[ https://issues.apache.org/jira/browse/SLING-9043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17032288#comment-17032288 ]
Lars Krapf commented on SLING-9043: ----------------------------------- [~reschke], [~kwin]: [~sonagupt] has updated the PR and added MOVE. Any more concerns from your side? Merci! > COPY should be in the referer filter's default list of protected HTTP methods > ----------------------------------------------------------------------------- > > Key: SLING-9043 > URL: https://issues.apache.org/jira/browse/SLING-9043 > Project: Sling > Issue Type: Bug > Components: Resource Access Security > Reporter: Sonal Gupta > Priority: Major > Labels: vulnerability > Time Spent: 20m > Remaining Estimate: 0h > > The COPY method , by default, is not in the list of methods covered by the > CSRF Referer filter. This might allow an attacker to copy files (abusing the > privileges of a logged in victim) using CSRF. -- This message was sent by Atlassian Jira (v8.3.4#803005)