[
https://issues.apache.org/jira/browse/SLING-9043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17027304#comment-17027304
]
Sonal Gupta commented on SLING-9043:
------------------------------------
[~reschke] There was an issue opened for a COPY function vulnerability inside
Adobe, as we are using the COPY method to copy nodes in our CRX UI. We are not
using the MOVE HTML request method in our code, hence no vulnerability was raised
for the same. So I fixed it for COPY only. If required we can add MOVE as well.
Please suggest.
> COPY should be in the referer filter's default list of protected HTTP methods
> -----------------------------------------------------------------------------
>
> Key: SLING-9043
> URL: https://issues.apache.org/jira/browse/SLING-9043
> Project: Sling
> Issue Type: Bug
> Components: Resource Access Security
> Reporter: Sonal Gupta
> Priority: Major
> Labels: vulnerability
>
> The COPY method, by default, is not in the list of methods covered by the
> CSRF Referer filter. This might allow an attacker to copy files (abusing the
> privileges of a logged in victim) using CSRF.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
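The following is an added illustration and is not Sling's ReferrerFilter code: a minimal Python model of a referrer-based CSRF filter, showing why a method missing from the protected list (COPY in this issue, and MOVE as discussed in the comment) slips through. The two method lists, the host names (author.example.com, attacker.example) and the sample requests are constructed for the example; the real filter's defaults and configuration keys should be checked against the Sling version in use.

```python
"""Model of a CSRF referrer filter over state-changing HTTP methods.

The filter only inspects the Referer header for methods in a configured
"protected" set; any method outside that set is passed through unchecked.
That is exactly the gap SLING-9043 describes for COPY (a WebDAV method that
changes repository state just like PUT or DELETE).
"""
from urllib.parse import urlsplit

# Constructed for this example: a method list without COPY/MOVE ("before") and
# one that includes them ("after"). These are illustrative, not Sling's defaults.
METHODS_WITHOUT_COPY = frozenset({"POST", "PUT", "DELETE"})
METHODS_WITH_COPY_AND_MOVE = frozenset({"POST", "PUT", "DELETE", "COPY", "MOVE"})


def referrer_allowed(referer, request_host, allowed_hosts=(), allow_empty=False):
    """Return True if the Referer names the request's own host or a trusted one.

    - An absent Referer is only accepted when allow_empty is set (browsers
      strip it for some navigations, so some deployments must allow it).
    - Only http(s) referers are accepted; "javascript:" or garbage is rejected.
    - The comparison uses the parsed hostname, so a userinfo trick such as
      "http://author.example.com@attacker.example/" resolves to the attacker
      host and is rejected rather than matched by a naive prefix check.
    """
    if not referer:
        return allow_empty
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if host is None:
        return False
    return host == request_host or host in allowed_hosts


def filter_request(method, referer, request_host, protected_methods,
                   allowed_hosts=(), allow_empty=False):
    """Decide whether a request may proceed.

    Methods not in protected_methods are never checked; this is where a
    missing COPY or MOVE entry turns into a CSRF hole.
    """
    if method.upper() not in protected_methods:
        return True
    return referrer_allowed(referer, request_host, allowed_hosts, allow_empty)


def cross_site_copy_outcome(protected_methods):
    """Constructed scenario: a logged-in victim's browser is made to send a COPY
    from a page on attacker.example to the author instance."""
    return filter_request(
        method="COPY",
        referer="http://attacker.example/lure.html",
        request_host="author.example.com",
        protected_methods=protected_methods,
    )


if __name__ == "__main__":
    # With COPY outside the protected list the cross-site request is allowed.
    print("without COPY in list:", cross_site_copy_outcome(METHODS_WITHOUT_COPY))
    # Once COPY is protected the same request is rejected.
    print("with COPY in list:   ", cross_site_copy_outcome(METHODS_WITH_COPY_AND_MOVE))
```

The point of the model is the first branch of filter_request: everything the referrer check does is irrelevant for a method that never reaches it, so when auditing a deployment, list every state-changing method the application or its WebDAV layer accepts (COPY and MOVE included) and confirm each one is in the protected set rather than relying on POST/PUT/DELETE alone.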