,
>>
>> On Wed, 2018-06-20 at 15:38 +0200, Bertrand Delacretaz wrote:
>>> Hi,
>>>
>>> I've been working on a (very simple) module to create a
>>> "capabilities"
>>> endpoint, where a Sling instance can let HTTP clients know about its
>>> version levels, presence or absence of certain services etc.
>>>
>>> It's at https://github.com/apache/sling-whiteboard/tree/master/capabilities
>>> and if no one is opposed I'll move it to its own module and make a
>>> first release later this week.
>>>
>>> Feedback is welcome.
>> I took a look and it's nice and compact, I like it :-)
>>
>> My single note is that the CapabilitiesSource's javadoc says that "(the
>> capability) name must be unique in a given Sling instance.". I don't
>> see this enforced or at least checked + logged anywhere. Do you plan to
>> introduce that?
>>
>> Thanks,
>>
>> Robert
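As an added illustration of the uniqueness check Robert asks about (this is not code from the whiteboard module or from anyone in the thread): a small registry that refuses and logs a second CapabilitiesSource claiming an already-registered name, instead of letting it silently shadow the first. The CapabilitiesSource method names and the registry class are assumptions made for this example.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Logger;

// Hypothetical stand-in for the whiteboard's CapabilitiesSource (method names assumed).
interface CapabilitiesSource {
    String getName();
    Map<String, Object> getCapabilities();
}

// Enforces "name must be unique in a given Sling instance": a duplicate is refused and logged.
class CapabilitiesRegistry {
    private static final Logger LOG = Logger.getLogger(CapabilitiesRegistry.class.getName());
    private final Map<String, CapabilitiesSource> sources = new LinkedHashMap<>();

    // Returns false (and logs a warning) when the name is already taken by another source.
    synchronized boolean register(CapabilitiesSource src) {
        String name = src.getName();
        CapabilitiesSource existing = sources.putIfAbsent(name, src);
        if (existing != null) {
            LOG.warning("Duplicate capability name '" + name + "' from " + src.getClass().getName() + "; keeping " + existing.getClass().getName());
            return false;
        }
        return true;
    }

    // Snapshot keyed by unique name, the shape the endpoint would serialize.
    synchronized Map<String, Map<String, Object>> snapshot() {
        Map<String, Map<String, Object>> out = new LinkedHashMap<>();
        for (Map.Entry<String, CapabilitiesSource> e : sources.entrySet()) {
            out.put(e.getKey(), new LinkedHashMap<>(e.getValue().getCapabilities()));
        }
        return Collections.unmodifiableMap(out);
    }

    // Constructed sample: two sources claim the same name, the second is rejected.
    public static void main(String[] args) {
        CapabilitiesRegistry reg = new CapabilitiesRegistry();
        CapabilitiesSource a = source("sling", Collections.<String, Object>singletonMap("version", "11"));
        CapabilitiesSource b = source("sling", Collections.<String, Object>singletonMap("version", "12"));
        System.out.println(reg.register(a) + " " + reg.register(b) + " " + reg.snapshot());
    }
    static CapabilitiesSource source(final String name, final Map<String, Object> caps) {
        return new CapabilitiesSource() {
            public String getName() { return name; }
            public Map<String, Object> getCapabilities() { return caps; }
        };
    }
}
```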
